Xymon Mailing List Archive

SMTP+STARTTLS

list Jesper Jensen
Fri, 02 Jan 2026 15:28:53 +0000
Message-Id: <user-7eb8b6b00d7f@xymon.invalid>

Hi Adam

If you haven't tried it yet, try:

Test certificate on Port 587

This setup verifies SMTP functionality and the TLS certificate used by Postfix on port 587 (submission with STARTTLS).

1. Xymon SMTP + TLS certificate test (recommended)
analysis.cfg
SMTP mail.example.com 587 STARTTLS WARNDAYS=30


What this checks:

SMTP banner and protocol response

STARTTLS negotiation

TLS certificate validity

Certificate expiration (warning 30 days before expiry)

Hostname/FQDN match (CN / SAN)

Br. Jesper - DK

-----Original Message-----
From: Adam Thorn via Xymon <xymon@xymon.com>
Sent: 2 January 2026 13:27
To: xymon@xymon.com
Cc: Adam Thorn <user-f6b877930936@xymon.invalid>
Subject: [Xymon] Re: SMTP+STARTTLS

On 01/01/2026 19:55, Grant Taylor via Xymon wrote:
Hi,

Is there a way to have Xymon monitor the TLS certificate on SMTP while 
using SMTP's STARTTLS verb?

I'm already monitoring the certificate on SMTPS (SMTP with implicit 
TLS on port 465) but I'd like to also monitor the certificate on
SMTP+STARTTLS (SMTP with explicit TLS via STARTTLS verb on port 25).

I've got some weird systems where the ports aren't using the same 
daemon / config, as such I can't rely on both being the same.

I don't think the builtin SSL test can handle this: "man xymonnet" only refers to STARTTLS in the context of the ldap test.

You could write an extension script using openssl to get and parse the certificate, though:

$ echo | openssl  s_client -connect outlook.office.com:587 -starttls smtp 2>/dev/null

will print the certificate, and so you can e.g. get the expiry date via

$ echo  | openssl  s_client -connect outlook.office.com:587 -starttls smtp 2>/dev/null | openssl x509 -noout -dates

notBefore=Nov 10 00:00:00 2025 GMT
notAfter=Nov  9 23:59:59 2026 GMT

Adam
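
The extension script suggested above could look like the following. This is an added example, not code from the thread or from the Xymon project; it assumes GNU date, and the host, port, thresholds and the `smtptls` column name are placeholders.

```shell
#!/bin/sh
# Added example: Xymon client extension sketch for a STARTTLS certificate.
# Assumptions: GNU date (-d), openssl in PATH; HOST, PORT, the thresholds
# and the "smtptls" column name are placeholders chosen for illustration.
HOST="${HOST:-mail.example.com}"
PORT="${PORT:-25}"
WARN_DAYS="${WARN_DAYS:-30}"
CRIT_DAYS="${CRIT_DAYS:-7}"

# Print the leaf certificate's notAfter value, or nothing on failure.
fetch_not_after() {
    echo | openssl s_client -connect "$1:$2" -starttls smtp \
        -servername "$1" 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# secs_left NOT_AFTER [NOW_EPOCH]: seconds until expiry (negative if past).
secs_left() {
    [ -n "$1" ] || return 1   # GNU date treats "" as today, so reject it
    exp=$(date -u -d "$1" +%s 2>/dev/null) || return 1
    echo $(( exp - ${2:-$(date -u +%s)} ))
}

# cert_colour NOT_AFTER [NOW_EPOCH]: map remaining lifetime to a Xymon colour.
# A missing or unparseable date is red, so a failed STARTTLS handshake
# never shows up as healthy.
cert_colour() {
    secs=$(secs_left "$1" "$2") || { echo red; return 0; }
    if   [ "$secs" -le $(( CRIT_DAYS * 86400 )) ]; then echo red
    elif [ "$secs" -le $(( WARN_DAYS * 86400 )) ]; then echo yellow
    else echo green
    fi
}

report() {
    not_after=$(fetch_not_after "$HOST" "$PORT")
    colour=$(cert_colour "$not_after")
    $XYMON $XYMSRV "status $MACHINE.smtptls $colour $(date)
$HOST:$PORT STARTTLS certificate notAfter=${not_after:-unavailable}"
}

# Only report when run under Xymon, which exports XYMON, XYMSRV and MACHINE.
if [ -n "$XYMON" ] && [ -n "$XYMSRV" ]; then
    report
fi
```

This checks expiry only: `openssl s_client` does not abort on an untrusted chain or a hostname mismatch unless asked to, so those need a separate check.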