Hey,
Kind of strange that this works. Port 587 (submission) is usually set up to use
STARTTLS, just like port 25 (smtp) so you would need to specify -starttls smtp as
an option to openssl s_client. Port 465 (submissions, formerly known as smtps)
would work with mandatory TLS if the server supports that.
Are you sure you are testing correctly?
I would expect these to work:
$ openssl s_client -connect mail.foobar.com:587 -starttls smtp </dev/null
$ openssl s_client -connect mail.foobar.com:587 -starttls smtp -tls1_2 </dev/null
$ openssl s_client -connect mail.foobar.com:587 -starttls smtp -tls1_3 </dev/null
You are absolutely correct. When I add the -starttls part I get a much
better result. I am still confused why my version still printed "Verify
return code: 0 (ok)" but you are right, that was wrong.
When I use it with -starttls, then I get the following error:
# openssl s_client -showcerts -connect mail.felberbrot.at:587 -starttls smtp
CONNECTED(00000003)
depth=0 CN = *.foobar.com
verify error:num=20:unable to get local issuer certificate
verify return:1
write W BLOCK
So yeah, seems like they have an issue in their certificate chain. I
also tested this on an Alpine Linux, got the exact same error. So I
assume that's their problem.
Sorry for the noise!
Thanks for the help and greetings
Leo
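
Added example, not part of the thread: it reproduces verify error 20 offline with `openssl verify`, assuming the failure comes from a server that presents only its leaf certificate. The CA names, the host name mail.example.test and the helper functions make_chain and verify_leaf are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed root -> intermediate -> leaf chain (all names made up).
set -e

make_chain() {  # $1 = empty working directory
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root, marked as a CA by the v3_ca section above.
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -new -config "$d/ca.cnf" -subj "/CN=Constructed Intermediate CA" \
        -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.cnf" -extensions v3_ca \
        -out "$d/int.pem" 2>/dev/null
    # Leaf for the mail host, signed by the intermediate.
    openssl req -new -config "$d/ca.cnf" -subj "/CN=mail.example.test" \
        -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Prints "ok" or the verify error number; extra args are passed to openssl verify.
verify_leaf() {
    d=$1; shift
    if out=$(openssl verify -CAfile "$d/root.pem" "$@" "$d/leaf.pem" 2>&1); then
        echo ok
    else
        printf '%s\n' "$out" | sed -n 's/^error \([0-9]*\) at .*/\1/p' | head -n 1
    fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_chain "$work"
echo "leaf only (intermediate not supplied): $(verify_leaf "$work")"
echo "leaf + intermediate supplied:          $(verify_leaf "$work" -untrusted "$work/int.pem")"
```

Against a live server, the certificates printed by -showcerts are the ones the server actually sent, so a missing intermediate shows up as a single certificate block.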