Currently, it is possible to obtain a free StartSSL certificate for our mail server (Postfix / Dovecot), although Let’s Encrypt certificates are more common and more straightforward: they are valid for approximately 3 months, are easy to renew, and the renewal can be automated with a simple cron job. Either way, having certificates on our servers, or on the third-party servers we access, provides security by ensuring that our communication is not being intercepted.
Now, what happens if we encounter problems with the certificate when trying to connect to an email server, or if a user notifies us that our server is experiencing issues?
In such situations, it is always possible to check the status of the certificate using the following commands:
Postfix
To check the SMTP connection on port 25, which starts unencrypted and is upgraded with STARTTLS:
openssl s_client -connect mail.example.com:25 -starttls smtp
To check the SMTP connection with SSL/TLS encryption:
openssl s_client -connect mail.example.com:465
To find out the expiration date of the certificate, additionally pipe the output to openssl x509. Port 465 is encrypted from the start, so -starttls is only used on port 25:
openssl s_client -connect mail.example.com:25 -starttls smtp | openssl x509 -dates -noout
openssl s_client -connect mail.example.com:465 | openssl x509 -dates -noout
Dovecot
To verify the IMAPS connection (with SSL/TLS encryption) in Dovecot. The -servername option sends the hostname via SNI, so it should match the host being checked:
openssl s_client -showcerts -connect smtp.example.com:993 -servername smtp.example.com
To find out the expiration date of the certificate, additionally:
openssl s_client -showcerts -connect smtp.example.com:993 -servername smtp.example.com | openssl x509 -dates -noout
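The Postfix and Dovecot checks above can be combined into one script that warns before a certificate expires. This is an added example, not part of the original article: the function names, the MAIL_HOST and WARN_DAYS variables and the 14-day default are assumptions, and it also covers the other standard mail ports (587, 143, 110, 995) beyond the three shown above.

```shell
#!/bin/sh
# Added example, not from the article; names and defaults are assumptions.

# Print the extra s_client options a port needs. 25/587 (SMTP), 143 (IMAP)
# and 110 (POP3) start in plaintext and upgrade via STARTTLS; 465, 993 and
# 995 speak TLS from the first byte, so -starttls must not be used there.
starttls_opts() {
    case "$1" in
        25|587)      echo "-starttls smtp" ;;
        143)         echo "-starttls imap" ;;
        110)         echo "-starttls pop3" ;;
        465|993|995) echo "" ;;
        *)           return 1 ;;
    esac
}

# check_cert HOST PORT [WARN_DAYS]
# Returns 0 if the certificate stays valid past WARN_DAYS, 1 if it expires
# within that window (or already has), 2 if no certificate could be fetched.
check_cert() {
    host=$1; port=$2; days=${3:-14}
    opts=$(starttls_opts "$port") || { echo "$host:$port unsupported port"; return 2; }
    # </dev/null closes stdin so s_client exits once the handshake is done;
    # the inner x509 call keeps only the leaf certificate in PEM form.
    # $opts is left unquoted on purpose so it splits into two arguments.
    pem=$(openssl s_client -connect "$host:$port" -servername "$host" $opts \
            </dev/null 2>/dev/null | openssl x509 2>/dev/null)
    [ -n "$pem" ] || { echo "$host:$port no certificate received"; return 2; }
    end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate)
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend $((days * 86400)) >/dev/null; then
        echo "$host:$port OK ($end)"; return 0
    fi
    echo "$host:$port expires within $days days ($end)"; return 1
}

# Check the three ports used in this article; non-zero if any check fails.
check_all() {
    rc=0
    for p in 25 465 993; do
        check_cert "$1" "$p" "${2:-14}" || rc=1
    done
    return "$rc"
}

# Cron usage (constructed): MAIL_HOST=mail.example.com sh check-mail-certs.sh
if [ -n "${MAIL_HOST:-}" ]; then
    check_all "$MAIL_HOST" "${WARN_DAYS:-14}"
fi
```

The script exits non-zero when any port fails its check, so cron's own mail-on-failure behaviour or a monitoring wrapper can act on it.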
These commands will allow you to diagnose and ensure the validity of the certificates on your mail servers. In future articles, I will explain how to add Let’s Encrypt certificates to Postfix and Dovecot.