{"id":15722768,"url":"https://github.com/jbouwh/smtp-starttls-ciphers","last_synced_at":"2026-07-04T06:32:14.792Z","repository":{"id":113343339,"uuid":"402423687","full_name":"jbouwh/smtp-starttls-ciphers","owner":"jbouwh","description":"Script to test the MTA ciphers supported","archived":false,"fork":false,"pushed_at":"2021-10-06T15:55:12.000Z","size":46,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-31T00:15:19.868Z","etag":null,"topics":["ciphers","openssl","smtp","tls13-support"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jbouwh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-09-02T13:06:49.000Z","updated_at":"2021-10-06T15:55:14.000Z","dependencies_parsed_at":null,"dependency_job_id":"90d09a01-1496-4c9c-8b25-3966b81b3f73","html_url":"https://github.com/jbouwh/smtp-starttls-ciphers","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/jbouwh/smtp-starttls-ciphers","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jbouwh%2Fsmtp-starttls-ciphers","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jbouwh%2Fsmtp-starttls-ciphers/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jbouwh%2Fsmtp-starttls-ciphers/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jbouwh%2Fsmtp-starttls-ciphers/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jbouwh","download_url":"https://codeload.github.com/jbouwh/smtp-starttls-ciphers/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jbouwh%2Fsmtp-starttls-ciphers/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35112704,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-04T02:00:05.987Z","response_time":113,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ciphers","openssl","smtp","tls13-support"],"created_at":"2024-10-03T22:09:16.638Z","updated_at":"2026-07-04T06:32:14.774Z","avatar_url":"https://github.com/jbouwh.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# smtp-starttls-ciphers\nBASH script to test the MTA ciphers supported based on the [NCSC security guidelines for TLS](https://www.ncsc.nl/documenten/publicaties/2021/januari/19/ict-beveiligingsrichtlijnen-voor-transport-layer-security-2.1) (Dutch)\n\nRequires a linux environment with openssl and tls 1.3 support. WSL on Windows is also supported.\n\nThis script is only intended to ensure the correct ciphers are available. This scripts does not test the protocols SSL2/SSL3 or the correct sequence of the cipers.\nA good way for cipher and protocol complicancy is using the mail test at [internet.nl](https://internet.nl).\n\nThe following ciphers are tested (note that TLS 1.3 is only tested generally):\n\n#### GOOD:\n\n- ECDHE-ECDSA-AES256-GCM-SHA384 (TLS_AES_256_GCM_SHA384 in 1.3) [1.2]\n- ECDHE-ECDSA-CHACHA20-POLY1305 (TLS_CHACHA20_POLY1305_SHA256 in 1.3) [1.2]\n- ECDHE-ECDSA-AES128-GCM-SHA256 (TLS_AES_128_GCM_SHA256 in 1.3) [1.2]\n- ECDHE-RSA-AES256-GCM-SHA384 (TLS_AES_256_GCM_SHA384 in 1.3) [1.2]\n- ECDHE-RSA-CHACHA20-POLY1305 (TLS_CHACHA20_POLY1305_SHA256 in 1.3) [1.2]\n- ECDHE-RSA-AES128-GCM-SHA256 (TLS_AES_128_GCM_SHA256 in 1.3) [1.2]\n\n#### SUFFIENT:\n\n- ECDHE-ECDSA-AES256-SHA384 [1.2]\n- ECDHE-ECDSA-AES256-SHA [1.0]\n- ECDHE-ECDSA-AES128-SHA256 [1.2]\n- ECDHE-ECDSA-AES128-SHA [1.0]\n- ECDHE-RSA-AES256-SHA384 [1.2]\n- ECDHE-RSA-AES256-SHA [1.0]\n- ECDHE-RSA-AES128-SHA256 [1.2]\n- ECDHE-RSA-AES128-SHA [1.0]\n- DHE-RSA-AES256-GCM-SHA384 [1.2]\n- DHE-RSA-CHACHA20-POLY1305 [1.2]\n- DHE-RSA-AES128-GCM-SHA256 [1.2]\n- DHE-RSA-AES256-SHA256 [1.2]\n- DHE-RSA-AES256-SHA [1.0]\n- DHE-RSA-AES128-SHA256 [1.2]\n- DHE-RSA-AES128-SHA [1.0]\n\n#### FASE OUT:\n\n- ECDHE-ECDSA-DES-CBC3-SHA [1.0]\n- ECDHE-RSA-DES-CBC3-SHA [1.0]\n- DHE-RSA-DES-CBC3-SHA [1.0]\n- AES256-GCM-SHA384 [1.2]\n- AES128-GCM-SHA256 [1.2]\n- AES256-SHA256 [1.2]\n- AES256-SHA [1.0]\n- AES128-SHA256 [1.2]\n- AES128-SHA [1.0]\n- DES-CBC3-SHA [1.0]\n\n## Install\n- Copy the the `starttls-ciphers` script to your system.\n- Make sure the script is executable: `chmod +x starttls-ciphers`\n\n## Usage\n- Determine the hostname or IP address of MTA you want to test, e.g.: `dig -t mx example.com` or `nslookup -type=mx example.com`\n- Pick the host with the lowest order number: `mx.example.com`\n- You can also use the `getmx` script to get the preferred MTA\n- Run the script in the current dir (as user): `./starttls-ciphers mx.example.com` or use `getmx` and run `./starttls-ciphers \\`./getmx example.com\\``\n- If you would like the output in CSV, add the `-csv` as second attribute: : `./starttls-ciphers mx.example.com -csv`\n- You should get a result like below:\n\n![image](https://user-images.githubusercontent.com/7188918/131850223-0a237cc9-b7a5-46cd-9a98-f3e8c66be8b1.png)\n\n## Docker support\nA Dockerfile is added to be able to use the tools from a Docker container.\n\nA public build is available for the x64 platform:\n- docker pull jbouwh/openssl-test\n\nTo build on another platform (takes some time):\n- docker build . -t jbouwh/openssl-test\n\nTo use (interactive shell):\n- docker run -it --rm jbouwh/openssl-test\n\nTo use (directly):\n- docker run -it --rm jbouwh/openssl-test starttls-ciphers \\`getmx example.com\\`\n\n###  dane-check\n\nA bonus is the `dane-check` script that verifies the DANE setup for MTA.\n\nUse the command in the form `./dane-check smtp.example.com` to validate DANE.\n\n\u003e Note that only TLS 1.2 or TLS 1.3 are advised protocols to use regardless of the used ciphers.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjbouwh%2Fsmtp-starttls-ciphers","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjbouwh%2Fsmtp-starttls-ciphers","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjbouwh%2Fsmtp-starttls-ciphers/lists"}