Using the openssl command to troubleshoot POP3S

Learning that lasts. Online courses from $14.99
I received a call from someone today reporting that he could no longer check email for his Verizon email account using Thunderbird on his Apple laptop. He reported that he was getting a message indicating that authorization was failing. He had the same problem a few days ago and had contacted Verzon support then. The Verizon support person he talked to reset his password. He was able to check his email afterwards through the webmail interface Verizon provides to its users through webmail.verizon.net, but the same password was not working with Thunderbird. I connected to his system via TeamViewer and verified that the userid and password that was working through the webmail interface was not working when used in Thunderbird. I verified that the email settings in Thunderbird matched what Verizion recommended, though he had been using those settings successfully for a long time, so they should have been working today. The settings inside Thunderbird were as follows:

POP3: pop.verizon.net (port 995, SSL/TLS, normal password)
SMTP: smtp.verizon.net (port 465, SSL/TLS, normal password)

When the problem occurred a few days ago, I called the Verizion support number shown below and the support person I talked to reset the password for the account and then I reset the password. When a similar problem occurred with the user's account over a month ago, I was told that when a Verizon support person resets the password the password is only good for a couple of hours and the user must reset it again himself/herself before the password expires. After the Verizion support person reset the password and I reset it again for the user, I was able to use the password the user had previously been using, since that's what I reset the password to be.

Verizion support: 1-800-837-4966

This time when the user reported the problem to me, I wasn't able to initiate any troubleshooting activity for a couple of hours. When I was able to troubleshoot, I used the openssl utility from a Linux system to troubleshoot - the tool is also available on OS X systems. Since the connection Thunderbird would use would be to the POP3S port, port 995 on the Verizion POP3 server, I used the command openssl s_client -connect pop.verizon.net:995 -quiet, which allowed me to establish a connection to the POP3 server on port 995, the Post Office Protocol 3 over TLS/SSL (POP3S) port. When I received the "+OK POP3 ready" prompt from the Verizion POP3S server, I issued the POP command user userid and hit Enter. When the server responded with an "+OK" indicating it had accepted the userid, I entered pass password where password was the user's password. That was accepted, too. I.e., I didn't see the authorization error message the user reported indicating the server was rejecting the userid and password combination from Thunderbird. I then entered the stat command for statistics on the email on the server for the user's account. The server responded with "+OK 1 17659" indicating he had only one email message on the server which was 17,659 bytes in length. I then issued the QUIT command to terminate the connection to the server.

$ openssl s_client -connect pop.verizon.net:995 -quiet
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = NL, L = Amsterdam, O = Verizon Enterprise Solutions, OU = Cybertrust
, CN = Verizon Public SureServer CA G14-SHA2
verify return:1
depth=0 C = US, ST = Texas, L = Irving, O = Verizon Data Services LLC, OU = VZAO
, CN = pop.verizon.net
verify return:1
+OK POP3 ready
user johndoe
+OK
pass maryslamb11
+OK Maildrop ready
stat
+OK 1 17659
quit
+OK
$

If I wanted to see the contents of the email, I could have issued the command RETR msg, to retrieve the message, where msg is the number of the email message, i.e., RETR 1 in this case, since there was only one email on the server for the user. Or I could have used the TOP command to retrieve just a portion of the message. The syntax for the command is TOP msg n where msg is the message number and n is the number of lines to view from the message. E.g., TOP 1 10 to see only the first 10 lines of the message. E.g., I might want to view only the header lines of the message to see the sender, subject, and time the message was sent.

When I called the user to inform him that I was ready to initiate troubleshooting from his system, he told me that the problem had gone away, so I don't know whether it was due to an issue on his system or on the Verizon server. But, if you want to troubleshoot POP3S connections to a Verizon or other provider's POP3 server on port 995, i.e., POP3S, you can use the openssl command to perform troubleshooting activities from a command, i.e., shell prompt.

You should have the OpenSSL software on a Mac OS X system by default. If you don't have it installed on a Linux system, it is provided by the openssl package, which can be installed with yum install openssl on a CentOS Linux system or sudo apt-get install openssl on an Ubuntu Linux system. You can see if it is already installed with the which command.



