Skip to content
Indus LeveL
smtp pop3s cisco esa syslog linux sysadmin troubleshooting

Troubleshooting Enterprise Email: SMTP, POP3S, and ESA Syslog Auditing

An expert sysadmin guide to manual SMTP debugging via Telnet, troubleshooting POP3S SSL TLS handshakes via OpenSSL, and parsing Cisco ESA syslogs for spam audits.

2 min read
Cover illustration representing enterprise email troubleshooting, SMTP telnet debugging, POP3S OpenSSL handshakes, and Cisco ESA syslog auditing

When managing enterprise email infrastructure, identifying why outgoing messages bounce or why mail clients fail to establish secure SSL/TLS connections requires low-level protocol troubleshooting.

In this guide, I will walk you through three essential sysadmin forensic techniques: manual SMTP transaction debugging via telnet, troubleshooting POP3S SSL/TLS handshakes to Microsoft Exchange using OpenSSL s_client, and parsing Cisco Email Security Appliance (ESA) syslogs to generate automated spam audit reports.

Prerequisites

You will need a Linux administrative control node with standard networking utilities (telnet, openssl), alongside access to centralized Cisco ESA syslogs (/syslog/ESA/).


Step 1: Manual SMTP Transaction Debugging via Telnet

When diagnosing mail delivery failures or testing mail transfer agent (MTA) relay permissions, executing an SMTP transaction manually through telnet allows you to observe exact server response codes.

telnet fmta.induslevel.com 25
Trying 198.51.100.25...
Connected to fmta.induslevel.com.
Escape character is '^]'.
220 fmta.induslevel.com ESMTP Postfix

Executing the SMTP Handshake

Execute the standard SMTP protocol commands to transmit a test message:

ehlo fmta.induslevel.com
mail from: wazeem@induslevel.com
rcpt to: shkhan@induslevel.com
data
Subject: Test email

Hello! This is a test email message sent from CLI with Telnet!
.
quit

Step 2: Troubleshooting POP3S SSL/TLS Handshakes via OpenSSL

When mail clients fail to authenticate with secure POP3 endpoints (port 995), telnet is unusable because it cannot negotiate SSL/TLS encryption. Use OpenSSL's s_client utility to initiate the cryptographic handshake and verify certificate trust chains.

1. Diagnosing Logon Failures

Connect to Microsoft Exchange / Office 365 POP3S and observe a failed authentication attempt:

openssl s_client -connect outlook.office365.com:995 -crlf -quiet
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
verify return:1
+OK The Microsoft Exchange POP3 service is ready.
user ipl.cs.otrs@innovative-pk.com
+OK
pass IncorrectPassword
-ERR Logon failure: unknown user name or bad password.

2. Verifying Successful Authentication

Re-initiate the session supplying correct credentials to verify successful mailbox access:

openssl s_client -connect outlook.office365.com:995 -crlf -quiet
+OK The Microsoft Exchange POP3 service is ready.
user wazeem@induslevel.com
+OK
pass CorrectPassword
+OK User successfully logged on.

Step 3: Forensic Cisco ESA Syslog Auditing (sable-tracker.sh)

When malicious senders attempt to spoof internal financial alerts (such as credit card statements), you can parse Cisco ESA syslogs to extract compromised source IPs, correlate target recipient addresses, and transmit audit reports automatically via mailx.

Create the forensic auditing script /usr/local/bin/sable-tracker.sh:

#!/bin/bash
# /usr/local/bin/sable-tracker.sh
# Forensic script to track and report credit card statement spoofing in Cisco ESA

LOGFILE="/syslog/ESA/east-esa_syslog10"
TEMP_CSV="/home/wazeem/sable.csv"
REPORT_CSV="/home/wazeem/sable-report.csv"

# 1. Extract all MIDs associated with credit card statement phishing attempts
cat $LOGFILE | grep 'Subject Account Statement For Credit Card' | awk '{print $8}' > $TEMP_CSV

# 2. Initialize CSV Report Header
echo "SourceIP,RecipientAddress,Status" > $REPORT_CSV

# 3. Loop through each MID to correlate Source IP, Recipient, and Action Status
for MID in $(cat $TEMP_CSV)
do
    # Find Ingress Target Recipient Address
    RecipientAddress=$(cat $LOGFILE | grep $MID | grep 'To: ' | awk '{print $14}')
    
    # Find Ingress ICID
    ICID=$(cat $LOGFILE | grep $MID | grep Start | awk '{print $11}')
    
    # Find Source IP of Ingress ICID
    SourceIP=$(cat $LOGFILE | grep $ICID | grep New | awk '{print $15}')
    
    # Find ESA Response Status (Delivered, Bounced, Dropped)
    Status=$(cat $LOGFILE | grep $MID | egrep "Response")
    
    # Append correlated data to CSV report
    echo "$SourceIP,$RecipientAddress,$Status" >> $REPORT_CSV
done

# 4. Transmit audit report via mailx
echo "Forensic email security audit report attached." | mailx -a $REPORT_CSV -s "Security Audit: Credit Card Statement Phishing Attempts" -r security-audit@induslevel.com security-audit@induslevel.com

References

Back to Blog
Share:

Follow along

Stay in the loop — new articles, thoughts, and updates.