Archival Notice
This guide was written for legacy mail server administration and Cisco ESA AsyncOS syslog structures. Please note that modern enterprise mail providers (such as Microsoft 365) have largely deprecated basic POP3/SMTP authentication in favor of OAuth2. Please adapt authentication mechanisms and syslog parsing parameters to your active environment standards.
When managing enterprise email infrastructure, identifying why outgoing messages bounce or why mail clients fail to establish secure SSL/TLS connections requires low-level protocol troubleshooting.
In this guide, I will walk you through three essential sysadmin forensic techniques: manual SMTP transaction debugging via telnet, troubleshooting POP3S SSL/TLS handshakes to Microsoft Exchange using OpenSSL s_client, and parsing Cisco Email Security Appliance (ESA) syslogs to generate automated spam audit reports.
Prerequisites
You will need a Linux administrative control node with standard networking utilities (telnet, openssl), alongside access to centralized Cisco ESA syslogs (/syslog/ESA/).
Step 1: Manual SMTP Transaction Debugging via Telnet
When diagnosing mail delivery failures or testing mail transfer agent (MTA) relay permissions, executing an SMTP transaction manually through telnet allows you to observe exact server response codes.
telnet fmta.induslevel.com 25
Trying 198.51.100.25...
Connected to fmta.induslevel.com.
Escape character is '^]'.
220 fmta.induslevel.com ESMTP Postfix
Executing the SMTP Handshake
Execute the standard SMTP protocol commands to transmit a test message:
ehlo fmta.induslevel.com
mail from: wazeem@induslevel.com
rcpt to: shkhan@induslevel.com
data
Subject: Test email
Hello! This is a test email message sent from CLI with Telnet!
.
quit
Step 2: Troubleshooting POP3S SSL/TLS Handshakes via OpenSSL
When mail clients fail to authenticate with secure POP3 endpoints (port 995), telnet is unusable because it cannot negotiate SSL/TLS encryption. Use OpenSSL's s_client utility to initiate the cryptographic handshake and verify certificate trust chains.
1. Diagnosing Logon Failures
Connect to Microsoft Exchange / Office 365 POP3S and observe a failed authentication attempt:
openssl s_client -connect outlook.office365.com:995 -crlf -quiet
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
verify return:1
+OK The Microsoft Exchange POP3 service is ready.
user ipl.cs.otrs@innovative-pk.com
+OK
pass IncorrectPassword
-ERR Logon failure: unknown user name or bad password.
2. Verifying Successful Authentication
Re-initiate the session supplying correct credentials to verify successful mailbox access:
openssl s_client -connect outlook.office365.com:995 -crlf -quiet
+OK The Microsoft Exchange POP3 service is ready.
user wazeem@induslevel.com
+OK
pass CorrectPassword
+OK User successfully logged on.
Step 3: Forensic Cisco ESA Syslog Auditing (sable-tracker.sh)
When malicious senders attempt to spoof internal financial alerts (such as credit card statements), you can parse Cisco ESA syslogs to extract compromised source IPs, correlate target recipient addresses, and transmit audit reports automatically via mailx.
Create the forensic auditing script /usr/local/bin/sable-tracker.sh:
#!/bin/bash
# /usr/local/bin/sable-tracker.sh
# Forensic script to track and report credit card statement spoofing in Cisco ESA
LOGFILE="/syslog/ESA/east-esa_syslog10"
TEMP_CSV="/home/wazeem/sable.csv"
REPORT_CSV="/home/wazeem/sable-report.csv"
# 1. Extract all MIDs associated with credit card statement phishing attempts
cat $LOGFILE | grep 'Subject Account Statement For Credit Card' | awk '{print $8}' > $TEMP_CSV
# 2. Initialize CSV Report Header
echo "SourceIP,RecipientAddress,Status" > $REPORT_CSV
# 3. Loop through each MID to correlate Source IP, Recipient, and Action Status
for MID in $(cat $TEMP_CSV)
do
# Find Ingress Target Recipient Address
RecipientAddress=$(cat $LOGFILE | grep $MID | grep 'To: ' | awk '{print $14}')
# Find Ingress ICID
ICID=$(cat $LOGFILE | grep $MID | grep Start | awk '{print $11}')
# Find Source IP of Ingress ICID
SourceIP=$(cat $LOGFILE | grep $ICID | grep New | awk '{print $15}')
# Find ESA Response Status (Delivered, Bounced, Dropped)
Status=$(cat $LOGFILE | grep $MID | egrep "Response")
# Append correlated data to CSV report
echo "$SourceIP,$RecipientAddress,$Status" >> $REPORT_CSV
done
# 4. Transmit audit report via mailx
echo "Forensic email security audit report attached." | mailx -a $REPORT_CSV -s "Security Audit: Credit Card Statement Phishing Attempts" -r security-audit@induslevel.com security-audit@induslevel.com
Mail Forensics Active
By mastering manual protocol handshakes and automated syslog parsing, you can maintain absolute visibility into your enterprise mail infrastructure and resolve delivery anomalies instantly!