See this post by koppor on serverfault.com:
http://serverfault.com/questions/521425/exim4-is-showing-a-tls-error-on-connection-gnutls-handshake
If that site or link goes away, here are the gory details:
apt-get install gnutls-bin to have gnutls-cli available. gnutls-cli -s -p 25 YOURSMTPHOST (starts a session with your mailserver) ehlo foo starttls Press CTRL+d (^d)
This one works as well:
Thanks to Dan Andreatta, and Skyhawk (for the edits):
http://serverfault.com/questions/131627/how-to-inspect-remote-smtp-servers-tls-certificate
Again, in case that goes away:
openssl s_client -connect mail.example.com:25 -starttls smtp or standard secure smtp openssl s_client -connect mail.example.com:465
If you need the dates of the cert expiry:
openssl s_client -connect mail.server.name:25 -starttls smtp | openssl x509 -noout -subject -dates; echo "" quit openssl s_client -connect mail.server.name:993 | openssl x509 -noout -subject -dates; echo "" quit openssl s_client -connect mail.server.name:995 | openssl x509 -noout -subject -dates; echo "" quit
Bonus: Check for website subject alternative name
openssl s_client -connect website.com:443 | openssl x509 -noout -ext subjectAltName ; echo "" quit