Re: Checking Remote TLS?

AndrewR_ironport · ‎05-19-2009

We've just set up TLS on our C350's and have had a few hosts failing to verify when sending to them (currently set to prefer-verify). One of the hosts is MessageLabs, who I would have thought would be competent enough to put a proper SSL in place!

Is there any way to connect to them, request it and see what the cert actually is? Or alternatively a better way? The logs say there's a self signed certificate in the chain..

kyerramr · ‎05-26-2009

Outside the scope of IronPort, you could use openssl utility and connect to the Message labs MTA and issue starttls. This should give you the complete chain of the cert and show if it is incorrectly chained or cannot be validated.

-Kishore

meyd45_ironport · ‎06-24-2009

Try something like:

openssl s_client -starttls smtp -crlf -showcerts -connect cluster6a.eu.messagelabs.com:25

J.

steven_geerts · ‎06-27-2009

this Forum is gaining in usefulness every time!

i was seeking for the SSL test syntax for a long time but did not manage to find it. (maybe that says something about my "google capacities" )

thanks for posting this!

Steven

Andrew Wurster · ‎07-11-2009

Steven -

This would be an awesome feature to request on our ESA's with the help of your Cisco IronPort sales account team! +1 for a good idea.

Cheers!

Andrew