Articles in this section

See more

How to verify that SSL for IMAP/POP3/SMTP works and the proper certificate is installed using Linux

Avatar
Alexandr Tumanov
Updated
Follow

Applicable to:

  • Plesk 12.5 for Linux
  • Plesk Onyx for Linux
  • Plesk 11.x for Linux
  • Plesk 12.0 for Linux

Question

How to verify that SSL for IMAP/POP3/SMTP works and proper certificate is installed?

Answer

Note: To change the default certificates, visit How to сhange the default certificates for SMTP, IMAP, and POP3 over SSL article.

 

Without SSH connection

Online SSL test can be performed on https://www.sslshopper.com/ssl-checker.html or https://www.ssllabs.com/ssltest/ also, however, manual test gives direct result and more complete as SSLLabs does not test IMAP SSL.

 

Using SSH connection to any server

Any other Linux server can be used to test your one. If you don't have another Linux server, use online test above or try finding online Linux shells.

To do this, you should be connected to any Linux server via SSH

To verify SSL please use the following commands:

  1. IMAP via SSL uses 993 port by default:

    a. connect to mail server using openssl :

    # openssl s_client -showcerts -connect mail.example.com:993

    b. Check output and make sure that valid certificate is shown:

    CONFIG_TEXT: Server certificate
    subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.example.com
    issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2

    c. Make sure that you received IMAP server response:

    CONFIG_TEXT: * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=PLAIN IDLE ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information.

  2. POP3 via SSL uses 995 port by default:

    a. connect to mail server using openssl :

    # openssl s_client -showcerts -connect mail.example.com:995

    b. Check output and make sure that valid certificate is shown:

    CONFIG_TEXT: Server certificate
    subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.example.com
    issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2

    c. Make sure that you received POP3 server response:

    CONFIG_TEXT: +OK Hello there. <1793.1385684315@localhost.localdomain>

  3. SMTP via SSL uses 465 port by default:

    a. connect to mail server using openssl :

    # openssl s_client -showcerts -connect mail.example.com:465

    b. Check output and make sure that valid certificate is shown:

    CONFIG_TEXT: Server certificate
    subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.example.com
    issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2

    c. Make sure that you received SMTP server response:

    CONFIG_TEXT: 220 mail.example.com ESMTP Postfix

Comments

4 comments

Sort by Date Votes
  • Avatar
    Henri Pelkonen

    I have similar problem, as OVH Let's encrypt SSL won't work, and mail certifies by domain always resort to ovh address.

    0
    Permalink
  • Avatar
    Lev Iurev

    @Henri, could you please describe the issue in more details?

    0
    Permalink
  • Avatar
    Henri Pelkonen (Edited )

    @Lev Iurev

    Hi,

    For starters I must say I'm very new to this and this is my first server setup with Plesk and mail server.

    Would you recommend 1 serverwide certificate to secure multiple domains or every domain with own sertificate as my vps is with shared IP?

    The problem is that I can't make sertificate now for my OVH vps cause number of *.ovh.net certs are restricted by Let's Encrypt. So should I get a own domain for vps and plesk server and get sertificate to that or could and should I get separate domain name sertificates to work with each domain? As for now the domains seems to show vps plesk self signed certificate even though they are set to Let's Encrypt via Plesk panel.

    Is there a way to force certificates to domain and bypass the plesk certificate and check them after they are set that tey truly are correct? Do I just need some refresh? I have use something like for now:

    true | openssl s_client -connect YOUR-DOMAIN.COM:995 | openssl x509 -noout -text | grep DNS:
    0
    Permalink
  • Avatar
    Artyom Baranov


    @Henri Pelkonen,

    >Would you recommend 1 serverwide certificate to secure multiple domains or every domain with own sertificate as my vps is with shared IP?

    I would use free Let's Encrypt certificates to secure my domains.

    >Is there a way to force certificates to domain and bypass the plesk certificate and check them after they are set that tey truly are correct?

    Make sure that SSL/TLS support is enabled and Let's Encrypt certificate is selected in Domains > example.com > Hosting Settings > Security

    Afterwards, use the following command to check which cert is used for a domain (where example.com is the domain name):

    # openssl s_client -showcerts -servername example.com -connect example.com:443

     

    0
    Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles