SSL Certificates Using STARTTLS For SMTP

CertAlert finds and monitors certificates used with HTTPS, SMTPS, LDAPS, POP3S, IMAPS etc. It will also discover and monitor SSL/TLS certificates used with the STARTTLS SMTP extension as described in RFC 3207.


Typically SMTP operates over an unsecured network connection. However, it is possible to run SMTP over a secured connection. There are two ways this can be setup: SMTPS and STARTTLS SMTP. With SMTPS, the SMTP protocol runs over the TLS protocol and knows nothing about the underlying secured transport layer. When SMTPS is used, the TLS connection must be setup before the applications can talk to each other over the SMTP layer. With STARTTLS SMTP, the server is able to offer TLS to the client as part of the SMTP negotiation by sending the STARTTLS command. The client can then agree to use TLS by sending a STARTTLS response. Once this exchange has taken place, the TLS connection is setup and all subsequent SMTP commands are over the TLS secured connection.

How CertAlert Discovers And Monitors STARTTLS SMTP Certificates

By default, CertAlert comes pre-configured to find STARTTLS SMTP certificates on the default ports used by this protocol (ports 25 and 587). If CertAlert can't obtain the certificate through an initial TLS handshake, it will switch to negotiating TLS using the STARTTLS command. It's easy to check other ports for STARTTLS SMTP, all you need to do is specify the ports in the config file. An example is given below that checks the default ports 25 and 587 and also ports 465 and 495.

<--Identify ports to check with STARTTLS -->
<add key="SmtpStartTlsPorts" value="25,587,465,495"/>