OpenSSL, the open source toolkit for implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, is an everyday essential for most Linux admins responsible for secure networking. But OpenSSL includes a wealth of features that even grizzled veterans may not be familiar with. You can use OpenSSL to test POP and IMAP servers, and test server connection speeds, among other interesting tricks.
When you roll out a new mail server, or make changes to an old one, good old telnet is still the standby for testing unencrypted POP and IMAP server sessions. But what about servers that use TLS/SSL encryption? Telnet can't talk to these. The fastest and easiest way to test them is OpenSSL's s_client command, a generic SSL/TLS client for talking to any server that uses TLS/SSL.
To test a POP server, first send yourself a batch of test messages so you have something to work with. Connect to a POP3S server using its domain name or IP address and port number; 995 is the standard POP3S port. (For a server that instead upgrades a plaintext session on port 110 with STARTTLS, connect to port 110 and add the -starttls pop3 option; -starttls imap does the same for port 143.)
$ openssl s_client -connect mailserver.com:995
You'll see a lot of chatter fly by, ending with something like this:
    Verify return code: 18 (self signed certificate)
---
+OK Hello there.
That response indicates a Courier POP3 server. Dovecot, the other popular POP3 server, responds like this:
    Verify return code: 18 (self signed certificate)
---
+OK Dovecot ready.
Courier is shy, I suppose, and doesn't want to identify itself. Either greeting shows that the server is running, that the TLS/SSL handshake completed, and that the POP3 service is answering through it. Be aware that s_client completes the handshake even when certificate verification fails, so the +OK line says nothing about whether the certificate is trustworthy; that is what the Verify return code line tells you, and 18 (self signed certificate) means the server presented a self-signed certificate that no client will trust unless it is told to. If you're interested in more details, you can capture the rather lengthy output for further examination with the tee command, which writes command output to a text file and also displays it on screen:
$ openssl s_client -connect mailserver.com:995 | tee pop3s.txt
If the output looks correct and it's not reporting any problems with your SSL certificates, then your server is most likely in good order and ready to go to work. If not, you may see this common error message:
Verify return code: 20 (unable to get local issuer certificate)
This means OpenSSL could not complete the chain from the server's certificate to a certificate authority (CA) it trusts: either s_client was not pointed at a trust store at all, or the issuing CA is missing from the store it used. Every Linux distribution ships a system store of the big commercial CAs like Verisign, Thawte, and Comodo, usually under /etc/ssl/certs. The exceptions you click through when Firefox throws up scary warnings about an untrusted CA, asking whether you really want to go there, live in the browser's own certificate database, not the system store, so they do nothing for OpenSSL. (Which is a bunch of silliness we'll discuss another time.) You can tell s_client where the CA for your mailserver is. -CApath expects a directory of certificates indexed by hashed symlinks, which is how the distribution store is laid out and what c_rehash produces; -CAfile takes a single PEM bundle file instead:
$ openssl s_client -connect mailserver.com:995 -CApath /etc/ssl/certs/
It should then end with:
    Verify return code: 0 (ok)
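To make the verify step repeatable rather than something you eyeball, here is a small shell script, added here as an example and not code from the article, that pulls the Verify return code out of s_client's output, explains the codes a mail admin actually meets, and checks a server's certificate against a chosen CA bundle. The host name, the port, and the bundle path /etc/ssl/certs/ca-certificates.crt (Debian's layout) are assumptions; adjust them for your system.

```shell
#!/bin/sh
# Added example, not code from the article: read the "Verify return code"
# line out of s_client's output, say what it means, and check a server's
# certificate against a chosen CA bundle. Host names, the port and the
# bundle path are assumptions.

# Extract the numeric code from s_client output such as
# "    Verify return code: 20 (unable to get local issuer certificate)".
# Prints 99 when no such line exists (the handshake failed before
# verification, or the output was cut short) so callers never get "".
verify_code() {
    code=$(printf '%s\n' "$1" |
        sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1)
    printf '%s\n' "${code:-99}"
}

# The numbers are OpenSSL's X509_V_ERR_* values, so they do not change
# between releases. These are the ones that turn up on mail servers.
explain_verify_code() {
    case "$1" in
        0)  echo "ok: chain verified against the trust store" ;;
        10) echo "certificate has expired" ;;
        18) echo "self-signed certificate: add it to -CAfile or replace it with a CA-issued one" ;;
        19) echo "self-signed root in chain is not in the trust store: point -CAfile/-CApath at the right bundle" ;;
        20) echo "issuer not in the local store: the CA is missing from the store, or the server omitted its intermediate" ;;
        21) echo "unable to verify the first certificate: the server sent only the leaf and its issuer is unknown" ;;
        62) echo "hostname mismatch: the certificate is not valid for the name given to -verify_hostname" ;;
        *)  echo "verify error $1: see the table in verify(1)" ;;
    esac
}

# Live check against a POP3S server. Defaults: port 995 and Debian's bundle
# path (an assumption; adjust for your distribution). -servername sends SNI
# and -verify_hostname makes OpenSSL check the name as a mail client would.
tls_check() {
    host=$1; port=${2:-995}; cafile=${3:-/etc/ssl/certs/ca-certificates.crt}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -CAfile "$cafile" -verify_hostname "$host" </dev/null 2>&1)
    code=$(verify_code "$out")
    echo "$host:$port -> verify code $code: $(explain_verify_code "$code")"
    # Subject, issuer and expiry of the certificate the server presented;
    # x509 reads the first PEM block it finds in s_client's output.
    printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -enddate
    [ "$code" -eq 0 ]
}
# Usage: tls_check mailserver.com 995 /etc/ssl/certs/ca-certificates.crt
```

The exit status of tls_check is zero only for a fully verified chain, which makes it usable from a cron job or a deployment check; the x509 summary is what you look at when the code is anything else.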
Now you can check your email and see if your test messages arrived. The lowercase lines below (user, pass, stat, list, retr) are the commands you type, using your own login; the lines beginning with +OK are the server's responses:
+OK Dovecot ready.
user carla
+OK
pass password
+OK Logged in.
stat
+OK 2 4761
list
+OK
1 2232
2 2531
.
retr 1
+OK 2232 octets
Return-path: <admin@test.net>
[...]
stat tells you how many messages are in your inbox, and their size. list lists your messages. retr retrieves and displays them by list number, with all of the headers and then the body of the message. When you're finished type quit.
Testing an IMAP server requires using a different set of commands. This time the commands you type are the lines that begin with a dot followed by a lowercase command (login, list, examine, fetch); the server's tagged replies begin with the same dot followed by OK, and its untagged data lines begin with an asterisk. I snipped some of the server output for brevity:
$ openssl s_client -connect mailserver.com:993
[...]
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
. login carla password
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE [...] LIST-STATUS QUOTA] Logged in.
. list "" "*"
* LIST (\HasChildren) "." "INBOX"
* LIST (\HasNoChildren) "." "INBOX.work"
* LIST (\HasNoChildren) "." "INBOX.personal"
* LIST (\HasNoChildren) "." "INBOX.Trash"
. examine INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft Junk NonJunk $Forwarded)
* OK [PERMANENTFLAGS ()] Read-only mailbox.
* 1 EXISTS
* 1 RECENT
* OK [UNSEEN 1] First unseen.
[...]
. OK [READ-ONLY] Select completed.
. fetch 1 rfc822.text
* 1 FETCH (RFC822.TEXT {9}
test message, do not read. Kthx.)
. OK Fetch completed.
. logout ends the session. The list "" "*" command lists all your mailboxes, and examine INBOX opens the INBOX read-only and reports how many messages it holds (because it is read-only, fetching from it does not mark messages as seen; select would). fetch 1 rfc822.text displays the body of message 1 only, without headers. Note the leading dot: that is a command tag, and it is required. The tag is a short string of letters, digits or punctuation such as the dot, with no spaces, and it must precede every command you enter. The server echoes your tag on exactly one line per command, the one that reports how the command finished (OK, NO or BAD); the lines that begin with an asterisk are untagged responses carrying the data the command produced, not your tag rewritten. If you use letters or numbers as tags the server will use those, which you can easily see for yourself by trying different tags. Tags exist because IMAP lets a client send several commands on one connection without waiting for each to finish, so the tag tells you which command a completion line belongs to; giving each command its own tag (a1, a2, a3) makes a scripted session far easier to check.
RFC 1939 details all of the POP3 commands and the correct steps in a session, and RFC 3501 details IMAP4.
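Typing the POP3 and IMAP sessions above by hand is fine once; for a check you run after every mail server change you want them scripted. The shell script below is an added example, not code from the article, that feeds the same commands to s_client non-interactively and checks the replies the way the protocol defines them: every POP3 status line must be +OK, and every IMAP command must end with a tagged OK. MAILHOST, MAILUSER and MAILPASS are assumed environment variables, and the transcripts the checkers are tested against are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not code from the article: script the POP3S and IMAPS
# sessions shown above through s_client and check the answers. MAILHOST,
# MAILUSER and MAILPASS are assumed environment variables.

# Run one scripted session on port $1; the remaining arguments are the
# commands to send, one per argument. -crlf turns each newline into the
# CRLF both protocols require. -ign_eof stops s_client hanging up when
# stdin ends before the server has answered, and also switches off the
# interactive mode in which a line beginning with Q or R is treated as
# "quit" or "renegotiate" instead of being sent, so an uppercase RETR or
# QUIT is not swallowed. -quiet drops the certificate chatter.
tls_session() {
    port=$1; shift
    {
        sleep 1                  # let the greeting arrive before sending anything
        for cmd; do
            printf '%s\n' "$cmd"
            sleep 1              # give each command time to complete
        done
    } | openssl s_client -connect "$MAILHOST:$port" -servername "$MAILHOST" \
            -crlf -ign_eof -quiet 2>/dev/null
}

# POP3 status lines are +OK or -ERR. Report the first -ERR and fail.
# (Message bodies from retr are not excluded, so keep retr out of
# unattended checks or filter it first.)
pop3_transcript_ok() {
    printf '%s\n' "$1" | awk '
        { sub(/\r$/, "") }
        /^-ERR/ { print "server said: " $0; bad = 1; exit }
        END { exit bad }'
}

# The stat reply is "+OK <count> <octets>"; print the count.
pop3_message_count() {
    printf '%s\n' "$1" | awk '
        { sub(/\r$/, "") }
        /^\+OK [0-9]+ [0-9]+$/ { print $2; exit }'
}

# IMAP finishes every command with one tagged line: "<tag> OK|NO|BAD ...".
# Untagged "* ..." lines are data. Print the completion status for tag $2,
# or nothing if that command never completed.
imap_tagged_status() {
    printf '%s\n' "$1" | awk -v tag="$2" '
        { sub(/\r$/, "") }
        $1 == tag && $2 ~ /^(OK|NO|BAD)$/ { print $2; exit }'
}

pop3s_probe() {
    t=$(tls_session 995 "user $MAILUSER" "pass $MAILPASS" stat quit)
    pop3_transcript_ok "$t" || return 1
    echo "POP3 ok: $(pop3_message_count "$t") message(s) waiting"
}

# A distinct tag per command makes the completion lines trivial to match;
# examine opens INBOX read-only, so the probe never marks anything as seen.
imaps_probe() {
    t=$(tls_session 993 "a1 login $MAILUSER $MAILPASS" 'a2 list "" "*"' \
                        'a3 examine INBOX' 'a4 logout')
    for tag in a1 a2 a3 a4; do
        st=$(imap_tagged_status "$t" "$tag")
        [ "$st" = OK ] || { echo "IMAP $tag ended with ${st:-no completion}"; return 1; }
    done
    echo "IMAP ok: $(printf '%s\n' "$t" | awk '{ sub(/\r$/, "") } $3 == "EXISTS" { print $2 }') message(s) in INBOX"
}

# Only probe when a host is configured, so the file can also be sourced for
# its functions. Usage: MAILHOST=mailserver.com MAILUSER=carla MAILPASS=... sh mailcheck.sh
if [ -n "${MAILHOST:-}" ]; then
    pop3s_probe && imaps_probe
fi
```

The sleeps are crude but portable; they exist because s_client has no notion of request and response, it just copies stdin to the server and the server to stdout. Passing the password through the environment keeps it out of the process list, which a -pass style argument would not.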
OpenSSL also includes s_time, a simple connection benchmark that counts how many TLS connections it can complete against a server in a fixed period (30 seconds by default):
$ openssl s_time -cipher DHE-RSA-AES256-SHA -connect mailserver.com:993
I took the cipher name from an s_client session: its Cipher line reports the suite that was negotiated for that connection (it does not list everything the server supports; to find that out, try suites one at a time with -cipher). You can also run the test without specifying a cipher. OpenSSL will complain but run the test anyway. In my testing it usually ran slower when no cipher was specified, so if your mail client lets you choose which cipher to use you might see faster performance.
You can use this command on any server, such as an HTTPS-enabled web server:
$ openssl s_time -connect webserver.com:443
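Since the interesting use of s_time is comparing suites rather than a single number, here is an added example, not code from the article, that runs s_time once per cipher suite and reports the full-handshake rate for each, with the session-resumption rate available for comparison. The host and the suite names are assumptions, and the s_time output the parser is checked against is constructed in the format s_time prints.

```shell
#!/bin/sh
# Added example, not code from the article: time TLS handshakes with s_time
# for several cipher suites and compare connections per second. The host
# and suite names are assumptions.

# s_time ends each timing phase with a line of the form
#   "N connections in T.TTs; R connections/user sec, bytes read B"
# Print R. Without -new or -reuse s_time prints two such lines, full
# handshakes first and session-ID reuse second; $2 picks which (default 1).
s_time_rate() {
    printf '%s\n' "$1" | awk -v which="${2:-1}" '
        /connections\/user sec/ { n++; if (n == which) { print $5; exit } }'
}

# Run s_time once per suite. -new forces a full handshake for every
# connection so the suite's key exchange cost is what gets measured, -time
# bounds each run in seconds, and -cipher restricts what the client offers
# (TLS 1.2 and below; TLS 1.3 suites are selected with -ciphersuites in
# OpenSSL 1.1.1 and later). A suite the server will not negotiate yields no
# statistics line at all, which is shown here as n/a rather than a crash.
cipher_sweep() {
    host=$1; port=$2; shift 2
    for suite; do
        out=$(openssl s_time -connect "$host:$port" -cipher "$suite" -new -time 10 2>/dev/null)
        rate=$(s_time_rate "$out")
        printf '%-36s %8s full handshakes/s\n' "$suite" "${rate:-n/a}"
    done
}

# Resumed-session rate for one suite, to set beside the -new figure: the
# gap between them is the cost of the key exchange your clients pay when
# session caching is not working.
resume_rate() {
    host=$1; port=$2; suite=$3
    out=$(openssl s_time -connect "$host:$port" -cipher "$suite" -reuse -time 10 2>/dev/null)
    s_time_rate "$out"
}
# Usage: cipher_sweep mailserver.com 993 DHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256
#        resume_rate  mailserver.com 993 DHE-RSA-AES256-SHA
```

Take the suite names from openssl ciphers -v, which lists what your OpenSSL build can offer; a name s_time does not recognize fails before any connection is made.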
The OpenSSL man pages are not as detailed or helpful as they could be about this topic. One way to get an option summary is to run a command the wrong way, like openssl s_time foo; recent releases also accept openssl s_time -help and the same for s_client. If you prefer a good howto book, Implementing SSL / TLS Using Cryptography and PKI by Joshua Davies is one of the best books on the subject, and it was current when this was written. If you don't want to spend money, you can download the OpenSSL source and review the documentation bundled with the sources.
Finally, if you need the standard web and mail server port numbers, /etc/services on any Linux system contains the complete list.