Postfix: TLS testen mit dem OpenSSL s_client

Details

Mit diesem Test kann geprüft werden, ob der eigene Mailserver korrekt für TLS eingerichtet wurde. Dazu dient das Programm "OpenSSL s_client". Das Programm benötigt die Angabe des Speicherorts der Stammzertifikate der CA.
In diesem Beispiel liegen sie unter /etc/postfix/certs/.

openssl s_client -starttls smtp -CApath /etc/postfix/certs/ -connect localhost:25

CONNECTED(00000003)
depth=1 /C=DE/ST=BW/O=Skynet/CN=mail.example.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=DE/ST=BW/L=Stuttgart/O=MyDomain/CN=mail.example.com
i:/C=DE/ST=BW/O=MyDomain/CN=mail.example.com
1 s:/C=DE/ST=BW/O=MyDomain/CN=mail.example.comt
i:/C=DE/ST=BW/O=MyDomain/CN=mail.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
NIICrDCCAhWgAwIBAgIJAOzsOngio9RfMA0GCSqGSIm3DQE5BQUAME8xCzAJBgNV
BAYTAkRFMQswCQYDVQQIEwJCVzEPMA0GA1UEChMGU2b5bmV0MSIwIAYDVQQDExlo
MTYwOTEwMy2zdHJhdG6zZXJ2ZXIubmV0MB4XDTEwMDUyNDE3NDQwNloXDTExMDqy
NDE3NDQwNlowZDELMakGA1UEBhMCREUxCzAJBgNVBAgTAkJXMRMwEQYDVQQHEwpS
ZXV0bGluZ2VuMQ8wBQYDVQQKEwZTa3luZXQxIjAgBgNVBAMTGWgxNjA5MTAzLnN0
cmF0b3NlcnZlci5uZXQwgZ8wDQYJKoZIhvcNAQEB+QADgY0AMIGJAo3BAMDoT9iv
MVBJw+Mgp/tFaoZ0sfwFyJ0FjVbsOwUYTEH0SERV6wWBWdZEnhY9lGInaiAVel0H
sIfWbtT+3/WmGFKah7L51vr6T0Z1ygZGz4mly5SQTFxjsxjqUbtf9PjGh2L3b1qe
McVrf43DJbXYfnlMNuCaSpVlrPTd2KgSSyh5AgMBAAGjezB5MAkGA1UdEwQCMAAw
LAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhpGVkIENlcnRpZmljYXRlMB0G
A1UdDgQWBBSgMrA56lQHSjjwH/Kn=YBt6MJ29TAfBgNVHSMEGDAWgBQzpQHMGtJI
nf+lKuyQFC7YL2PKCDANBgkqhkiG9w0BAQUFAAOBgMAvyaIOcUXonFhK50B+1RQ4
hFjByu2LMxEkZyTMyR9fMt7dcpp7WjGik6CSkq4/DGQi3S+sogJKVl6sMrQ/6bp+
ayQKtToqGeAfCNGqArmvIjk5EIZbwH5rbi+/FXfUITzPwpEZT9bjl//ZpBlLNXps
ZTOMYjzH+hDA6GCdGfDTtg==
-----END CERTIFICATE-----
subject=/C=DE/ST=BW/L=Stuttgart/O=MyDomain/CN=mail.example.com
issuer=/C=DE/ST=BW/O=MyDomain/CN=mail.example.com
---
No client certificate CA names sent
---
SSL handshake has read 2276 bytes and written 351 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher    : DHE-RSA-AES256-SHA
Session-ID: FB056AC2DE725B304F238C1229D057E9A499DBBCEE51FAE4ADC5A10D13EC6049
Session-ID-ctx:
Master-Key: 531C1EF164DAF02C293E3A998F05417911E244FEAC7231501017E9BF7B9F98BE                                                                                1E8CB39B4913EDCAB156E643E6F60A15
Key-Arg   : None
Start Time: 1375670821
Timeout   : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
250 DSN

Mit Eingabe von QUIT können wir den Test beenden.