SMTP

SMTP Overview

  • SMTP (Simple Mail Transfer Protocol) is used to send emails over IP networks.
  • Works client-server or server-to-server.
  • Default port is 25, but:
    • Port 587 is used for mail submission with STARTTLS.
    • Port 465 is used for SMTPS (SMTP over SSL).

Encryption & Security

  • Unencrypted by default — sends data, including authentication credentials, in plaintext.
  • Use STARTTLS or SMTPS (port 465) to encrypt the connection.
  • SMTP-Auth (ESMTP) allows client authentication and helps prevent open relay misuse.

Security Mechanisms

  • DKIM (DomainKeys Identified Mail) – Email validation using cryptographic signatures.
  • SPF (Sender Policy Framework) – Prevents sender address spoofing.
  • MTA (Mail Transfer Agent) – Main component that routes messages.
  • MSA (Mail Submission Agent) – Pre-processes email and checks origin.
  • MDA (Mail Delivery Agent) – Delivers to the correct recipient’s mailbox (POP3/IMAP).

Penetration Testing with SMTP

Enumeration using Telnet

  • You can interact directly with SMTP via Telnet:

    telnet <IP> 25
    HELO <domain>
    EHLO <domain>
  • User enumeration using VRFY:

    VRFY root
    252 2.0.0 root
  • Note: a 252 reply does not confirm that the user exists; a server may return 252 for every name as a catch-all response.

Send Email via Telnet

Example sequence:

EHLO domain.com
MAIL FROM: <sender@example.com>
RCPT TO: <recipient@example.com>
DATA
From: ...
To: ...
Subject: ...
[message body]
.
QUIT
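To show the exchange above from the server's side, here is a small server-side SMTP command state machine. It is an added example, not code from the original post: it replays the HELO/EHLO, MAIL FROM, RCPT TO, DATA and QUIT sequence, applies a relay decision (local domains are always accepted, relaying elsewhere only for trusted client networks, in the spirit of the mynetworks setting discussed below), answers VRFY/EXPN uniformly so the command reveals nothing, and handles the terminating `.` line and dot-stuffing. The server name, the local domain list, the trusted networks and the client addresses are constructed assumptions.

```python
# Added example (not from the original post): a minimal server-side SMTP
# command state machine. SERVER_NAME, LOCAL_DOMAINS, TRUSTED_NETS and all
# client IPs are constructed assumptions for this example.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

SERVER_NAME = "mail.example.com"                       # assumed hostname
LOCAL_DOMAINS = {"example.com"}                        # domains we deliver for (assumed)
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),   # clients allowed to relay outward
                ipaddress.ip_network("10.129.0.0/16")]


@dataclass
class Session:
    client_ip: str
    helo: Optional[str] = None
    sender: Optional[str] = None
    recipients: List[str] = field(default_factory=list)
    in_data: bool = False
    body: List[str] = field(default_factory=list)
    messages: list = field(default_factory=list)   # (sender, recipients, body) accepted so far


def _parse_path(arg: str, keyword: str) -> Optional[str]:
    """Extract the address from 'FROM: <a@b>' or 'TO:<a@b>'; None on a syntax error."""
    arg = arg.strip()
    if not arg.upper().startswith(keyword + ":"):
        return None
    rest = arg[len(keyword) + 1:].strip()
    if rest.startswith("<") and rest.endswith(">"):
        rest = rest[1:-1]
    return rest   # may be "" for the null reverse-path MAIL FROM:<>


def _relay_allowed(session: Session, rcpt: str) -> bool:
    """Accept mail for our own domains; relay to other domains only for trusted clients."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return True
    ip = ipaddress.ip_address(session.client_ip)
    return any(ip in net for net in TRUSTED_NETS)


def handle_line(session: Session, line: str) -> Optional[str]:
    """Process one client line; return the server reply, or None while reading DATA."""
    if session.in_data:
        if line == ".":                                 # end of message: <CRLF>.<CRLF>
            session.in_data = False
            session.messages.append((session.sender, list(session.recipients), "\n".join(session.body)))
            session.sender, session.recipients, session.body = None, [], []
            return "250 2.0.0 Ok: queued"
        # dot-unstuffing: a body line that really begins with "." was sent as ".."
        session.body.append(line[1:] if line.startswith(".") else line)
        return None
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb in ("HELO", "EHLO"):
        session.helo = arg.strip()
        if verb == "HELO":
            return f"250 {SERVER_NAME} Hello {session.helo}"
        # EHLO gets a multi-line reply advertising extensions, STARTTLS among them
        return f"250-{SERVER_NAME} Hello {session.helo}\r\n250-SIZE 10240000\r\n250 STARTTLS"
    if verb == "MAIL":
        if session.helo is None:
            return "503 5.5.1 Error: send HELO/EHLO first"
        addr = _parse_path(arg, "FROM")
        if addr is None:
            return "501 5.5.4 Syntax: MAIL FROM:<address>"
        session.sender = addr
        return "250 2.1.0 Ok"
    if verb == "RCPT":
        if session.sender is None:
            return "503 5.5.1 Error: need MAIL command"
        addr = _parse_path(arg, "TO")
        if not addr:
            return "501 5.5.4 Syntax: RCPT TO:<address>"
        if not _relay_allowed(session, addr):
            return f"454 4.7.1 <{addr}>: Relay access denied"
        session.recipients.append(addr)
        return "250 2.1.5 Ok"
    if verb == "DATA":
        if not session.recipients:
            return "503 5.5.1 Error: need RCPT command"
        session.in_data = True
        return "354 End data with <CR><LF>.<CR><LF>"
    if verb in ("VRFY", "EXPN"):
        # Identical reply for every name, so the command leaks nothing about which users exist.
        return f"252 2.0.0 {arg.strip()}"
    if verb == "NOOP":
        return "250 2.0.0 Ok"
    if verb == "RSET":
        session.sender, session.recipients, session.body = None, [], []
        return "250 2.0.0 Ok"
    if verb == "QUIT":
        return "221 2.0.0 Bye"
    return "502 5.5.2 Error: command not recognized"


def run_script(session: Session, lines) -> List[str]:
    """Feed a whole client script through the state machine and collect the replies."""
    return [r for r in (handle_line(session, l) for l in lines) if r is not None]
```

Running the sequence from the post through `run_script` from a trusted address yields 250, 250, 250, 354, 250 and 221; the same RCPT TO for a foreign domain from an untrusted address is answered with 454 instead, which is the check an open relay lacks.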

Default SMTP Configuration (Postfix)

Example config values:

  • myhostname = mail1.inlanefreight.htb
  • inet_protocols = ipv4
  • mynetworks = 127.0.0.0/8 10.129.0.0/16 — Trusts only specific subnets.
  • smtpd_helo_restrictions = reject_invalid_hostname — Basic anti-spam.
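The following is an added example, not part of the original post: a small parser for Postfix `main.cf` lines plus an audit that flags the settings behind the weaknesses discussed here (a `mynetworks` that trusts everyone, relay restrictions that never reject foreign destinations, VRFY left enabled, no STARTTLS). The parameter names (`mynetworks`, `smtpd_relay_restrictions`, `disable_vrfy_command`, `smtpd_tls_security_level`) are real Postfix parameters; both configuration fragments and their values are constructed for the example, the weak one beside a hardened one built from the values on this page.

```python
# Added example (not from the original post): parse Postfix main.cf and
# flag relay/enumeration/encryption weaknesses. Both configs are constructed.
from typing import Dict, List

WEAK_MAIN_CF = """\
myhostname = mail1.inlanefreight.htb
inet_protocols = ipv4
# trusts every client on the Internet
mynetworks = 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks
    permit_sasl_authenticated
smtpd_tls_security_level = none
"""

HARDENED_MAIN_CF = """\
myhostname = mail1.inlanefreight.htb
inet_protocols = ipv4
mynetworks = 127.0.0.0/8 10.129.0.0/16
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_relay_restrictions = permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
disable_vrfy_command = yes
smtpd_tls_security_level = may
"""


def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; an indented line continues the previous value."""
    params: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current is not None:
            params[current] += " " + line.strip()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        current = key.strip()
        params[current] = value.strip()
    return params


def audit_main_cf(params: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings: List[str] = []
    nets = params.get("mynetworks", "").replace(",", " ").split()
    if "0.0.0.0/0" in nets:
        findings.append("mynetworks trusts every address: any client may relay (open relay)")
    # Only an explicit setting is judged: Postfix's own default already
    # contains defer_unauth_destination, so a missing parameter is fine.
    relay = params.get("smtpd_relay_restrictions")
    if relay is not None and not ({"reject_unauth_destination", "defer_unauth_destination"} & set(relay.split())):
        findings.append("smtpd_relay_restrictions never rejects relaying to foreign domains")
    if params.get("disable_vrfy_command", "no").lower() != "yes":
        findings.append("VRFY is enabled (disable_vrfy_command is not 'yes')")
    if params.get("smtpd_tls_security_level", "none").lower() == "none":
        findings.append("STARTTLS not offered (smtpd_tls_security_level is 'none')")
    return findings


if __name__ == "__main__":
    for name, cf in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(name, audit_main_cf(parse_main_cf(cf)) or ["no findings"])
```

The weak fragment produces four findings and the hardened one none; feeding a real `/etc/postfix/main.cf` into `parse_main_cf` works the same way, with the caveat that it reads only the file itself, not values set via `postconf` overrides or `master.cf`.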

SMTP Weaknesses

  1. No guaranteed delivery confirmation.
  2. Lack of sender authentication can lead to:
    • Mail spoofing
    • Open relay abuse (spammers using your server)

Email Header

  • Contains metadata: sender, recipient, routing info, timestamps.
  • Visible to both sender and recipient (via email client UI or raw view).
  • Useful in forensics and tracking spoofed or malicious emails.
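As an added example of the forensic use described above (not code from the original post), the block below parses a raw header block with the standard `email` module, rebuilds the routing path from the `Received:` chain (earliest hop first, with HELO name, reverse DNS, IP and timestamp), and runs a few first-pass spoofing checks: Return-Path domain against the From domain, SPF/DKIM/DMARC verdicts in `Authentication-Results`, and RFC 1918 addresses in the chain. The message, its hostnames, IDs, addresses and timestamps are all constructed for the example.

```python
# Added example (not from the original post): header forensics on a
# constructed message. Hostnames, queue IDs, addresses and times are made up.
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.com (mx.example.com [192.0.2.10])
    by mail1.inlanefreight.htb with ESMTPS id q1w2e3;
    Sun, 20 Apr 2025 10:05:02 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx.example.com with ESMTP id r4t5y6;
    Sun, 20 Apr 2025 10:04:59 +0000
Received: from WIN-DESKTOP (unknown [10.129.5.23])
    by relay.example.net with SMTP;
    Sun, 20 Apr 2025 10:04:55 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: "IT Helpdesk" <helpdesk@inlanefreight.htb>
To: user@inlanefreight.htb
Subject: Password reset required
Date: Sun, 20 Apr 2025 10:04:50 +0000

Please reset your password at the link below.
"""

# "from <helo> (<rdns> [<ip>])" as written by most MTAs
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)", re.I)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def trace_route(raw: str):
    """Return the Received chain as hops, earliest (closest to the sender) first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m = RECEIVED_RE.search(value)
        when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip()) if ";" in value else None
        hops.append({
            "helo": m.group("helo") if m else None,
            "rdns": m.group("rdns") if m else None,
            "ip": m.group("ip") if m else None,
            "when": when,
        })
    hops.reverse()   # each MTA prepends its header, so the last one is the first hop
    return hops


def spoof_indicators(raw: str):
    """Cheap header checks an analyst runs first; returns human-readable findings."""
    msg = message_from_string(raw)
    findings = []
    from_dom = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rsplit("@", 1)[-1].lower()
    if rp_dom and from_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth, re.I)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech}={m.group(1).lower()}")
    for hop in trace_route(raw):
        if not hop["ip"]:
            continue
        try:
            ip = ipaddress.ip_address(hop["ip"])
        except ValueError:
            continue
        if any(ip in net for net in RFC1918):
            findings.append(f"RFC1918 address in Received chain: {ip}")
    return findings


if __name__ == "__main__":
    for hop in trace_route(RAW_MESSAGE):
        print(hop["when"], hop["ip"], hop["helo"], hop["rdns"])
    print(spoof_indicators(RAW_MESSAGE))
```

On the constructed message the route reads 10.129.5.23 (a Windows-looking HELO with no reverse DNS), then 198.51.100.7, then 192.0.2.10, and the indicators list the Return-Path/From mismatch, `spf=fail`, `dkim=none` and the internal address in the first hop. Timestamps come from each MTA's own clock, so small inversions between hops are normal and are not treated as findings here.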

Summary of SMTP Commands

| Command | Description | Security Notes |
|---|---|---|
| EHLO/HELO | Initiate SMTP session | Modern servers prefer EHLO |
| MAIL FROM | Specify sender address | Often spoofed in spam/phishing |
| RCPT TO | Specify recipient address | Can enumerate valid users |
| DATA | Begin email content transmission | Ends with CRLF.CRLF |
| QUIT | Gracefully terminate connection | |
| VRFY | Verify if user exists (disabled) | ❗ Common attack vector |
| EXPN | Expand mailing list (disabled) | ❗ Information disclosure risk |
| NOOP | Keep connection alive | Used to bypass timeouts |
| RSET | Abort current transaction | Doesn’t close connection |
| STARTTLS | Upgrade to encrypted connection | Essential for security |

Pro Tips

  • Always check if VRFY is enabled—it’s useful for user enumeration.
  • Use telnet, netcat, or openssl s_client to manually test SMTP communication.
  • Watch for open relays (misconfigured servers that allow unauthenticated sending).
  • Use headers for recon—internal IPs, software, time stamps.
Source: https://fuwari.vercel.app/posts/smtp/
Author: Ranjung Yeshi Norbu
Published: 2025-04-20