On 01/01/2026 19:55, Grant Taylor via Xymon wrote:
> Hi,
> Is there a way to have Xymon monitor the TLS certificate on SMTP while using SMTP's STARTTLS verb?
> I'm already monitoring the certificate on SMTPS (SMTP with implicit TLS on port 465) but I'd like to also monitor the certificate on SMTP+STARTTLS (SMTP with explicit TLS via STARTTLS verb on port 25).
> I've got some weird systems where the ports aren't using the same daemon / config, as such I can't rely on both being the same.
I don't think the builtin SSL test can handle this: "man xymonnet" only refers to STARTTLS in the context of the ldap test.
You could write an extension script using openssl to get and parse the certificate, though:
$ echo | openssl s_client -connect outlook.office.com:587 -starttls smtp 2>/dev/null
will print the certificate, and so you can e.g. get the expiry date via
$ echo | openssl s_client -connect outlook.office.com:587 -starttls smtp 2>/dev/null | openssl x509 -noout -dates
notBefore=Nov 10 00:00:00 2025 GMT
notAfter=Nov 9 23:59:59 2026 GMT
Adam
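
The extension script suggested above, sketched as an added example that is not part of the original message or of Xymon itself. It assumes GNU date; the thresholds, the "smtptls" column name and reporting under $MACHINE are placeholders, and the status line follows the usual `$XYMON $XYMSRV "status ..."` form used by Xymon extension scripts.

```shell
#!/bin/sh
# Added example (not from the thread): STARTTLS certificate expiry check.
# Assumes GNU date; thresholds and the "smtptls" column name are placeholders.
WARN_DAYS=30   # yellow below this many days left
CRIT_DAYS=7    # red below this many days left

# Fetch certificate dates over SMTP STARTTLS, as in the commands above.
fetch_dates() {  # $1 = host:port
    echo | openssl s_client -connect "$1" -starttls smtp 2>/dev/null |
        openssl x509 -noout -dates 2>/dev/null
}

# Whole days from $2 (epoch seconds) until the notAfter string in $1.
days_left() {
    end=$(date -u -d "$1" +%s 2>/dev/null) || return 1
    echo $(( (end - $2) / 86400 ))
}

color_for() {  # $1 = days left
    if [ "$1" -lt "$CRIT_DAYS" ]; then echo red
    elif [ "$1" -lt "$WARN_DAYS" ]; then echo yellow
    else echo green
    fi
}

# Print "<color> <message>". A failed handshake or unparsable date is red,
# so a broken STARTTLS listener never shows up as green.
check() {  # $1 = output of fetch_dates, $2 = now in epoch seconds
    na=$(printf '%s\n' "$1" | sed -n 's/^notAfter=//p')
    if [ -z "$na" ] || ! d=$(days_left "$na" "$2"); then
        echo "red no certificate retrieved over STARTTLS"
        return 0
    fi
    echo "$(color_for "$d") certificate expires in $d days ($na)"
}

# Usage: script host:port. Reports to Xymon when its environment is set,
# otherwise prints the result.
if [ -n "${1:-}" ]; then
    result=$(check "$(fetch_dates "$1")" "$(date +%s)")
    if [ -n "${XYMON:-}" ] && [ -n "${XYMSRV:-}" ]; then
        "$XYMON" "$XYMSRV" "status ${MACHINE}.smtptls ${result%% *} $(date)
${result#* }"
    else
        echo "$result"
    fi
fi
```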