SMTPDebugSSL

SMTPDebugSSL enables specialized SSL/TLS debug output on a Domino server for the SMTP task. This makes it possible to trace STARTTLS negotiations, certificate checks, and handshake details.

Profile

Parameter: SMTPDebugSSL
Component: Server (SMTP listener and SMTP client)
Category: Logging / Debug (Mail / Router)
Available since: 9.0.x (per KB0029557)
Default: 0 (disabled)
Values: 0 off, 1 on
Prerequisite for visibility: Console log must be active (console_log_enabled=1)

Description

Whereas SMTPDebug/SMTPDebugIO show the SMTP protocol level, SMTPDebugSSL focuses on the TLS layer beneath the SMTP traffic. Example excerpt from the HCL KB:
    SMTP CITask EstablishSSLSession> Starting SSL server handshake
    SMTP CITask SSLEstablishSession> Enable SSL_LOAD_CERTIFICATE = TRUE
    SMTP CITask SSLEstablishSession> Enable SSL_ACCEPT_EXPIRED_CERTS = TRUE
    SMTP CITask SSLEstablishSession> Protocol Version: SSL_HSV_UNDETERMINED/Negotiated
    SMTP CITask EstablishSSLSession> Done with SSL handshake
Typically captured items include:
  • STARTTLS command and response (inbound and outbound),
  • negotiated TLS protocol version and cipher suite,
  • certificate checks (SSL_LOAD_CERTIFICATE, SSL_ACCEPT_EXPIRED_CERTS, SSL_ACCEPT_SITE_CERTS),
  • bytes per direction per handshake step,
  • errors in the SSL layer (codes such as SSLHandshakeNoDone, -5000).
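
An added example (not from the HCL KB or this page's sources) that groups SMTPDebugSSL lines of the shape quoted above into handshakes and reports the ones that never completed or that ran with expired certificates accepted. The names `parse_handshakes`, `findings` and `SAMPLE_LOG` are hypothetical; the sample lines beyond the KB excerpt, the line prefix, and the assumption that handshakes are not interleaved in the log are constructed for illustration.

```python
import re

# Line shape from the KB excerpt; any prefix before "SMTP" is assumed and skipped.
LINE_RE = re.compile(r"SMTP\s+\S+\s+\w+>\s*(.*)$")
FLAG_RE = re.compile(r"Enable\s+(SSL_\w+)\s*=\s*(TRUE|FALSE)")

# Constructed sample: the first handshake is the KB excerpt, the rest is made up.
SAMPLE_LOG = """\
SMTP CITask EstablishSSLSession> Starting SSL server handshake
SMTP CITask SSLEstablishSession> Enable SSL_LOAD_CERTIFICATE = TRUE
SMTP CITask SSLEstablishSession> Enable SSL_ACCEPT_EXPIRED_CERTS = TRUE
SMTP CITask SSLEstablishSession> Protocol Version: SSL_HSV_UNDETERMINED/Negotiated
SMTP CITask EstablishSSLSession> Done with SSL handshake
SMTP CITask EstablishSSLSession> Starting SSL server handshake
[constructed prefix] SMTP CITask EstablishSSLSession> Starting SSL server handshake
[constructed prefix] SMTP CITask SSLEstablishSession> Enable SSL_ACCEPT_EXPIRED_CERTS = FALSE
[constructed prefix] SMTP CITask EstablishSSLSession> Done with SSL handshake
"""

def parse_handshakes(text):
    # Assumption: handshakes are logged one after another, not interleaved.
    sessions, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        msg = m.group(1).strip()
        if msg.startswith("Starting SSL"):
            if current is not None:          # previous handshake never finished
                sessions.append(current)
            current = {"flags": {}, "protocol": None, "completed": False}
        elif current is None:
            continue                         # debug line outside any handshake
        elif msg.startswith("Done with SSL handshake"):
            current["completed"] = True
            sessions.append(current)
            current = None
        elif (f := FLAG_RE.match(msg)):
            current["flags"][f.group(1)] = f.group(2) == "TRUE"
        elif msg.startswith("Protocol Version:"):
            current["protocol"] = msg.split(":", 1)[1].strip()
    if current is not None:                  # log ended mid-handshake
        sessions.append(current)
    return sessions

def findings(session):
    out = [] if session["completed"] else ["handshake did not complete"]
    if session["flags"].get("SSL_ACCEPT_EXPIRED_CERTS"):
        out.append("expired certificates accepted")
    return out
```
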

Examples

Activation in notes.ini:
    SMTPDebugSSL=1
Dynamically at runtime:
    set config SMTPDebugSSL=1
    tell smtp quit
    load smtp
Deactivate:
    set config SMTPDebugSSL=0
    tell smtp quit
    load smtp

Notes

  • Enable console log – KB0029557 explicitly notes: "The console log must be enabled to view output from the above debugging parameters."
  • Affects both inbound and outbound – Unlike SMTPDebug (inbound) and SMTPClientDebug (outbound), SMTPDebugSSL logs the TLS layer in both directions.
  • Companion parameters – Analogous switches for other mail protocols:
    • POP3DebugSSL=1 for the POP3 task,
    • IMAPDebugSSL=1 for the IMAP task.
  • Privacy – Certificate details and connection metadata appear in the log; mail content is not included (that is what SMTPDebugIO is for).
  • Performance – On servers with high SMTP load, SMTPDebugSSL=1 produces a lot of log volume; enable it only during diagnostic windows.
  • Counterpart – For pure cipher/handshake questions, the general-level parameters DEBUG_SSL_HANDSHAKE and DEBUG_SSL_CIPHERS (HCL Wiki, Daniel Nashed) are a complementary option that covers all TLS-capable Domino tasks.

Sources (HCL Product Documentation)