How to test relays using telnet or openssl s_client?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Something seems off with your relay, and you want to know exactly what the server is doing before you send another email. Running a raw SMTP test from the command line cuts out every abstraction layer and shows you the actual conversation between your machine and the mail server.

There are two tools for this: telnet for plain connections, and openssl s_client for encrypted ones. Which one you reach for depends on whether the port uses TLS.

Plain connection with telnet (port 25)

Use this when you want to test a basic SMTP handshake with no encryption involved.

telnet mail.example.com 25

If the server is reachable, you'll get a greeting that looks like this:

220 mail.example.com ESMTP ready

That 220 means the server is alive and talking. From there, introduce yourself and walk through a delivery attempt:

EHLO yourdomain.com
MAIL FROM:<test@yourdomain.com>
RCPT TO:<recipient@example.com>
DATA
Subject: Test

Hello.
.
QUIT

Now each command gets a response code. 250 at every step means the server accepted it. A 550 on RCPT TO means the recipient was rejected (often because relaying isn't permitted for that address). A 421 anywhere means the server temporarily gave up, which is often a rate-limit or overload signal.

Encrypted connection with openssl (ports 465 and 587)

Port 465 uses implicit TLS, meaning encryption starts the moment you connect. Port 587 uses STARTTLS, meaning you connect in plain text and then upgrade. The commands are slightly different for each.

For port 465 (implicit TLS):

openssl s_client -connect mail.example.com:465

For port 587 (STARTTLS upgrade):

openssl s_client -starttls smtp -connect mail.example.com:587

After the TLS handshake completes, you'll see the same SMTP greeting and run the same EHLO, MAIL FROM, RCPT TO sequence as above. If TLS fails to establish, openssl will tell you why (expired certificate, mismatched hostname, unsupported protocol version). That's already useful information.

What to watch for at each step

  • No connection at all: the port is blocked, the server is down, or DNS isn't resolving correctly.
  • 220 greeting but EHLO fails: unusual, but can indicate a misconfigured banner or a strict hostname policy.
  • 550 on RCPT TO: the relay is rejecting that recipient. This is normal if the server doesn't allow open relaying, but if you're seeing it for your own domain it may point to an SPF or authentication problem.
  • 530 or 535: authentication required or failed. The server wants credentials before it'll accept mail.
  • 421: temporary problem, try again later. Worth noting when it appears and whether it's consistent.

Still the goal of this test is to find exactly where in the conversation the server says no. Once you know the step and the code, you know what to fix.

If you're reading SMTP response codes for the first time, our almanac has a walkthrough of full SMTP transcripts that puts all of this in context. And if something is broken right now, our SOS hotline is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get my exact test commands

My relay setup is: mail server hostname, port and TLS method, e.g. port 587 with STARTTLS, [what I'm testing, e.g. whether it relays for my domain or why a specific recipient is rejected]. Based on that, give me the exact telnet or openssl command to run, the responses I should expect at each step, and what it means if I see an error code like 550, 421, or 530.

Edit the yellow boxes, then send to the AI of your choice.