In association with heise online

22 September 2009, 09:51

Testing email encryption

Diagnosing POP3, IMAP and SMTP via SSL

by Jürgen Schmidt

SSL plumbing

For diagnostic purposes, it can be very useful to talk directly to your SMTP or IMAP server. Things get a little more complicated when encryption rears its ugly head, but with the right tools, it doesn't have to be a black art.

Almost all mail servers offer the option of encrypting connections. Two different procedures are used – either the entire service protocol is sent via an SSL tunnel or a protocol extension called "StartTLS" is used to activate encryption after establishing the connection.

Taking SSL services first, these usually run on dedicated, specially defined TCP ports. Here is a short list of the more important ports:

Service Abbreviation TCP port
HTTP over SSL https 443
IMAP over SSL imaps 993
IRC over SSL ircs 994
POP3 over SSL pop3s 995
SMTP over SSL ssmtp 465

The service listening at the TCP port expects a direct SSL connection so, for example, email clients which don't support SSL can't communicate with IMAPS servers on port 993. Once encryption parameters have been negotiated and certificates exchanged you have a tunnel, through which the actual payload protocol passes. Due to the complications involved in establishing an SSL connection, when it comes to troubleshooting, standard tools such as telnet and netcat tend to come up short.

Into the breach steps the universal OpenSSL, which includes a simple SSL client that can easily be used to set up a connection to an SSL service such as

$ openssl s_client -host -port 443
Certificate chain
 0 s:/C=DE/ST=Niedersachsen/L=Hannover/O=Heise Zeitschriften Verlag GmbH Co KG/OU=Netzwerkadministration/OU=Terms of use at (c)05/
  i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/ Ref. LIABILITY LTD.(c)97 VeriSign
 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/ Ref. LIABILITY LTD.(c)97 VeriSign
  i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

the information provided by openssl allows us to examine the certificates used. Indeed failure to do so lays us open to man-in-the-middle attacks. Technically accomplished users who known how to use ettercap have reputedly used this technique to obtain administrator passwords.

The SSL client encrypts and decrypts the input and output channels transparently, allowing the user to talk directly to the server:

GET / HTTP/1.1

HTTP/1.1 302 Found
Date: Wed, 16 Sep 2009 10:24:44 GMT
Server: Apache/1.3.34

Next: Logging in to IMAPS

Print Version | Permalink:
  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit