HES is configured in Opportunistic Transport Layer Security (TLS) mode. In this mode, the MTA servers first check whether the sending or receiving MTA can perform the SMTP transaction in TLS mode. If so, the entire session and process will be done in TLS mode.
HES SMTP TLS supports v1.0, v1.1 and v1.2. In opportunistic mode, it will always try to use the highest TLS version to communicate with the sending or receiving MTA.
If the sending or receiving MTA only supports TLS 1.0, HES will use TLS 1.0 to communicate with the sending or receiving MTA.
The Administrator can use the following to identify the highest TLS version that their MTA supports:
If the MTA can be accessed through the internet, the Administrator can use the www.checktls.com website to check their MTA's TLS version.
- Open the www.checktls.com website.
- Go to email > test TO:
- On the newly opened URL, http://www.checktls.com/perl/live/TestReceiver.pl, provide the test mail address and MTA info.
For example, the following shows that the TLS status to test is for MTA 220.127.116.11:
- Click Run Test to start testing.
- Check the SSLVersion info in the result.
For example, "SSLVersion in use: TLSv1.2" indicates that the highest TLS version this MTA supports is v1.2.
If the MTA cannot be accessed through the internet, the Administrator can use a local OpenSSL installation to check the MTA's supported TLS version directly.
Run the following from the command line:
openssl s_client -connect MTA:port -starttls smtp
For example, the following is the command used for checking the TLS version for MTA 192.168.50.91:
openssl s_client -connect 192.168.50.91:25 -starttls smtp
If the result contains "Protocol : TLSv1.2", this indicates that the highest TLS version MTA 192.168.50.91 supports is v1.2.
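The OpenSSL check above reports only the version that was negotiated. The following added example (not vendor code) goes one step further and forces each version HES supports in turn, using the standard `-tls1`, `-tls1_1` and `-tls1_2` options of `openssl s_client`, so the Administrator can see which versions the MTA accepts. The function names and the sample output excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): list the TLS versions an MTA accepts over
# SMTP STARTTLS by forcing one version per openssl s_client run.

# Read `openssl s_client` output on stdin and print the negotiated protocol
# (for example TLSv1.2). Prints nothing when the handshake failed: some
# OpenSSL builds still print a "Protocol" line then, with the cipher
# reported as (NONE) or 0000.
negotiated_protocol() {
    awk '
        index($0, "Cipher is (NONE)")        { failed = 1 }
        /^[ \t]*Cipher[ \t]*:[ \t]*0000/     { failed = 1 }
        /^[ \t]*Protocol[ \t]*:/ && !proto   { proto = $NF }
        END { if (!failed && proto) print proto }
    '
}

# $1 = host, $2 = port, $3 = version flag (-tls1, -tls1_1 or -tls1_2).
probe_version() {
    openssl s_client -connect "$1:$2" -starttls smtp "$3" \
        </dev/null 2>/dev/null | negotiated_protocol
}

# Probe each version HES supports and report the highest one accepted.
# A "not negotiated" line can also mean the local OpenSSL build refuses
# that version, so run this from a client that still allows TLS 1.0/1.1.
probe_mta() {
    host=$1; port=${2:-25}; highest=none
    for flag in -tls1 -tls1_1 -tls1_2; do
        got=$(probe_version "$host" "$port" "$flag")
        if [ -n "$got" ]; then
            echo "$flag: accepted ($got)"; highest=$got
        else
            echo "$flag: not negotiated"
        fi
    done
    echo "highest accepted: $highest"
}

# Constructed s_client excerpts, used only to exercise the parser offline.
SAMPLE_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1
    Cipher    : 0000'

# Run a live probe only when a host is given: sh probe.sh 192.168.50.91 25
if [ "$#" -ge 1 ]; then probe_mta "$@"; fi
```

An MTA that accepts only `-tls1` is one that HES will talk to over TLS 1.0 in opportunistic mode.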