Most people check SSL on their web server and call it done. But if you run your own mail server — or manage email for a company — the SMTP, IMAP, and POP3 connections are equally exposed. Email transmitted without encryption can be intercepted in transit, and an expired or misconfigured certificate on a mail server will cause email clients to throw errors or silently fall back to unencrypted connections.
Testing Email SSL/TLS on Windows
Windows
PowerShell / OpenSSL
Method 1: OpenSSL on Windows (Identical to Linux)
After installing OpenSSL (winget install ShiningLight.OpenSSL), the same openssl s_client commands work on Windows:
:: Test SMTP with STARTTLS
openssl s_client -connect mail.yourdomain.com:587 -starttls smtp
:: Test SMTP with direct TLS (port 465)
openssl s_client -connect mail.yourdomain.com:465
:: Test IMAP with STARTTLS
openssl s_client -connect mail.yourdomain.com:143 -starttls imap
:: Test IMAP with direct TLS (port 993)
openssl s_client -connect mail.yourdomain.com:993
:: Test POP3 with direct TLS (port 995)
openssl s_client -connect mail.yourdomain.com:995
Method 2: PowerShell SMTP TLS Test
# Test SMTP connection and TLS handshake via PowerShell
$smtp = "mail.yourdomain.com"
$port = 587
$tcp = New-Object System.Net.Sockets.TcpClient($smtp, $port)
$stream = $tcp.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.AutoFlush = $true
# Read greeting
$greeting = $reader.ReadLine()
Write-Host "Server: $greeting"
# Send EHLO
$writer.WriteLine("EHLO testclient")
Start-Sleep -Milliseconds 500
while ($stream.DataAvailable) { Write-Host $reader.ReadLine() }
# Send STARTTLS
$writer.WriteLine("STARTTLS")
$response = $reader.ReadLine()
Write-Host "STARTTLS response: $response"
# Upgrade to TLS
if ($response -match "^220") {
$ssl = New-Object System.Net.Security.SslStream($stream)
$ssl.AuthenticateAsClient($smtp)
Write-Host "TLS handshake succeeded"
Write-Host "Protocol: $($ssl.SslProtocol)"
Write-Host "Cipher: $($ssl.CipherAlgorithm)"
}
$tcp.Close()
Method 3: Telnet on Windows (Basic Connectivity)
:: Enable Telnet (Windows feature, disabled by default):
:: Control Panel → Programs → Turn Windows Features On or Off → check Telnet Client
:: OR via PowerShell:
Enable-WindowsOptionalFeature -Online -FeatureName TelnetClient
:: Test basic connectivity (no TLS):
telnet mail.yourdomain.com 25
telnet mail.yourdomain.com 587
:: After connecting, you should see the SMTP greeting. Type EHLO test to see capabilities.
Telnet won't test TLS directly — it can only verify TCP connectivity. Use OpenSSL on Windows for actual TLS testing. The PowerShell method above is the cleanest Windows-native approach for STARTTLS testing.
Testing Email SSL/TLS on macOS
macOS
Terminal
macOS includes LibreSSL in Terminal — the commands are identical to Linux. For STARTTLS support, install full OpenSSL via Homebrew:
# Install OpenSSL for STARTTLS support (macOS LibreSSL may lack -starttls flag)
brew install openssl
OPENSSL=/opt/homebrew/opt/openssl/bin/openssl
# Test SMTP with STARTTLS
$OPENSSL s_client -connect mail.yourdomain.com:587 -starttls smtp
# Test IMAP TLS
$OPENSSL s_client -connect mail.yourdomain.com:993
# Verify the certificate presented matches your mail domain
$OPENSSL s_client -connect mail.yourdomain.com:465 2>/dev/null | \
openssl x509 -noout -subject -dates
# Check which TLS version is negotiated
$OPENSSL s_client -connect mail.yourdomain.com:465 2>/dev/null | grep "Protocol"
macOS Mail.app uses the system TLS stack automatically. If you're debugging why Mail.app shows a certificate warning, check the certificate details by clicking the lock icon in the email connection error dialog, or check Console.app for Secure Transport errors.