How to validate SMTP server's SSL/TLS certificate using java mail API?

Question

We are adding a functionality to send email through SMTP. Basically, when the user tries to add and save the SMTP server details through UI, I will need to validate the server's certificate. I could get the "sending mail" code done; there are enough number of examples :) However, I'm trying to see if there is any way to get the certificate details from the SMTP server and validate at client side using java mail API; I can see the Transport.connect() method implicitly validates the server certificate,but i'm trying to understand if there is any explicit way of doing it. In short, these are the 2 things i'm trying to achieve:

1) Get the SLL/TLS certificate from the server and prompt the user with relevant details(like, whether the certificate is valid). 2) If the certificate is not valid, provide the option to add it to the key store.

Any hints to get this done through java mail API would be appreciated.

Answer 1

You can use openssl to get server certificates for SSL/TLS or STARTTLS.

For SSL/TLS:

openssl s_client -connect smtp.gmail.com:465 -CApath /etc/ssl/ </dev/null

For STARTTLS:

openssl s_client -starttls smtp -crlf -connect smtp.gmail.com:587 -CApath /etc/ssl/ </dev/null

I don't know how to do this using the Java Mail API, but perhaps you can use an openssl wrapper for Java to execute the calls equivalent to the those in the command lines above.