Generic Category (English)120x600

$ which openssl
/usr/bin/openssl
$

If you don't include the -quiet option to the command, you will see a lot more information as shown below:

$ openssl s_client -connect pop.verizon.net:995
CONNECTED(00000003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = NL, L = Amsterdam, O = Verizon Enterprise Solutions, OU = Cybertrust
, CN = Verizon Public SureServer CA G14-SHA2
verify return:1
depth=0 C = US, ST = Texas, L = Irving, O = Verizon Data Services LLC, OU = VZAO
, CN = pop.verizon.net
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Texas/L=Irving/O=Verizon Data Services LLC/OU=VZAO/CN=pop.verizon.
net
   i:/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon P
ublic SureServer CA G14-SHA2
 1 s:/C=US/ST=Texas/L=Irving/O=Verizon Data Services LLC/OU=VZAO/CN=pop.verizon.
net
   i:/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon P
ublic SureServer CA G14-SHA2
 2 s:/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon P
ublic SureServer CA G14-SHA2
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
 3 s:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFhjCCBG6gAwIBAgIUESjzN7IweX34zOs0RBvch/PGUswwDQYJKoZIhvcNAQEL
BQAwgY0xCzAJBgNVBAYTAk5MMRIwEAYDVQQHEwlBbXN0ZXJkYW0xJTAjBgNVBAoT
HFZlcml6b24gRW50ZXJwcmlzZSBTb2x1dGlvbnMxEzARBgNVBAsTCkN5YmVydHJ1
c3QxLjAsBgNVBAMTJVZlcml6b24gUHVibGljIFN1cmVTZXJ2ZXIgQ0EgRzE0LVNI
QTIwHhcNMTYwMTIyMjI1MDQyWhcNMTgwMTIyMjI1MDM4WjB7MQswCQYDVQQGEwJV
UzEOMAwGA1UECBMFVGV4YXMxDzANBgNVBAcTBklydmluZzEiMCAGA1UEChMZVmVy
aXpvbiBEYXRhIFNlcnZpY2VzIExMQzENMAsGA1UECxMEVlpBTzEYMBYGA1UEAxMP
cG9wLnZlcml6b24ubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
5KFXybvjW5iYOT0QWAk0DFE4J3owxws0bSVRNiIOGiwMeERFY1S08oQU/khg9LC4
d7n71yY1iyehoKpmdRpeO0MQ8dwd9Rt1CWDgf7TBb9hpuisBQ/2et4NIYZF7pg3m
Bpvg+cC7u/kmtoqUAKX0Ttj2hQhoRwPLWWa+jvZqjSQ3a/85Yx5dGvFWXjOZNrXT
0FdsrS76PecdR7WCaLXe2nQU7ALaHa0+zuii5Q0fK4QAo00qyUkwtIPDwjP2Fd93
ivsDgm2/8xR4rvAIvXw7ts2qVS/2ZtvyvA+LElTCDj6nmRxtog7xODDXnstAAgbS
mUsZmTUzqQeDxUxvwQoIqwIDAQABo4IB7TCCAekwDAYDVR0TAQH/BAIwADBMBgNV
HSAERTBDMEEGCSsGAQQBsT4BMjA0MDIGCCsGAQUFBwIBFiZodHRwczovL3NlY3Vy
ZS5vbW5pcm9vdC5jb20vcmVwb3NpdG9yeTCBqQYIKwYBBQUHAQEEgZwwgZkwLQYI
KwYBBQUHMAGGIWh0dHA6Ly92cHNzZzE0Mi5vY3NwLm9tbmlyb290LmNvbTAzBggr
BgEFBQcwAoYnaHR0cDovL2NhY2VydC5vbW5pcm9vdC5jb20vdnBzc2cxNDIuY3J0
MDMGCCsGAQUFBzAChidodHRwOi8vY2FjZXJ0Lm9tbmlyb290LmNvbS92cHNzZzE0
Mi5kZXIwMAYDVR0RBCkwJ4IPcG9wLnZlcml6b24ubmV0ghRpbmNvbWluZy52ZXJp
em9uLm5ldDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMB8GA1UdIwQYMBaAFOQtu5EBZSYftHo/oxUlpM6MRDM7MD4GA1UdHwQ3
MDUwM6AxoC+GLWh0dHA6Ly92cHNzZzE0Mi5jcmwub21uaXJvb3QuY29tL3Zwc3Nn
