Verify Email SSL Certificate from CLI

Submitted by on May 8, 2015 – 10:36 am

Just a quick reference for validating SSL certs on mail servers. This is not something I have to do often, but when the need arises, I find myself googling the answer every single time. So finally I decided to document the process.

First, obtain the list of mail servers for the domain of interest. The one-liner below lists the MX targets sorted by preference value, lowest (most preferred) first. The sort has to be numeric (-n): a plain text sort puts 5 after 40, so the order would not be the order a sending MTA actually uses:

d="gmail.com" ; dig +short "${d}" MX 2>/dev/null | sort -n -k1 | awk '{print $2}' | sed 's/\.$//'

gmail-smtp-in.l.google.com
alt1.gmail-smtp-in.l.google.com
alt2.gmail-smtp-in.l.google.com
alt3.gmail-smtp-in.l.google.com
alt4.gmail-smtp-in.l.google.com

You can obtain the most pertinent information about the cert as follows:
echo | openssl s_client -connect gmail-smtp-in.l.google.com:25 2>/dev/null -starttls smtp | openssl x509 -noout -issuer -subject -hash -fingerprint -dates

issuer= /C=US/O=Google Inc/CN=Google Internet Authority G2
subject= /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
bc0b6639
SHA1 Fingerprint=F1:3A:D2:48:92:5B:5C:CC:F9:12:9B:C9:E3:E0:CA:03:F1:DE:74:B1
notBefore=Feb 18 10:14:15 2015 GMT
notAfter=Dec 31 00:00:00 2015 GMT

This prints the issuer, the subject, the subject-name hash (the bare bc0b6639 line, produced by -hash), the fingerprint and the validity dates. Two caveats. The digest behind -fingerprint depends on the OpenSSL release (SHA-1 on the release used here, SHA-256 on current ones), so name it explicitly with -sha256 or -sha1 whenever you compare against a recorded value. And nothing in this pipeline verifies the certificate: x509 only decodes whatever the server sent. The chain and hostname verdict comes from s_client itself, in its "Verify return code" line, and it only reads 0 (ok) when s_client can find a trust store (the system default, or one given with -CAfile/-CApath). Expect the subject to differ from the MX hostname (mx.google.com above, not gmail-smtp-in.l.google.com): the names that have to match live in the Subject Alternative Name extension, which the -text dump below shows, and MTAs doing opportunistic TLS generally do not enforce a name match at all unless a DANE or MTA-STS policy requires it. You can also get all the information about the cert using this command:
echo | openssl s_client -connect gmail-smtp-in.l.google.com:25 2>/dev/null -starttls smtp | openssl x509 -noout -text
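The checks the plain dump leaves out, as an added example that is not code from the original post: it reads the "Verify return code" that s_client reports (with -verify_hostname, so a name mismatch also fails), turns notAfter into a days-to-expiry figure you can alert on, and skips -starttls on 465, which is implicit TLS. It assumes GNU date (for date -d), coreutils timeout and OpenSSL 1.1 or later; the host, port and 30-day threshold in the usage line are my own choices.

```bash
#!/bin/bash
# Added example, not code from the original post. Assumes GNU date (date -d),
# coreutils timeout and OpenSSL 1.1 or later (-verify_hostname).

# Epoch seconds for an openssl "notAfter=..." value such as
# "notAfter=Dec 31 00:00:00 2015 GMT".
not_after_epoch() {
    date -u -d "${1#notAfter=}" +%s
}

# Whole days until expiry (negative once expired). The optional second
# argument is "now" as epoch seconds, which keeps the result reproducible.
days_left() {
    end=$(not_after_epoch "$1") || return 2
    now="${2:-$(date -u +%s)}"
    echo $(( (end - now) / 86400 ))
}

# Print the numeric "Verify return code" from s_client output on stdin.
# 0 means the chain verified and, with -verify_hostname, the name matched;
# 62 is a hostname mismatch, 21 an untrusted/incomplete chain.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Fetch the certificate from host:port and apply the checks above.
# Port 465 is SMTPS (implicit TLS), so it must not get -starttls smtp.
# Exit status is 0 only if verification passed and expiry is at least
# warn_days away, so the function can drive a monitoring check directly.
check_mx_cert() {
    host="$1" ; port="${2:-25}" ; warn_days="${3:-30}"
    if [ "$port" = 465 ] ; then tls_args="" ; else tls_args="-starttls smtp" ; fi
    out=$(timeout 10 openssl s_client -connect "${host}:${port}" $tls_args \
            -servername "$host" -verify_hostname "$host" </dev/null 2>/dev/null)
    code=$(printf '%s\n' "$out" | verify_code)
    end_line=$(printf '%s\n' "$out" | openssl x509 -noout -enddate 2>/dev/null)
    left=$(days_left "$end_line")
    printf '%s:%s verify=%s days_left=%s\n' "$host" "$port" "${code:-none}" "${left:-?}"
    [ "$code" = 0 ] && [ "${left:-0}" -ge "$warn_days" ]
}

# Usage (needs network; host, port and threshold are illustrative):
# check_mx_cert gmail-smtp-in.l.google.com 25 30
```

Run check_mx_cert per MX host and port; a non-zero exit means either s_client could not verify the certificate or it expires inside the threshold, and the printed line tells you which.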

If the server is using a non-standard port, you can use nmap to find open ports. --open keeps only open ports in the output, -n skips reverse DNS, and 587 (submission) is added to the range; remember that 465 is SMTPS with implicit TLS, so against it s_client must be run without -starttls smtp:
nmap -Pn -n --open -p T:25-500,587 gmail-smtp-in.l.google.com 2>/dev/null | grep -E "^[0-9]+/tcp +open" | cut -d/ -f1

25

If you’re feeling unusually lazy and absolutely cannot be bothered, here’s a scripted version where you only need to supply the target domain:
#!/bin/bash
# Usage: mxcerts.sh example.com
if [ -z "$1" ] ; then echo "Specify domain" ; exit 1 ; fi
if ! command -v nmap >/dev/null 2>&1 ; then echo 'Nmap is not installed or is not in your $PATH' ; exit 1 ; fi
d="$1"
# MX targets for the domain, trailing dot stripped
for server in $(dig +short "${d}" MX 2>/dev/null | awk '{print $2}' | sed 's/\.$//') ; do
  # skip MX names that do not resolve
  if [ "$(dig +short "${server}" | grep -c .)" -eq 0 ] ; then continue ; fi
  echo "Scanning for open ports on ${server}"
  # same 25-500 range as above plus 587; --open keeps only open ports
  nmap -Pn -n --open -p T:25-500,587 "${server}" 2>/dev/null | grep -E "^[0-9]+/tcp +open" | cut -d/ -f1 | while read -r port ; do
    echo "Checking ${server}:${port}"
    # 465 is implicit TLS (SMTPS); everything else gets STARTTLS.
    # timeout bounds a hung handshake instead of sleeping and killing.
    if [ "${port}" = 465 ] ; then starttls="" ; else starttls="-starttls smtp" ; fi
    timeout 10 openssl s_client -connect "${server}:${port}" ${starttls} </dev/null 2>/dev/null | openssl x509 -noout -issuer -subject -hash -fingerprint -dates 2>/dev/null
    echo ""
  done
done

Checking gmail-smtp-in.l.google.com:25
issuer= /C=US/O=Google Inc/CN=Google Internet Authority G2
subject= /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
bc0b6639
SHA1 Fingerprint=F1:3A:D2:48:92:5B:5C:CC:F9:12:9B:C9:E3:E0:CA:03:F1:DE:74:B1
notBefore=Feb 18 10:14:15 2015 GMT
notAfter=Dec 31 00:00:00 2015 GMT

Checking alt4.gmail-smtp-in.l.google.com:25
issuer= /C=US/O=Google Inc/CN=Google Internet Authority G2
subject= /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
bc0b6639
SHA1 Fingerprint=F1:3A:D2:48:92:5B:5C:CC:F9:12:9B:C9:E3:E0:CA:03:F1:DE:74:B1
notBefore=Feb 18 10:14:15 2015 GMT
notAfter=Dec 31 00:00:00 2015 GMT

Checking alt3.gmail-smtp-in.l.google.com:25
issuer= /C=US/O=Google Inc/CN=Google Internet Authority G2
subject= /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
bc0b6639
SHA1 Fingerprint=F1:3A:D2:48:92:5B:5C:CC:F9:12:9B:C9:E3:E0:CA:03:F1:DE:74:B1
notBefore=Feb 18 10:14:15 2015 GMT
notAfter=Dec 31 00:00:00 2015 GMT

Checking alt2.gmail-smtp-in.l.google.com:25
issuer= /C=US/O=Google Inc/CN=Google Internet Authority G2
subject= /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
bc0b6639
SHA1 Fingerprint=F1:3A:D2:48:92:5B:5C:CC:F9:12:9B:C9:E3:E0:CA:03:F1:DE:74:B1
notBefore=Feb 18 10:14:15 2015 GMT
notAfter=Dec 31 00:00:00 2015 GMT

Checking alt1.gmail-smtp-in.l.google.com:25
issuer= /C=US/O=Google Inc/CN=Google Internet Authority G2
subject= /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
bc0b6639
SHA1 Fingerprint=F1:3A:D2:48:92:5B:5C:CC:F9:12:9B:C9:E3:E0:CA:03:F1:DE:74:B1
notBefore=Feb 18 10:14:15 2015 GMT
notAfter=Dec 31 00:00:00 2015 GMT

 
