SMTP Diagnostics: How to Test and Troubleshoot Your Mail Server

Complete SMTP server diagnostics: connection, TLS, open relay, response times, and troubleshooting.

SMTP: the protocol that moves emails

Simple Mail Transfer Protocol (SMTP) is the fundamental protocol for sending and transferring email over the Internet. Initially defined in RFC 821 in 1982, it has been updated multiple times up to the current RFC 5321. Despite its age, SMTP remains the universal protocol for email, supported by every mail server in the world. Understanding how it works is essential for diagnosing delivery issues and ensuring communication security.

An SMTP session is a text-based conversation between client and server. The client connects to port 25 (or 587 for submission), introduces itself with EHLO, the server responds with its capabilities, the client specifies the sender (MAIL FROM) and recipient (RCPT TO), sends the message (DATA), and closes the connection (QUIT). Every server response includes a three-digit numeric code: 2xx indicates success, 4xx a temporary error, 5xx a permanent error.

What SMTP Diagnostics tests

Example SMTP session
$ smtp-diag --server mail.esempio.com

[1/6] Connessione TCP porta 25... OK (23ms)
[2/6] Banner SMTP: 220 mail.esempio.com ESMTP Postfix
[3/6] EHLO... 250-STARTTLS, 250-AUTH, 250-SIZE 52428800
[4/6] STARTTLS... OK (TLS 1.3, ECDHE-RSA-AES256-GCM-SHA384)
[5/6] Open Relay Test... PASS (non è open relay)
[6/6] Response Time: 45ms avg

[RESULT] Server healthy, TLS attivo, non open relay

Our SMTP Diagnostics runs a comprehensive battery of tests on the mail server: it checks TCP reachability, reads the SMTP banner to identify the software, tests EHLO to enumerate supported capabilities, verifies STARTTLS support and the TLS version used, performs an open relay test, and measures response times for each phase of the connection.

STARTTLS and SMTP connection security

STARTTLS is an SMTP extension that allows upgrading a plaintext connection to an encrypted TLS connection. When a server supports STARTTLS, the client can request the upgrade before sending sensitive data. However, STARTTLS is opportunistic: if the command fails, many clients proceed in plaintext. This weakness enables a downgrade attack and can be mitigated with MTA-STS (check your policy with MTA-STS Lookup), which enforces mandatory TLS connections.

To verify the quality of your server's TLS configuration, our TLS Cipher Test analyzes the supported cipher suites and identifies weak ones. A modern SMTP server should support TLS 1.2 and 1.3, with ciphers that guarantee forward secrecy (ECDHE). TLS 1.0 and 1.1 protocols should be disabled on SMTP ports as well, not just on HTTPS.

Open relay: a risk not to be underestimated

A critical test is the open relay check. An SMTP server configured as an open relay accepts email from any sender to any recipient without authentication. Spammers scan the Internet looking for open relays to send millions of spam emails through other people's servers. The consequences are immediate: the server's IP gets blacklisted, legitimate emails are rejected, and the owner may face legal liability for the spam sent.

Regularly check that your server is not an open relay with our Open Relay Test. After every change to the SMTP configuration, rerun the test. Accidental causes of open relay include: overly permissive relay rules, network trust configured on too-broad IP ranges, and software updates that reset the configuration. Prevention is much simpler than blacklist removal after an incident.

If the test detects an open relay, fix the configuration immediately. On Postfix, check smtpd_relay_restrictions. On Exchange, check the Receive Connectors. After the fix, rerun the verification test and monitor blacklists for the next 24-48 hours to make sure the IP was not flagged in the meantime.
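To make the reply-code rules and the relay verdict concrete, the following added example (not part of SMTP Diagnostics or the original page) parses a recorded session, joins multi-line EHLO replies, and reports STARTTLS support and the relay result. The "C:"/"S:" transcript format, the function names, and all host names are assumptions made for this illustration.

```python
import re

# Constructed transcript, not captured from a real server. "C:" is the test
# client, "S:" the server; every host name and address is a placeholder.
SAMPLE = """\
S: 220 mail.example.com ESMTP
C: EHLO probe.example.net
S: 250-mail.example.com
S: 250-SIZE 52428800
S: 250-STARTTLS
S: 250 AUTH PLAIN LOGIN
C: MAIL FROM:<probe@outside.example>
S: 250 2.1.0 Ok
C: RCPT TO:<probe@elsewhere.example>
S: 554 5.7.1 Relay access denied
C: QUIT
S: 221 2.0.0 Bye
"""

REPLY = re.compile(r"^(\d{3})([ -]?)(.*)$")

def parse(transcript):
    """Return [(command, code, text_lines)], joining multi-line replies."""
    exchanges, command, lines = [], "CONNECT", []
    for raw in transcript.splitlines():
        side, _, body = raw.partition(": ")
        if side == "C":
            command = body.split()[0].upper()
            continue
        m = REPLY.match(body)
        if side != "S" or not m:
            raise ValueError(f"malformed line: {raw!r}")
        lines.append(m.group(3))
        if m.group(2) != "-":          # "250-" continues a reply, "250 " ends it
            exchanges.append((command, int(m.group(1)), lines))
            lines = []
    return exchanges

def assess(transcript):
    """Summarise STARTTLS support and the outcome of the relay probe."""
    ex = parse(transcript)
    # Capabilities are the EHLO reply lines after the first (greeting) line.
    caps = {l.split()[0].upper() for cmd, code, ls in ex
            if cmd == "EHLO" and code == 250 for l in ls[1:] if l.strip()}
    rcpt = [code // 100 for cmd, code, _ in ex if cmd == "RCPT"]
    # 2xx = relay accepted, 4xx = temporary error (retest), 5xx = refused.
    verdicts = {2: "accepted", 4: "inconclusive", 5: "rejected"}
    relay = verdicts.get(rcpt[-1], "inconclusive") if rcpt else "untested"
    return {"starttls": "STARTTLS" in caps, "relay": relay}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A 4xx reply to RCPT TO is reported as inconclusive rather than as a pass, because a temporary error does not show that relaying is refused; rerun the test in that case.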
