How do you properly test an imap:993 connection to determine whether implicit or explicit STARTTLS is set?

StevieD asked:

I’ve been reading many different blog posts and articles over the past hour but none have helped me understand why this command without -starttls:

openssl s_client -crlf -connect mail.example.org:993

results in:

CONNECTED(00000003)
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=mail.example.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=mail.example.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 4020 bytes and written 712 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: C1697F148A98513C69BA6D10E28E5B094BD80ADAF05C480658F294D71BD15AD7
    Session-ID-ctx:
    Master-Key: 4626C9E4F276AB077457DB574C181F3779207A228779204E325BF747AC6E487CFD0D79847CFD5B7E07DFB02C67DC4165
    Key-Arg   : None
    Start Time: 1602799379
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.

But this command with starttls:

openssl s_client -starttls imap -crlf -connect mail.example.org:993

results in just:

CONNECTED(00000003)

And then just kind of hangs and there doesn’t seem to be a way to interact with imap.

How do I properly test port 993 to determine if 1) I have explicit or implicit TLS? and 2) determine whether STARTTLS is enabled and working if it is set to explicit?

My answer:

Port 993 is defined as IMAP over TLS, i.e. implicit TLS. This port must always answer with a TLS handshake. STARTTLS may be used on the unencrypted port 143, but it’s best practice to not serve this port at all. See RFC 8314 for further information on this.
View the full question and any other answers on Server Fault.
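The stall in the question follows from the answer: `openssl s_client -starttls imap` first waits for the server's plaintext `* OK` greeting, while a port-993 listener waits for the client's TLS ClientHello, so neither side sends anything. The script below is an added example, written for this page and not taken from the question, the answer or Dovecot; it probes both modes with the Python standard library only. Port 993 is wrapped in TLS before anything is read (implicit TLS); port 143 is read in plaintext, then upgraded with STARTTLS (explicit TLS), and the capability list is compared before and after the upgrade. `mail.example.org` is the question's placeholder host, and the finding labels (`no-starttls`, `plaintext-auth-offered`, ...) are names chosen for this example. The greeting used in the comments and tests is the one the question's server printed.

```python
"""Probe an IMAP host for implicit TLS (993) and explicit STARTTLS (143).

Added example for this page; host, ports and the finding labels are assumptions.
"""
import re
import socket
import ssl

CAP_RE = re.compile(r"\[CAPABILITY ([^\]]*)\]")


def parse_capabilities(line):
    """Capability tokens from a greeting ('* OK [CAPABILITY ...] ...') or an
    untagged '* CAPABILITY ...' response; empty set for any other line."""
    m = CAP_RE.search(line)
    if m:
        return set(m.group(1).split())
    if line.startswith("* CAPABILITY "):
        return set(line[len("* CAPABILITY "):].split())
    return set()


def assess_capabilities(caps, over_tls):
    """Findings for a capability set, given whether it was read inside TLS."""
    findings = []
    plain_auth = {"AUTH=PLAIN", "AUTH=LOGIN"} & caps
    if over_tls:
        if "STARTTLS" in caps:
            findings.append("starttls-advertised-inside-tls")
        if "LOGINDISABLED" in caps and not any(c.startswith("AUTH=") for c in caps):
            findings.append("no-auth-mechanism-over-tls")
    else:
        if "STARTTLS" not in caps:
            findings.append("no-starttls")
        # RFC 3501 6.2.3: no plaintext passwords before STARTTLS, so the
        # plaintext greeting should carry LOGINDISABLED and no AUTH=PLAIN/LOGIN.
        if plain_auth or "LOGINDISABLED" not in caps:
            findings.append("plaintext-auth-offered")
    return findings


def _readline(f):
    raw = f.readline()
    if not raw:
        raise ConnectionError("server closed the connection")
    return raw.decode("utf-8", "replace").rstrip("\r\n")


def _lines_until_tagged(f, tag):
    """Collect response lines up to and including the tagged status line."""
    lines = []
    while True:
        lines.append(_readline(f))
        if lines[-1].startswith(tag + " "):
            return lines


def probe_implicit_tls(host, port=993, timeout=10.0):
    """993 must answer a ClientHello directly; the greeting arrives inside TLS."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            f = tls.makefile("rb")
            greeting = _readline(f)  # e.g. "* OK [CAPABILITY IMAP4rev1 ... AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready."
            f.close()
            return {"mode": "implicit-tls", "protocol": tls.version(),
                    "cipher": tls.cipher()[0], "greeting": greeting,
                    "findings": assess_capabilities(parse_capabilities(greeting), True)}
    except ssl.SSLCertVerificationError as e:
        return {"mode": "implicit-tls", "error": "certificate rejected: %s" % e}
    except (ssl.SSLError, socket.timeout) as e:
        # "wrong version number" here means the port sent plaintext instead of a ServerHello
        return {"mode": "not-tls-first", "error": str(e)}


def probe_starttls(host, port=143, timeout=10.0):
    """143 must greet in plaintext, offer STARTTLS, and upgrade on request."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        f = raw.makefile("rb")
        try:
            greeting = _readline(f)
        except socket.timeout:
            # Same stall as "-starttls imap" against 993: a TLS-first listener
            # waits for a ClientHello, so no plaintext greeting ever arrives.
            return {"mode": "no-plaintext-greeting", "hint": "port is probably TLS-first"}
        caps = parse_capabilities(greeting)
        if not caps:
            raw.sendall(b"a1 CAPABILITY\r\n")
            for line in _lines_until_tagged(f, "a1"):
                caps |= parse_capabilities(line)
        result = {"mode": "explicit-starttls", "greeting": greeting,
                  "before": assess_capabilities(caps, False)}
        if "STARTTLS" not in caps:
            return result
        raw.sendall(b"a2 STARTTLS\r\n")
        status = _lines_until_tagged(f, "a2")[-1]
        f.close()
        if not status.startswith("a2 OK"):
            result["error"] = status
            return result
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(b"a3 CAPABILITY\r\n")
                after = set()
                for line in _lines_until_tagged(tls.makefile("rb"), "a3"):
                    after |= parse_capabilities(line)
                result.update(protocol=tls.version(), cipher=tls.cipher()[0],
                              after=assess_capabilities(after, True))
        except ssl.SSLError as e:
            result["error"] = str(e)
        return result


if __name__ == "__main__":
    import json
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"
    print(json.dumps(probe_implicit_tls(host), indent=2))
    print(json.dumps(probe_starttls(host), indent=2))
```

Run it as `python3 imapprobe.py mail.example.org`. Because `ssl.create_default_context()` verifies the chain against the system trust store, the `verify error:num=20` in the question's `openssl` output would come back here as `certificate rejected` instead of being ignored as it is when `s_client` is run without `-CAfile`; when testing against a private CA, add it with `ctx.load_verify_locations(...)` rather than disabling verification. A healthy deployment returns `implicit-tls` with an empty findings list on 993 and, if 143 is served at all, `explicit-starttls` with an empty `before` list (STARTTLS and LOGINDISABLED advertised, no AUTH= mechanisms until after the upgrade).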

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.