

Test your email server encryption - Sami_Lehtinen
https://ssl-tools.net/mailservers/

======
Someone1234
Not loving the "shame" list. It would discourage me from trying a public
domain on the site.

~~~
dewey
I agree, it's also not that great to have a list of "Insecure web servers"
[0], there should be a "don't show checked site in public results" checkbox
like on ssllabs.com's certificate tests.

[0] [https://ssl-tools.net/webservers](https://ssl-tools.net/webservers)

------
spindritf
I can send an e-mail to them but they cannot connect to my server. It times
out on STARTTLS.

Nevermind. I penalize suspect servers with a 30 seconds delay and they
triggered it.

    H=ssl-tools.net (ssl-trust.com) [91.202.41.201] Warning: remote host presented unverifiable HELO/EHLO greeting.

------
dewey
I just checked one of my email providers and I get the following results:

- Hostname: mail.example.com
- StartTLS: supported
- Certificates: www.spamfirewall.at - Certificate does not match hostname

       Certificate chain:
       www.spamfirewall.at
       337 days remaining  2048 bit sha1WithRSAEncryption
       Root certificate unknown

- Perfect Forward Security: unsupported
- DANE: Missing

I use an SSL certificate for my domain example.com. Is there something I have
to do to fix that, or is this only something the provider needs to take care
of?

~~~
JoachimSchipper
I guess that you simply pointed mail.example.com to www.spamfirewall.at? I
would _expect_ your setup to work if you'd instead point your MX record at
www.spamfirewall.at, so that the certificate will match what the sender
expects to see.

IIRC, SpamAssassin (slightly) penalizes e-mail coming from anything except
mail.example.com and smtp.example.com, so it would be preferable to get your
mailserver to use mail.example.com with an appropriate certificate. But if
this is indeed an external service, you may not want to give them the private
key of a mail.example.com certificate.

In any case, it's worrying if they're vulnerable to Heartbleed, but it's not
_that_ bad if SSL doesn't work - mail will still be sent in plaintext if the
sender's mail server does not support it, or if you're actually under
(man-in-the-middle-)attack, so you should treat e-mail as fairly untrusted anyway.

~~~
dewey
Hey,

thanks for your reply. They are not vulnerable to Heartbleed and I never
pointed my domain to their anti-spam tool, it's just something they were
offering and set up for their customers I think. I'll just contact them with a
link to the test and ask what's up.

Good point about being penalized by SpamAssassin, I'll look into that!

------
mike-cardwell
I think I win? [https://ssl-tools.net/mailservers/grepular.com](https://ssl-tools.net/mailservers/grepular.com)

------
teddyh
See also ([https://starttls.se/](https://starttls.se/)).

------
abcd_f
This incorrectly flags primary mail server as insecure if secondary server is
unreachable.

~~~
josephlord
To be fair, it should say unknown rather than insecure if the secondary can't
be accessed and it can't confirm that it is secure, and you should assume an
attacker able to perform a Man in the Middle attack on you could disrupt your
traffic sufficiently to force the fallback to the secondary server.

Although does the validity of the incoming mail servers certificates actually
matter? In an ideal world other hosts would never send to improperly signed
hosts or without TLS but that clearly is not the case so I'm not sure what
current practical value having proper certificates actually has. In the longer
term by pushing people to adopt proper certs it may become practical for
people to turn off sending to servers without proper certificates so this may
be better seen as part of a long term effort.
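Two points in this thread can be made concrete in code: dewey's result (the certificate presented by the MX host names www.spamfirewall.at, not mail.example.com, so a sender verifying the MX target name will reject it, as JoachimSchipper explains), and josephlord's point that an unreachable secondary should be reported as "unknown" rather than "insecure", while the domain's overall posture is still bounded by its weakest MX because a network attacker can force fallback. The script below is an added example, not ssl-tools.net's code; it evaluates constructed probe results offline instead of opening SMTP connections, and the `Probe` fields and the `SAMPLE_MX` data are assumptions modelled on the results quoted above.

```python
"""Classify STARTTLS probe results for a domain's MX hosts (added example).

Uses constructed probe data; no network access. The hostname matcher follows
the usual RFC 6125 rules for dNSName/CN comparison, which is what a sender
doing certificate verification would apply to the MX target name.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def hostname_matches(expected: str, cert_name: str) -> bool:
    """True if one certificate name covers the expected MX target hostname.

    Case-insensitive; a wildcard is honoured only as the entire leftmost label
    and matches exactly one label ("*.example.com" covers mail.example.com but
    not example.com or a.b.example.com).
    """
    expected = expected.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if "*" not in cert_name:
        return expected == cert_name
    first, _, rest = cert_name.partition(".")
    if first != "*" or not rest or "*" in rest:
        return False  # partial wildcards such as "m*.example.com" are rejected
    exp_first, _, exp_rest = expected.partition(".")
    return bool(exp_first) and exp_rest == rest


def cert_matches_host(mx_target: str, cert_names: list[str]) -> bool:
    """True if any name in the certificate matches the MX target."""
    return any(hostname_matches(mx_target, n) for n in cert_names)


@dataclass
class Probe:
    """Constructed summary of one STARTTLS probe (assumed field set)."""
    reachable: bool
    starttls: bool = False
    cert_names: list[str] = field(default_factory=list)  # CN + SAN dNSNames
    chain_trusted: bool = False  # chains to a known root
    pfs: bool = False            # negotiated an (EC)DHE cipher suite


def classify(mx_target: str, probe: Probe) -> tuple[str, list[str]]:
    """Return ('secure' | 'insecure' | 'unknown', list of reasons).

    An unreachable host is 'unknown': nothing was verified, but nothing was
    shown to be weak either.
    """
    if not probe.reachable:
        return "unknown", ["could not connect; unverified, not proven insecure"]
    if not probe.starttls:
        return "insecure", ["STARTTLS not offered"]
    problems: list[str] = []
    if not cert_matches_host(mx_target, probe.cert_names):
        problems.append("certificate does not match hostname")
    if not probe.chain_trusted:
        problems.append("root certificate unknown")
    if not probe.pfs:
        problems.append("no forward secrecy")
    return ("insecure" if problems else "secure"), problems


def domain_verdict(mx_records: dict[str, Probe]) -> str:
    """Overall posture is bounded by the weakest MX.

    A network attacker who can disrupt traffic to the primary can push a
    sender onto the secondary, so one insecure MX makes the domain insecure,
    and one unverified MX leaves the domain's posture unknown.
    """
    statuses = [classify(host, probe)[0] for host, probe in mx_records.items()]
    if "insecure" in statuses:
        return "insecure"
    if "unknown" in statuses:
        return "unknown"
    return "secure"


# Constructed data modelled on the results quoted in the thread: the primary
# MX presents a certificate for the provider's own hostname, the secondary
# could not be reached at all.
SAMPLE_MX: dict[str, Probe] = {
    "mail.example.com": Probe(
        reachable=True,
        starttls=True,
        cert_names=["www.spamfirewall.at"],
        chain_trusted=False,
        pfs=False,
    ),
    "mx2.example.com": Probe(reachable=False),
}

if __name__ == "__main__":
    for host, probe in SAMPLE_MX.items():
        status, reasons = classify(host, probe)
        print(f"{host}: {status} {reasons}")
    print("domain:", domain_verdict(SAMPLE_MX))
```

Running it prints the primary as insecure with three reasons and the secondary as unknown, and the domain as insecure. If the provider reissued the certificate for mail.example.com (or the MX record were repointed at www.spamfirewall.at, as suggested above) with a trusted chain and a forward-secret cipher suite, the primary would become secure and the domain verdict would drop only to unknown until the secondary can actually be probed.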

