In association with heise online

22 September 2009, 09:51

Testing email encryption

Diagnosing POP3, IMAP and SMTP via SSL

by Jürgen Schmidt

SSL plumbing

For diagnostic purposes, it can be very useful to talk directly to your SMTP or IMAP server. Things get a little more complicated when encryption rears its ugly head, but with the right tools, it doesn't have to be a black art.

Almost all mail servers offer the option of encrypting connections. Two different procedures are used – either the entire service protocol is sent via an SSL tunnel or a protocol extension called "StartTLS" is used to activate encryption after establishing the connection.

Taking SSL services first, these usually run on dedicated, specially defined TCP ports. Here is a short list of the more important ports:

Service          Abbreviation   TCP port
HTTP over SSL    https          443
IMAP over SSL    imaps          993
IRC over SSL     ircs           994
POP3 over SSL    pop3s          995
SMTP over SSL    ssmtp          465

The service listening at the TCP port expects a direct SSL connection so, for example, email clients which don't support SSL can't communicate with IMAPS servers on port 993. Once encryption parameters have been negotiated and certificates exchanged you have a tunnel, through which the actual payload protocol passes. Due to the complications involved in establishing an SSL connection, when it comes to troubleshooting, standard tools such as telnet and netcat tend to come up short.

Into the breach steps the universal OpenSSL, which includes a simple SSL client that can easily be used to set up a connection to an SSL service such as https://www.heise.de:

$ openssl s_client -host www.heise.de -port 443
CONNECTED(00000003)
[...]
---
Certificate chain
 0 s:/C=DE/ST=Niedersachsen/L=Hannover/O=Heise Zeitschriften Verlag GmbH Co KG/OU=Netzwerkadministration/OU=Terms of use at www.verisign.com/rpa (c)05/CN=www.heise.de
  i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
  i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
[...]

The information provided by openssl allows us to examine the certificates used. Indeed, failing to do so leaves us open to man-in-the-middle attacks. Technically accomplished users who know how to use ettercap have reputedly used this technique to obtain administrator passwords.
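As an added example (not from the article), a small Python check over the s_client output shown above: it parses the "Certificate chain" block, confirms that the leaf certificate's CN matches the host you asked for, and confirms that each certificate's issuer is the next certificate's subject, which is the manual inspection the paragraph above says protects against a man-in-the-middle. The `Verify return code` line is assumed here; it sits in the part elided by `[...]` above.

```python
import re

# Constructed sample: the chain section as `openssl s_client` printed it on this
# page, plus the "Verify return code" line (assumed; elided by [...] on the page).
SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=DE/ST=Niedersachsen/L=Hannover/O=Heise Zeitschriften Verlag GmbH Co KG/OU=Netzwerkadministration/OU=Terms of use at www.verisign.com/rpa (c)05/CN=www.heise.de
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
    Verify return code: 0 (ok)
"""

# Split only at "/KEY=", never at a "/" inside a value (e.g. "www.verisign.com/CPS ...").
DN_SPLIT = re.compile(r"/(?=[A-Za-z]+=)")

def parse_dn(dn):
    """'/C=DE/CN=www.heise.de' -> [('C', 'DE'), ('CN', 'www.heise.de')]"""
    return [tuple(p.split("=", 1)) for p in DN_SPLIT.split(dn) if p]

def parse_chain(output):
    """Return [(subject_dn, issuer_dn), ...] in the order s_client listed them."""
    subjects = re.findall(r"^\s*\d+ s:(.*)$", output, re.M)
    issuers = re.findall(r"^\s+i:(.*)$", output, re.M)
    return list(zip(subjects, issuers))

def cn_matches(cn, host):
    """Exact match, or a wildcard in the leftmost label only (no '*.de' style)."""
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*."):
        return host.count(".") == cn.count(".") and host.endswith(cn[1:])
    return cn == host

def check_chain(output, host):
    """Return a list of findings; an empty list means the chain looks sane."""
    findings = []
    chain = parse_chain(output)
    if not chain:
        return ["no certificate chain in output (SSL handshake failed?)"]
    leaf_cn = [v for k, v in parse_dn(chain[0][0]) if k == "CN"]
    if not leaf_cn or not cn_matches(leaf_cn[-1], host):
        findings.append("leaf CN %r does not match host %r" % (leaf_cn, host))
    # Each certificate must be issued by the one listed after it.
    for n, ((_, issuer), (next_subject, _)) in enumerate(zip(chain, chain[1:])):
        if issuer != next_subject:
            findings.append("chain break: cert %d issuer != cert %d subject" % (n, n + 1))
    m = re.search(r"Verify return code: (\d+) \((.*)\)", output)
    if m and m.group(1) != "0":
        findings.append("openssl verify failed: " + m.group(2))
    return findings
```

Chain linkage and CN matching are only half the story: whether the last issuer is a CA you actually trust is what the `Verify return code` from openssl (with a proper `-CAfile`/`-CApath`) reports, so a non-zero code there is reported as a finding too.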

The SSL client encrypts and decrypts the input and output channels transparently, allowing the user to talk directly to the server:

GET / HTTP/1.1
Host: www.heise.de
<return>

HTTP/1.1 302 Found
Date: Wed, 16 Sep 2009 10:24:44 GMT
Server: Apache/1.3.34
Location: http://www.heise.de/
[...]

Next: Logging in to IMAPS

Permalink: http://h-online.com/-812464