Test SSL Imap Connection

To see how this inclusion page fits in with similar ones, perhaps see one of

Testing a Recently Changed Mail Server Certificate

It is not easy to check what certificate is being presented using the ThunderBird mail client.

However, you should verify that both host certificate and the OrganizationSSL Intermediate Root Certificate have been installed correctly. ThunderBird will show you the chain of certificates.

You can ensure ThunderBird gets the certificates from the mail server by creating a new, empty profile using

    arpepper@cscfpc20:~$ thunderbird -no-remote -ProfileManager

Choose "Create Profile" and then complete the one-step wizard to create a new empty profile (you just need to choose a name). Then click on that profile to start a session using it. You will be asked to set up an account. When asked for imap and smtp server, enter a version of the name which will not actually match the full name in the certificate you wish to test. For example, enter just plg.cs instead of plg.cs.uwaterloo.ca. If the host uses imaps and not TLS under imap the profile will fail initially, and you will need to find and click [View settings for this account] and [Server Settings] and change the connection type to SSL. If you then click on Inbox, you should get a warning about the name mismatch, in a dialog box which allows you to [View Certificate].


should show you the Intermediate Certificate as GlobalSign Organization Validation CA; you should be able to confirm its validity dates (Although the procedure is a little painful). There does not appear to be any way to save or export any of the certificates.

Although this facility should remain available in future ThunderBird, details of the interface will probably change.

For tidiness, you probably want to immediately delete your new profile using the dialog generated by:

    arpepper@cscfpc20:~$ thunderbird -no-remote -ProfileManager
and then selecting it for [Delete].

Using openssl command to check Mail Server Certificates

The openssl command has an s_client sub-command which can be a simple client for SSL smtp, imap, pop or ftp.
    arpepper@cscfpc20:~$ echo quit | openssl s_client -crlf -connect mail.cs.uwaterloo.ca:465
    arpepper@cscfpc20:~$ echo quit | openssl s_client -starttls smtp -crlf -connect mail.cs.uwaterloo.ca:25
    arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -starttls imap -crlf -connect mail.cs.uwaterloo.ca:imap
    arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -crlf -connect mail.cs.uwaterloo.ca:imaps
    arpepper@cscfpc20:~$ echo quit | openssl s_client -starttls pop3 -crlf -connect plg2.cs.uwaterloo.ca:110
    arpepper@cscfpc20:~$ echo quit | openssl s_client -crlf -connect plg2.cs.uwaterloo.ca:995

I had to hunt around for a pop3 example, because that is being shut down. The output from the above is lengthy, and includes the main server certificate. You can use the openssl command to view its details.

Other options can be given to the above. Most useful might be -showcerts which will show the entire certificate chain. Also -CAfile <file> or -CApath <dir>.

    arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -showcerts -CApath /etc/ssl/certs -starttls imap -crlf -connect mail.cs.uwaterloo.ca:imap

-starttls http is not supported, since there is no such concept. But since https is a standard SSL protocol port, the following does work to view the certificate used by https:

   arpepper@cscfpc20:~$ cat /dev/null | openssl s_client -crlf -connect cs.uwaterloo.ca:443

Since openssl x509 -text does ignore information outside the recognized CERTIFICATE area, the above commands can all be piped directly into it.

    arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -starttls imap -crlf -connect mail.cs.uwaterloo.ca:imap | openssl x509 -text

There might be a little untidy stderr output at the beginning, so...

    arpepper@cscfpc20:~$ echo 0 logout | 2>/dev/null openssl s_client -starttls imap -crlf -connect mail.cs.uwaterloo.ca:imap | openssl x509 -text



This topic IncludeCertTestImap is referred to by...

-- AdrianPepper - 2013-Jul-08

Topic revision: r6 - 2013-07-08 - AdrianPepper
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback