 | 1 | initial version |
From your comment it seems that you want to capture the connections from your internal clients to your internal relay server.
I guess the clients will be submitting email via port 587 or the deprecated port 25 and then emitting a STARTTLS command, or connecting to the deprecated implicit TLS port 465. Using these ports you can construct a capture filter for use with dumpcap on the relay server to capture the traffic, say into hourly files (using the -b option) and then post analyze the captures with tshark and a display filter and the -T fields option to output the TLS version numbers along with any other relevant info from the client conversation (e.g. IP).
