Thursday, December 23, 2021

Re: PHP 7.4: SSL routines:CONNECT_CR_CERT:certificate verify failed

Hey,

> Kind of strange that this works. Port 587 (submission) is usually set up to use STARTTLS, just like port 25 (smtp), so you would need to specify -starttls smtp as an option to openssl s_client. Port 465 (submissions, formerly known as smtps) would work with mandatory TLS if the server supports that.
>
> Are you sure you are testing correctly?
>
> I would expect these to work:
> $ openssl s_client -connect mail.foobar.com:587 -starttls smtp </dev/null
> $ openssl s_client -connect mail.foobar.com:587 -starttls smtp -tls1_2 </dev/null
> $ openssl s_client -connect mail.foobar.com:587 -starttls smtp -tls1_3 </dev/null

You are absolutely correct. When I add the -starttls part I get a much
better result. I am still confused why my version still printed "Verify
return code: 0 (ok)" but you are right, that was wrong.

When I use it with -starttls, then I get the following error:

> # openssl s_client -showcerts -connect mail.felberbrot.at:587 -starttls smtp
> CONNECTED(00000003)
> depth=0 CN = *.foobar.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> write W BLOCK

So yeah, seems like they have an issue in their certificate chain. I
also tested this on an Alpine Linux, got the exact same error. So I
assume that's their problem.

Sorry for the noise!
Thanks for the help and greetings
Leo
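
An added illustration of the `verify error:num=20` result in the message above (not part of the original thread): the script builds a constructed root, intermediate and leaf certificate with OpenSSL, then verifies the leaf once without and once with the intermediate. All subjects, host names and file names are made up, and a missing intermediate is one common cause of this error, not a confirmed diagnosis of the server discussed here.

```shell
#!/bin/sh
# Constructed demo: all names, subjects and file paths below are made up.
set -u
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT

cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:mail.example.test
EOF

# issue NAME SUBJECT EXTENSIONS SIGNER: new key + CSR, signed by SIGNER
issue() {
    openssl req -newkey rsa:2048 -nodes -keyout "$d/$1.key" -out "$d/$1.csr" \
        -subj "$2" -config "$d/x.cnf" 2>/dev/null &&
    openssl x509 -req -in "$d/$1.csr" -CA "$d/$4.pem" -CAkey "$d/$4.key" \
        -CAcreateserial -days 2 -extfile "$d/x.cnf" -extensions "$3" \
        -out "$d/$1.pem" 2>/dev/null
}

make_chain() {
    # Self-signed root: the only certificate the client trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" \
        -out "$d/root.pem" -subj "/CN=Constructed Root CA" -days 2 \
        -config "$d/x.cnf" -extensions v3_ca 2>/dev/null &&
    issue int  "/CN=Constructed Intermediate CA" v3_ca   root &&
    issue leaf "/CN=mail.example.test"           v3_leaf int
}

# Server sends only the leaf: the client cannot find the leaf's issuer.
verify_leaf_only()  { openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" 2>&1; }
# Server also sends the intermediate (-untrusted = chain certs from the peer).
verify_full_chain() { openssl verify -CAfile "$d/root.pem" \
                          -untrusted "$d/int.pem" "$d/leaf.pem" 2>&1; }

make_chain || { echo "openssl failed to build the test chain" >&2; exit 1; }
verify_leaf_only || true
verify_full_chain
```

The first verification reports error 20 at depth 0, the same condition `s_client` printed above; the second succeeds because the issuer of the leaf is available to build the path to the trusted root.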
