[Cryptography] How to get certificates on email server?
Viktor Dukhovni
cryptography at dukhovni.org
Mon Apr 18 17:59:54 EDT 2016

On Mon, Apr 18, 2016 at 06:56:40PM -0000, John Levine wrote:

> $ openssl s_client -starttls smtp -connect hostname:port

Make that:

    $ hostport=smtp.example:587 # Season to taste
    $ (sleep 2; printf "QUIT\r\n") |
        openssl s_client -showcerts -starttls smtp -connect $hostport |
        openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
        openssl pkcs7 -print_certs -text -out chain.pem

Which dumps the entire chain into "chain.pem".

That's for STARTTLS on port 25 and 587. For "smtps" on port 465
drop the "-starttls" option from the s_client(1) command.

Additional tools in this space include "swaks" and "posttls-finger
-C", with the latter not necessarily available with your vendor's
Postfix release; some don't include it in their binary packages.
The posttls-finger source is available with Postfix 2.11 and later.

    http://www.postfix.org/INSTALL.html#build_opt
    http://www.postfix.org/TLS_README.html#build_tls

The binary is in bin/posttls-finger, but is not automatically
installed.

--
Viktor.
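
An added example, not part of the original message: the pipeline above wrapped so that port 465 drops "-starttls", plus a check over the "-text" dump in chain.pem that each certificate's Issuer line matches the next certificate's Subject line. The function names and the sample dump are constructed for illustration, and the check compares printed names only; it verifies no signatures.

```shell
# Added example; function names and sample data are constructed, not from the post.

# s_client options by port: implicit TLS on 465 takes no -starttls option.
smtp_tls_opts() {
    case "$1" in
        465) echo "-showcerts" ;;
        *)   echo "-showcerts -starttls smtp" ;;
    esac
}

# Fetch the chain for host:port into chain.pem, as in the post.
fetch_chain() {
    opts=$(smtp_tls_opts "${1##*:}")   # left unquoted below so it word-splits
    (sleep 2; printf 'QUIT\r\n') |
        openssl s_client $opts -connect "$1" 2>/dev/null |
        openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
        openssl pkcs7 -print_certs -text -out chain.pem
}

# For each certificate in the -text dump, compare its Issuer line with the
# Subject line of the next one. String comparison only; no signature checks.
# Reads the named file, or stdin when called without arguments.
chain_links() {
    awk '
        /^ *Issuer: /  { sub(/^ *Issuer: /, "");  iss[n + 1] = $0 }
        /^ *Subject: / { sub(/^ *Subject: /, ""); subj[++n] = $0 }
        END {
            for (i = 1; i <= n; i++) {
                if (i < n) s = (iss[i] == subj[i + 1]) ? "ok" : "BROKEN"
                else       s = (iss[i] == subj[i]) ? "self-signed" : "end"
                printf "%d %s %s\n", i, s, subj[i]
            }
        }' "$@"
}

# Constructed sample: only the lines chain_links reads, with a gap in the
# chain (the issuer of certificate 2 is not the subject of certificate 3).
sample_dump() {
    cat <<'EOF'
        Issuer: CN=Example Issuing CA
        Subject: CN=smtp.example
        Issuer: CN=Example Root CA
        Subject: CN=Example Issuing CA
        Issuer: CN=Other Root
        Subject: CN=Other Root
EOF
}
```

After "fetch_chain smtp.example:587", run "chain_links chain.pem"; a BROKEN line means the server sent its certificates out of order or left an intermediate out.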