Using OpenSSL to verify a security certificate for an email server

You can use the OpenSSL s_client -connect command to check the certificate on a remote server by specifying the remote system in the form x.x.x.x:port, where x.x.x.x is the IP address of the remote system and port is the relevant port; a fully qualified domain name (FQDN) can be used in place of the IP address. E.g., I used the command below to check the status of a certificate I obtained from Let's Encrypt, a "certificate authority that launched on April 12, 2016 that provides free X.509 certificates for Transport Layer Security (TLS) encryption via an automated process designed to eliminate the current complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites." The server I checked functions as a POP3S server, i.e., POP3 over an implicit TLS connection on port 995, so that was the port I specified.

$ openssl s_client -connect pop3.moonpoint.com:995
CONNECTED(00000003)
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=support.moonpoint.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFbDCCBFSgAwIBAgISA0LlJ8LrKl5QWJNTuUFzBVR6MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjA2MTMwMDMxMDBaFw0x
NjA5MTEwMDMxMDBaMCAxHjAcBgNVBAMTFXN1cHBvcnQubW9vbnBvaW50LmNvbTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO2JzmsFeHvqt/VD1KjvYUss
0k4zfN2qLW5/nXcgoGMNdpKh/8kur3660SFNtdMAvCXZk33pfeS7FsgFTife5ZjD
Uprp4iP6OAA1zAxM/WJ4J9hd4RX3XdfOjumIbPZF7ubc4GHIiJvtDZH/VvNgG3oV
3G156ltvhR6pjuyfOouSMsAyF1/RjtGggWRKavM73LZ3tnSdXAa3LZ4wsQtKsGyo
U+AIJix81q+6fv2peQYYhYQ34i8+gNREaIE0GaeFo/2b1mLE+ds9OLxFy1aTcP4R
+NvbwiZHdpVXvsXJmhSek+CWwyBDOFDtmQS4kuw9GGG+hWUw/2Uo2LK2+ECGGecC
AwEAAaOCAnQwggJwMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUhCuG3XVreHE8ex2v
KXgFYQO5EIswHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYB
BQUHAQEEZDBiMC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2Vu
Y3J5cHQub3JnLzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNl
bmNyeXB0Lm9yZy8wfgYDVR0RBHcwdYISaW1hcC5tb29ucG9pbnQuY29tgg1tb29u
cG9pbnQuY29tghJwb3AzLm1vb25wb2ludC5jb22CEnNtdHAubW9vbnBvaW50LmNv
bYIVc3VwcG9ydC5tb29ucG9pbnQuY29tghF3d3cubW9vbnBvaW50LmNvbTCB/gYD
VR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUH
AgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyB
m1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVs
eWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2Vy
dGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3Jn
L3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQAuAersicmQ//mmDZp+TonL
YdopelHfChTiX+oI1vtcLO6h0TkEn1VPPC0aKkVwct3/ZxLmSJDkpllUuAkePauj
oY+J5ruEnX1cBmwyHzTaA6uM+DWPGc0EHPaxs5hRsAFTC9RSzVRikL4aTfhoDpUo
1ZHbfOI+8X8h8Y6LXPPjH2Z0zBzlUouBBCpMcNn4Bdpm/BqdNYGz2Sce43AQDOuh
zH33kJfeZMnAITP6O5rIaT021jPn2ZfXkbcne6+QF4j/R8iCmFCyt6fMjuD6dGad
H0A3o0RxmGimr3t7zA+IrGybjwvfwaJVCBEEd2txsrlpqBHbPnM6OtdS0Ca7k+dt
-----END CERTIFICATE-----
subject=/CN=support.moonpoint.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3268 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: B4BF64DA7C5405A704622F4DEDA01608486D155438C2F6A2ECD5C01D590D7DEA
    Session-ID-ctx: 
    Master-Key: 50A497DFBFCF75212A9B4B7E4FDFC03AC1D7EA64F6CC634616BB4A2E0DC8D45A
95F33B33AA671C8D173806071C04538F
    Key-Arg   : None
    Start Time: 1465783418
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK Dovecot ready.
QUIT
DONE
$

When the remote server, which runs the open-source Dovecot software, responded with "+OK Dovecot ready.", I typed QUIT and hit Enter, which returned me to the shell prompt. The DONE line is printed by s_client, not by the server: when s_client is used interactively, any input line that begins with Q closes the connection, so the QUIT command was never actually sent to the POP3 server. (The -ign_eof or -quiet option turns this interactive handling off if you need to send such commands through the tunnel.)

Two parts of the output deserve attention. First, the line "verify error:num=20:unable to get local issuer certificate" at depth=1 means the OpenSSL installation on the client did not have the issuer of the Let's Encrypt Authority X3 intermediate, DST Root CA X3, in its trusted store, so the chain could not be verified against a known root. Supplying a CA bundle with -CAfile or -CApath resolves that. Here the verify error lines and the final "Verify return code: 0 (ok)" disagree; when that happens, treat the verify error as authoritative and re-run the command with a trust store you control. Second, the subject CN is support.moonpoint.com rather than pop3.moonpoint.com. The certificate is nonetheless valid for the POP3 host because its Subject Alternative Name extension, which you can see by piping the output through openssl x509 -noout -text, lists pop3.moonpoint.com along with the imap, smtp, support and www names and the bare domain. s_client does not compare the host name you connected to against the certificate on its own; OpenSSL 1.0.2 and later provide the -verify_hostname option for that. Finally, the negotiated protocol and cipher (TLSv1 with DHE-RSA-AES256-SHA) reflect what the client build offers as much as what the server supports, so an old OpenSSL client that cannot speak TLS 1.1 or 1.2 will never show those versions regardless of the server's configuration.

For a Post Office Protocol version 3 (POP3) server, I could also connect to the standard POP3 port, TCP port 110, and have s_client issue the STARTTLS (STLS) command to upgrade the plaintext session before checking the certificate, using the command openssl s_client -connect pop3.moonpoint.com:110 -starttls pop3. E.g., against a different POP3 server (note that the host name connected to here, pop3.mail.com, differs from the CN in the certificate, pop.mail.com; s_client does not flag that, so whether the name is covered has to be checked in the certificate's Subject Alternative Name extension):

$ openssl s_client -connect pop3.mail.com:110 -starttls pop3
CONNECTED(00000003)
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Pennsylvania/L=Chesterbrook/O=1&1 Mail & Media Inc./CN=pop.mail.com
   i:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
 1 s:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=Pennsylvania/L=Chesterbrook/O=1&1 Mail & Media Inc./CN=pop.mail.com
issuer=/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 4515 bytes and written 462 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 22D441610C1A9440FEDFAFA72855D208D086CEBE3B80DB28799AB6870D91B7EC
    Session-ID-ctx: 
    Master-Key: 4C8B9FF56002F49EB505BBBFEB1D7258A25CA12E4CCA97F7A892F40FBB386941
F3C79DCF28D22ACCCD6EC6CD137FDB49
    Key-Arg   : None
    Start Time: 1465868919
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK POP server ready H migmxus003 0MQgmS-1b0Cwh38cn-00UCz6
QUIT
DONE
$

The arguments to the command have the following meaning:

s_client         This implements a generic SSL/TLS client which can establish
                 a transparent connection to a remote server speaking SSL/TLS.
                 It's intended for testing purposes only and provides only
                 rudimentary interface functionality but internally uses
                 mostly all functionality of the OpenSSL ssl library.

-connect host:port - who to connect to (default is localhost:4433)

-starttls prot - use the STARTTLS command before starting TLS
                 for those protocols that support it, where
                 'prot' defines which one to assume.  Currently,
                 only "smtp", "pop3", "imap", "ftp" and "xmpp"
                 are supported.

The list of -starttls protocols above comes from an older release; newer releases add others (e.g., ldap, nntp and sieve), so check the s_client man page for the version you have. For other options see the openssl man page.

A similar command can be used to check a Simple Mail Transfer Protocol (SMTP) server: connect to port 25 (or to the submission port, 587) and specify smtp as the STARTTLS protocol. E.g.:

$ openssl s_client -connect smtp.mail.com:25 -starttls smtp
CONNECTED(00000003)
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Pennsylvania/L=Chesterbrook/O=1&1 Mail & Media Inc./CN=smtp.mail.com
   i:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
 1 s:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIErzCCA5egAwIBAgIQHU09xWQDto3heSOj82RKPzANBgkqhkiG9w0BAQsFADBB
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMRswGQYDVQQDExJ0
aGF3dGUgU1NMIENBIC0gRzIwHhcNMTUwOTE1MDAwMDAwWhcNMTYxMDAzMjM1OTU5
WjBzMQswCQYDVQQGEwJVUzEVMBMGA1UECAwMUGVubnN5bHZhbmlhMRUwEwYDVQQH
DAxDaGVzdGVyYnJvb2sxHjAcBgNVBAoMFTEmMSBNYWlsICYgTWVkaWEgSW5jLjEW
MBQGA1UEAwwNc210cC5tYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALUHm+BGVHDd0lVidH9nl5fvN2pw4JR1BlO/lpp/3Py2trd6sn0q9Ki2
os4tEx9TVVhLQ/BZ/eKj0P56TMEb+jqCBqpTYwfp7Mgt+oxq0LgOKzijITyLFiXP
pNm7iVMKl4HwQWGKA95lTOOxxm4AqAsVbIfB+UiLdai9m9BmfUOiZ3hF+Uqv8dsj
W8ip+iYSVB59UsUlQCNZnI/8XF0Y89YRWEEnuvgo/p3N/knoqVEPNulx2Qdk5x0x
KGMIKkineAhVeU3wSgt4DRjBOwxhVsyuSZ7TqlTY1U+meOPdzPttilTt8i6FYhXM
mvbbMTGVy+umXcg0PT/EACLrjMGWIQsCAwEAAaOCAW8wggFrMBgGA1UdEQQRMA+C
DXNtdHAubWFpbC5jb20wCQYDVR0TBAIwADBuBgNVHSAEZzBlMGMGBmeBDAECAjBZ
MCYGCCsGAQUFBwIBFhpodHRwczovL3d3dy50aGF3dGUuY29tL2NwczAvBggrBgEF
BQcCAjAjDCFodHRwczovL3d3dy50aGF3dGUuY29tL3JlcG9zaXRvcnkwDgYDVR0P
AQH/BAQDAgWgMB8GA1UdIwQYMBaAFMJPSFf80U+awF04fQ4F29kutVJgMCsGA1Ud
HwQkMCIwIKAeoByGGmh0dHA6Ly90ai5zeW1jYi5jb20vdGouY3JsMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjBXBggrBgEFBQcBAQRLMEkwHwYIKwYBBQUH
MAGGE2h0dHA6Ly90ai5zeW1jZC5jb20wJgYIKwYBBQUHMAKGGmh0dHA6Ly90ai5z
eW1jYi5jb20vdGouY3J0MA0GCSqGSIb3DQEBCwUAA4IBAQCT6eRxtQFUE4oUrOnr
eY1giBw+ayE3BYPyHMtPDmzqqL7Xz7EaiD/HM95FZ48WWFlw0AlRBCTROUlVCP1i
iJouX3kskFkxsBqGyHTn1jd4BMPYKkGAea1pQqIzO84FXVxI1gBpKtMfNzEE6qu+
fgtL3ITF7u8qLwwEQPC1of2FW2jDttgUODG8hmNBq6R/3DoCXfR5JAn+lZ81yrN6
gwopS9groNLfkJED/lR3AqR+UKaBcwyU+TK48SpuIzNho57vuNCs+9Lf2zlQsz+X
b8vjkCZxq3X8nTuYPvGr83unM4W5sKqkJEqsOepW26fg7N154ATbmhZnyfh/Z3ol
dks3
-----END CERTIFICATE-----
subject=/C=US/ST=Pennsylvania/L=Chesterbrook/O=1&1 Mail & Media Inc./CN=smtp.mail.com
issuer=/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 4603 bytes and written 491 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 7A47C2F2A9120FBECED058512B0CFA36E421D6C647C0120633F70C79E257F99D
    Session-ID-ctx: 
    Master-Key: CE4E352B1B3CECB16A6C4BE262769931F5A775B0EBAFCE1E36D6BA0BA5B0A0CA
63079B65568F540C711100A11DCDBA30
    Key-Arg   : None
    Start Time: 1465869300
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 STARTTLS
QUIT
DONE

Again, typing QUIT (or any line beginning with Q) at that point closes the connection from the s_client side and returns you to the shell prompt; the server never receives a QUIT command. The "verify error:num=19:self signed certificate in certificate chain" seen with both mail.com servers means the server sent its root certificate in the chain and that root was not in the client's trusted store; as with the Let's Encrypt case, point s_client at a CA bundle with -CAfile or -CApath before drawing conclusions from the "Verify return code" line.
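The three checks above (POP3S on 995, POP3 with STARTTLS on 110, SMTP with STARTTLS on 25) can be scripted so that no interactive QUIT is needed and so that the chain is verified against a CA bundle rather than the client's default store. The script below is an added example and is not code from the original article. It assumes openssl, mktemp and a grep that supports -A are on the PATH; the CA_BUNDLE path is an assumed Debian-style location. The functions that contact a server need network access and are not run here; the offline checks are run against the server certificate captured in the POP3S session above, and they show why that certificate, whose CN is support.moonpoint.com, is nonetheless valid for pop3.moonpoint.com.

```shell
#!/bin/sh
# Added example, not code from the original article: non-interactive versions
# of the s_client checks shown above, plus offline checks on the certificate
# they return. Assumes openssl, mktemp and grep -A are available; CA_BUNDLE is
# an assumed path, adjust it for your OS. Network functions are not run here.
CA_BUNDLE=${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}

# Run s_client against HOST:PORT and print everything it produced. PROTO is
# "pop3", "imap" or "smtp" for STARTTLS on a plaintext port (110, 143, 25,
# 587); leave it empty for implicit TLS (995, 993, 465). Reading stdin from
# /dev/null makes s_client close the session on EOF, so nothing is typed and
# no line starting with Q is ever misread as s_client's own quit command.
s_client_out() {      # usage: s_client_out HOST PORT [PROTO]
    if [ -n "$3" ]; then
        set -- -connect "$1:$2" -servername "$1" -starttls "$3"
    else
        set -- -connect "$1:$2" -servername "$1"
    fi
    openssl s_client -CAfile "$CA_BUNDLE" "$@" </dev/null 2>&1
}

# Leaf certificate only, as PEM (openssl x509 takes the first PEM block).
fetch_mail_cert() {   # usage: fetch_mail_cert HOST PORT [PROTO] > leaf.pem
    s_client_out "$@" | openssl x509 -outform PEM
}

# Chain verification against CA_BUNDLE: with the roots supplied, the
# "unable to get local issuer certificate" and "self signed certificate in
# certificate chain" errors seen in the article disappear if the chain is
# sound, and the final code is then the one to act on.
verify_mail_chain() { # usage: verify_mail_chain HOST PORT [PROTO]
    s_client_out "$@" | grep -q '^ *Verify return code: 0 (ok)'
}

# Offline: subject, issuer, validity period and subjectAltName of a PEM file.
cert_summary() {      # usage: cert_summary leaf.pem
    openssl x509 -in "$1" -noout -subject -issuer -dates
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# Offline: true when HOST is listed in subjectAltName. The CN is ignored, as
# modern clients ignore it; the POP3S cert above has CN=support.moonpoint.com
# and is valid for pop3.moonpoint.com only because the SAN lists that name.
cert_covers_host() {  # usage: cert_covers_host leaf.pem HOST
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | grep -qE "DNS:${pat}(,| *\$)"
}

# Offline: true when the certificate is still valid SECONDS (default 0) from
# now; useful as a renewal alarm for 90-day Let's Encrypt certificates.
cert_valid_for() {    # usage: cert_valid_for leaf.pem [SECONDS]
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Input for the offline checks: the server certificate captured in the
# POP3S session above (copied from that output, not constructed).
PAGE_CERT=$(mktemp)
trap 'rm -f "$PAGE_CERT"' EXIT
cat >"$PAGE_CERT" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIFbDCCBFSgAwIBAgISA0LlJ8LrKl5QWJNTuUFzBVR6MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjA2MTMwMDMxMDBaFw0x
NjA5MTEwMDMxMDBaMCAxHjAcBgNVBAMTFXN1cHBvcnQubW9vbnBvaW50LmNvbTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO2JzmsFeHvqt/VD1KjvYUss
0k4zfN2qLW5/nXcgoGMNdpKh/8kur3660SFNtdMAvCXZk33pfeS7FsgFTife5ZjD
Uprp4iP6OAA1zAxM/WJ4J9hd4RX3XdfOjumIbPZF7ubc4GHIiJvtDZH/VvNgG3oV
3G156ltvhR6pjuyfOouSMsAyF1/RjtGggWRKavM73LZ3tnSdXAa3LZ4wsQtKsGyo
U+AIJix81q+6fv2peQYYhYQ34i8+gNREaIE0GaeFo/2b1mLE+ds9OLxFy1aTcP4R
+NvbwiZHdpVXvsXJmhSek+CWwyBDOFDtmQS4kuw9GGG+hWUw/2Uo2LK2+ECGGecC
AwEAAaOCAnQwggJwMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUhCuG3XVreHE8ex2v
KXgFYQO5EIswHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYB
BQUHAQEEZDBiMC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2Vu
Y3J5cHQub3JnLzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNl
bmNyeXB0Lm9yZy8wfgYDVR0RBHcwdYISaW1hcC5tb29ucG9pbnQuY29tgg1tb29u
cG9pbnQuY29tghJwb3AzLm1vb25wb2ludC5jb22CEnNtdHAubW9vbnBvaW50LmNv
bYIVc3VwcG9ydC5tb29ucG9pbnQuY29tghF3d3cubW9vbnBvaW50LmNvbTCB/gYD
VR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUH
AgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyB
m1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVs
eWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2Vy
dGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3Jn
L3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQAuAersicmQ//mmDZp+TonL
YdopelHfChTiX+oI1vtcLO6h0TkEn1VPPC0aKkVwct3/ZxLmSJDkpllUuAkePauj
oY+J5ruEnX1cBmwyHzTaA6uM+DWPGc0EHPaxs5hRsAFTC9RSzVRikL4aTfhoDpUo
1ZHbfOI+8X8h8Y6LXPPjH2Z0zBzlUouBBCpMcNn4Bdpm/BqdNYGz2Sce43AQDOuh
zH33kJfeZMnAITP6O5rIaT021jPn2ZfXkbcne6+QF4j/R8iCmFCyt6fMjuD6dGad
H0A3o0RxmGimr3t7zA+IrGybjwvfwaJVCBEEd2txsrlpqBHbPnM6OtdS0Ca7k+dt
-----END CERTIFICATE-----
EOF

cert_summary "$PAGE_CERT"
if cert_covers_host "$PAGE_CERT" pop3.moonpoint.com; then
    echo "subjectAltName covers pop3.moonpoint.com"
fi
if ! cert_valid_for "$PAGE_CERT" 2592000; then
    echo "certificate has expired or expires within 30 days"
fi
```

For a live check, run e.g. fetch_mail_cert pop3.moonpoint.com 995 > leaf.pem, fetch_mail_cert pop3.mail.com 110 pop3 or fetch_mail_cert smtp.mail.com 25 smtp, then cert_covers_host leaf.pem with the host name you connected to and verify_mail_chain with the same arguments. The SAN check deliberately ignores the CN, matching what mail clients do, and the -checkend window makes the script usable as a cron job that warns before a short-lived certificate lapses.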