A cuban around the globe

Verify SSL/TLS certificate of an email server

Currently, it is possible to obtain a free StartSSL certificate for our mail server (Postfix / Dovecot), although using Let’s Encrypt certificates is more common and straightforward: they last approximately 3 months, are easy to renew, and the renewal can be automated with a simple cron job. Either way, having certificates on our servers, and on the third-party servers we access, provides security by ensuring that our communication is not being intercepted.

Now, what happens if we encounter problems with the certificate when trying to connect to an email server, or if a user notifies us that our server is experiencing issues?

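In such situations, it is always possible to check the status of the certificate using the following commands (replace HOST and PORT with the mail server's name and port):

To check an SMTP connection that starts without encryption and is upgraded with STARTTLS:

openssl s_client -connect HOST:PORT -starttls smtp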


To check the SMTP connection with SSL/TLS encryption:

openssl s_client -connect HOST:PORT


To find out the expiration date of the certificate, additionally:

openssl s_client -connect HOST:PORT -starttls smtp </dev/null | openssl x509 -dates -noout


To verify the IMAPS connection (with SSL/TLS encryption) in Dovecot:

openssl s_client -showcerts -connect HOST:PORT -servername HOST


To find out the expiration date of the certificate, additionally:

openssl s_client -showcerts -connect HOST:PORT -servername HOST </dev/null | openssl x509 -dates -noout

These commands will allow you to diagnose and ensure the validity of the certificates on your mail servers. In future articles, I will explain how to add Let’s Encrypt certificates to Postfix and Dovecot.
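An added example, not part of the original article: a small shell check that wraps the expiration-date pipelines above so they can run from cron and warn before a certificate lapses. The function names, the 14-day threshold and the sample dates are assumptions made for illustration, and the date parsing relies on GNU date.

```shell
#!/bin/sh
# Added example, not the article's code: expiry check for cron, built on the
# article's "openssl s_client ... | openssl x509 -dates -noout" pipeline.

# secs_left DATES [NOW_EPOCH]: seconds until notAfter in x509 -dates output.
# Returns 2 when no certificate dates are present (e.g. handshake failed).
# Assumes GNU date, which parses OpenSSL's "Apr  1 00:00:00 2030 GMT" format.
secs_left() {
    not_after=$(printf '%s\n' "$1" | sed -n 's/^notAfter=//p')
    [ -n "$not_after" ] || return 2
    end=$(date -u -d "$not_after" +%s 2>/dev/null) || return 2
    now=${2:-$(date -u +%s)}
    echo $(( end - now ))
}

# cert_status DATES WARN_DAYS [NOW_EPOCH]: prints OK/WARN with days left,
# EXPIRED or ERROR; the exit status is non-zero for anything but OK.
cert_status() {
    secs=$(secs_left "$1" "$3") || { echo "ERROR"; return 2; }
    if [ "$secs" -le 0 ]; then echo "EXPIRED"; return 1; fi
    days=$(( secs / 86400 ))
    if [ "$days" -lt "$2" ]; then echo "WARN $days"; return 1; fi
    echo "OK $days"
}

# check_mail_cert HOST PORT [STARTTLS_PROTO] [WARN_DAYS]
# STARTTLS_PROTO is e.g. smtp or imap; leave it empty for implicit TLS.
# The 14-day default threshold is an assumption, not from the article.
check_mail_cert() {
    dates=$(openssl s_client -connect "$1:$2" -servername "$1" \
        ${3:+-starttls $3} </dev/null 2>/dev/null |
        openssl x509 -dates -noout 2>/dev/null) || true
    cert_status "$dates" "${4:-14}"
}

# Constructed sample of what "openssl x509 -dates -noout" prints.
SAMPLE_DATES='notBefore=Jan  1 00:00:00 2030 GMT
notAfter=Apr  1 00:00:00 2030 GMT'

# Offline demo against the sample, with "now" pinned to 2030-01-01 UTC.
cert_status "$SAMPLE_DATES" 14 1893456000

# Live use: sh script.sh HOST PORT [smtp|imap] [WARN_DAYS]
if [ "$#" -ge 2 ]; then check_mail_cert "$@"; fi
```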