MTQyLmNybDAdBgNVHQ4EFgQUzX8KFr+KuoU9e8LRPs/22Lx3L5EwDQYJKoZIhvcN
AQELBQADggEBAL8NSBmaMziEmMO+FrpNPcjXfoc2r65p1zSoQPqrsGS8K8+KtZOA
lCBe46f4EvYJHVIKhA5WvJDMMI9WlnFrafN1zQZT5bTa2AQF51HJmlFsQZ/k4MQ6
OZIvHbRdXgz2L5pJv4R7ukEeAA+Ej2PvEKSaU7UJeCw2Xt2w0DM5SwTNKs/kWppS
mbRj48bisQmpyR+2FOXfyKnRjp8InVzPhYgEhfuZHi6SpJKNXxzqWPHaV9prmATa
G2z10z3zo7FOkGUN/YbW4CKXP/Y0h+x9lGeYuV2OCyEftow2vGuMG4WfhrcVi4ax
gzWrP0GiJYygCiNW6RUunvUx1By6c7Zh5dg=
-----END CERTIFICATE-----
subject=/C=US/ST=Texas/L=Irving/O=Verizon Data Services LLC/OU=VZAO/CN=pop.veriz
on.net
issuer=/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon
 Public SureServer CA G14-SHA2
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5726 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 80B14C64A35730366E41EDD155DF30B9CAE85A5EA78C384CCB8AFCA20747BED6
    Session-ID-ctx:
    Master-Key: 6523C0CE8EC41A4BE7E325FCC583D091591FE7A9703D7B86FE80DC748B4BC894
B30C981FBB311F67182271692D8BE3D0
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 8e f9 2c 45 b8 fe 62 83-1b 5d a4 70 ca 78 34 1c   ..,E..b..].p.x4.
    0010 - 27 34 97 a3 3a d2 b8 37-a6 07 6c 20 87 ad f9 43   '4..:..7..l ...C
    0020 - ac 85 53 bc b8 11 81 24-b1 e4 03 63 32 91 f0 a7   ..S....$...c2...
    0030 - 10 a0 3a a3 4e 3d 8b 16-4c c5 e5 92 59 9b 54 6f   ..:.N=..L...Y.To
    0040 - 0e 31 58 80 69 3c 2f 24-df 29 53 66 f6 4b 37 fc   .1X.i</$.)Sf.K7.
    0050 - 52 4b 7d 42 43 61 09 a3-60 bb cf 54 32 f1 ff 03   RK}BCa..`..T2...
    0060 - f7 c7 b4 34 17 96 b8 85-1f 40 81 d2 81 f3 f1 d8   ...4.....@......
    0070 - be e7 61 e8 6e eb 70 a7-9d e3 66 09 7b df f8 38   ..a.n.p...f.{..8
    0080 - bc de fb 11 76 cc 1b e0-af 3d 6a e2 9d 0e 88 8a   ....v....=j.....
    0090 - 71 da d3 7e 79 ad 7a 4d-0c 25 bd 7b dd fb 9c 63   q..~y.zM.%.{...c
    00a0 - bb 47 40 1d 4f da f6 ca-7b 38 8f ff 4a c5 58 b6   .G@.O...{8..J.X.

    Start Time: 1473985213
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK POP3 ready
user johndoe
+OK
pass maryslamb11
+OK Maildrop ready
stat
+OK 2 9418
uidl
+OK unique-id listing follows
1 118150-1215018655
2 118151-1215018655
.
quit
+OK
closed
$

The uidl command is another command that will show you the number of messages currently on the server for the user. When I checked the second time, there were two messages for the user's account on the Verizion server. You can get a complete list of the commands recognized by POP3 servers at Post Office Protocol - Version 3 (POP3) servers. That document is the Requests for Comment (RFC) for the protocol. An RFC is the mechanism used by the Internet Engineering Task Force (IETF) to establish Internet standards.