Skip to content

jbouwh/smtp-starttls-ciphers

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
dane-check
dane-check
 
 
getmx
getmx
 
 
starttls-ciphers
starttls-ciphers
 
 

Repository files navigation

smtp-starttls-ciphers

BASH script to test the MTA ciphers supported based on the NCSC security guidelines for TLS (Dutch)

Requires a linux environment with openssl and tls 1.3 support. WSL on Windows is also supported.

This script is only intended to ensure the correct ciphers are available. This scripts does not test the protocols SSL2/SSL3 or the correct sequence of the cipers. A good way for cipher and protocol complicancy is using the mail test at internet.nl.

The following ciphers are tested (note that TLS 1.3 is only tested generally):

GOOD:

  • ECDHE-ECDSA-AES256-GCM-SHA384 (TLS_AES_256_GCM_SHA384 in 1.3) [1.2]
  • ECDHE-ECDSA-CHACHA20-POLY1305 (TLS_CHACHA20_POLY1305_SHA256 in 1.3) [1.2]
  • ECDHE-ECDSA-AES128-GCM-SHA256 (TLS_AES_128_GCM_SHA256 in 1.3) [1.2]
  • ECDHE-RSA-AES256-GCM-SHA384 (TLS_AES_256_GCM_SHA384 in 1.3) [1.2]
  • ECDHE-RSA-CHACHA20-POLY1305 (TLS_CHACHA20_POLY1305_SHA256 in 1.3) [1.2]
  • ECDHE-RSA-AES128-GCM-SHA256 (TLS_AES_128_GCM_SHA256 in 1.3) [1.2]

SUFFIENT:

  • ECDHE-ECDSA-AES256-SHA384 [1.2]
  • ECDHE-ECDSA-AES256-SHA [1.0]
  • ECDHE-ECDSA-AES128-SHA256 [1.2]
  • ECDHE-ECDSA-AES128-SHA [1.0]
  • ECDHE-RSA-AES256-SHA384 [1.2]
  • ECDHE-RSA-AES256-SHA [1.0]
  • ECDHE-RSA-AES128-SHA256 [1.2]
  • ECDHE-RSA-AES128-SHA [1.0]
  • DHE-RSA-AES256-GCM-SHA384 [1.2]
  • DHE-RSA-CHACHA20-POLY1305 [1.2]
  • DHE-RSA-AES128-GCM-SHA256 [1.2]
  • DHE-RSA-AES256-SHA256 [1.2]
  • DHE-RSA-AES256-SHA [1.0]
  • DHE-RSA-AES128-SHA256 [1.2]
  • DHE-RSA-AES128-SHA [1.0]

FASE OUT:

  • ECDHE-ECDSA-DES-CBC3-SHA [1.0]
  • ECDHE-RSA-DES-CBC3-SHA [1.0]
  • DHE-RSA-DES-CBC3-SHA [1.0]
  • AES256-GCM-SHA384 [1.2]
  • AES128-GCM-SHA256 [1.2]
  • AES256-SHA256 [1.2]
  • AES256-SHA [1.0]
  • AES128-SHA256 [1.2]
  • AES128-SHA [1.0]
  • DES-CBC3-SHA [1.0]

Install

  • Copy the the starttls-ciphers script to your system.
  • Make sure the script is executable: chmod +x starttls-ciphers

Usage

  • Determine the hostname or IP address of MTA you want to test, e.g.: dig -t mx example.com or nslookup -type=mx example.com
  • Pick the host with the lowest order number: mx.example.com
  • You can also use the getmx script to get the preferred MTA
  • Run the script in the current dir (as user): ./starttls-ciphers mx.example.com or use getmx and run ./starttls-ciphers \./getmx example.com``
  • If you would like the output in CSV, add the -csv as second attribute: : ./starttls-ciphers mx.example.com -csv
  • You should get a result like below:

image

Docker support

A Dockerfile is added to be able to use the tools from a Docker container.

A public build is available for the x64 platform:

  • docker pull jbouwh/openssl-test

To build on another platform (takes some time):

  • docker build . -t jbouwh/openssl-test

To use (interactive shell):

  • docker run -it --rm jbouwh/openssl-test

To use (directly):

  • docker run -it --rm jbouwh/openssl-test starttls-ciphers `getmx example.com`

dane-check

A bonus is the dane-check script that verifies the DANE setup for MTA.

Use the command in the form ./dane-check smtp.example.com to validate DANE.

Note that only TLS 1.2 or TLS 1.3 are advised protocols to use regardless of the used ciphers.

About

Script to test the MTA ciphers supported

Topics

openssl ciphers smtp tls13-support

Resources

Readme

License

GPL-3.0 license
Activity

Stars

1 star

Watchers

1 watching

Forks

1 fork
Report repository

Releases 1

docker support Latest
Oct 6, 2021

Packages

No packages published

Languages