Querying Target SMTP Server for Expected Certificates

To configure your SMTP server correctly, you first need to obtain the certificate chain that the SMTP server expects. This guide will walk you through the steps to retrieve and import the necessary certificates.

Obtain the Certificate Chain

The preferred way to obtain the certificate chain is from service mode on the SMS that is being configured. However, any Linux system on the same network should yield the same results.

Access the Linux box or the SMS and, as root, issue the following command:

openssl s_client -connect smtp.gmail.com:587 -starttls smtp -tls1_2

This command returns the certificate information for the STARTTLS connection to the SMTP server on port 587.

Scroll up to the portion titled “Certificate chain” to see the details of the chain that the server expects to authenticate against. Each entry shows a certificate's subject (s:) and its issuer (i:). Here is an example output from a test machine:

In this case, the necessary certificates for the chain are the GTS Root R1 and WR2. Your output may vary.
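
The following is an added example, not part of the original article: a shell function that reads openssl s_client output and lists the issuing CAs named in the "Certificate chain" section, so you know which CA certificates to look for. It goes slightly beyond the case shown above by accepting both the newer (CN = X) and older (/CN=X) OpenSSL name formats. The function names chain_issuers and sample_output are hypothetical, and the sample output is constructed to match the test case above.

```shell
#!/bin/sh
# Added example: list the issuing CAs named in the "Certificate chain"
# section of `openssl s_client` output. Reads the output on stdin.
# Function names are hypothetical; they are not part of any product.

chain_issuers() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }   # section starts here
        in_chain && /^---/   { in_chain = 0 }         # "---" closes the section
        in_chain && /^[ \t]*i:/ {                     # i: lines carry the issuer
            line = $0
            sub(/^[ \t]*i:/, "", line)
            # Pull the CN value from "CN = X" (newer OpenSSL) or "/CN=X" (older)
            if (match(line, "CN ?= ?[^,/]*")) {
                cn = substr(line, RSTART, RLENGTH)
                sub(/^CN ?= ?/, "", cn)
                sub(/[ \t]+$/, "", cn)
                # Print each issuer once, in the order the chain lists them
                if (!(cn in seen)) { seen[cn] = 1; print cn }
            }
        }
    '
}

# Constructed sample of s_client output (not captured from a real session).
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = smtp.gmail.com
   i:C = US, O = Google Trust Services, CN = WR2
 1 s:C = US, O = Google Trust Services, CN = WR2
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
---
Server certificate
EOF
}

# Offline run against the constructed sample:
sample_output | chain_issuers

# Against a live server, pipe the command from this guide into the function:
#   openssl s_client -connect smtp.gmail.com:587 -starttls smtp -tls1_2 \
#       </dev/null 2>/dev/null | chain_issuers
```

Any issuer this prints that is not already listed under CA Certificates on the SMS is a candidate for import.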

Download and Import the Certificates

Download the relevant certificates from the Google PKI Repository.

Next, import them into the SMS Client:

SMS Client > Admin > Certificate Management > CA Certificates > Import

You should see a screen similar to the one above (note that it may take some time for the status to go to valid).

Configure and Test the SMTP Server Settings

Select your certificate (in this test case, it is WR2) in the SMTP server settings:

Fill out the rest of the settings. Note that the documentation for both Gmail and Google Workspace indicates that you may need to use an app-specific password, which is separate from the account's normal password, for an application such as this.

Once configured, you should be able to hit Test and get a response similar to:

You should also receive an email that contains something like this:

Summary

Following these steps enables administrators to verify the certificate chain expected by smtp.gmail.com, find and import the necessary certificates into the TippingPoint SMS, and configure SMTP settings to allow for the secure transmission of mail through TLS.