When enabling Opportunistic Transport Layer Security (TLS) mode, the MTA servers initially check if sending or receiving can perform SMTP transaction in TLS mode. If so, the entire session and process will be done in TLS mode.
IMSS and IMSA TLS support:
|IMSVA 9.0||With patch1 or later||Supports TLS v1.0/1.1/1.2|
|IMSVA 9.1||From GM Build||Supports TLS v1.0/1.1/1.2|
|IMSS 7.5 Windows||With patch1 or later||Supports TLS v1.0/1.1/1.2|
|IMSS 7.1 Linux||Any||Postfix was provided by users|
IMSS and IMSVA SMTP TLS support v1.0, v1.1 and v1.2. In opportunistic mode, it will always try to use the higher TLS version to communicate with sending or receiving MTA.
If the sending or receiving MTA only supports TLS 1.0, IMSS or IMSVA will use TLS 1.0 to communicate with the sending or receiving MTA.
The Administrator can use the following to identify the highest TLS version that their MTA supports:
If the MTA can be accessed through the internet, the Administrator can use www.checktls.com website to check their MTA's TLS version.
- Open www.checktls.com website.
Access email > test TO:
Click image to enlarge
On the newly opened URL, http://www.checktls.com/perl/live/TestReceiver.pl, provide the test mail address and MTA info.
For example, the following shows that the TLS status to test is for MTA 126.96.36.199:
- Click Run Test to start testing.
Check the SSLVersion info in the result.
For example, "SSLVersion in use: TLSv1.2" indicates that this MTA supports the highest TLS version which is v1.2
If the MTA could not be accessed through the internet, the Administrator can use the local OpenSSL to check the MTA's supported TLS version directly.
Run the following via the Command line:
openssl s_client -connect MTA:port -starttls smtp
For example, the following is the command used for checking the TLS version for MTA 192.168.50.91:
openssl s_client -connect 192.168.50.91:25 -starttls smtp
Result contains "Protocol : TLSv1.2", this indicates that MTA 192.168.50.91 supports the highest TLS version which is v1.2.