The Simple Mail Transfer Protocol (SMTP) is used to send emails over an IP network. It can work between an email client and a mail server or between two SMTP servers. SMTP is often used with IMAP or POP3, which handle receiving and managing emails. Although SMTP is primarily a client-server protocol, a server can also act as a client in certain situations.

Default ports: 25 (plain/STARTTLS), 465 (implicit SSL/TLS), 587 (submission, STARTTLS)

Banner grabbing

nc -nv $IP 25
 
openssl s_client -crlf -connect $IP:465              # implicit SSL/TLS, no STARTTLS command
openssl s_client -starttls smtp -crlf -connect $IP:587  # plain connection upgraded with STARTTLS

Nmap

Nmap is a network scanner created by Gordon Lyon. It is used to discover hosts and services on a computer network by sending packets and analyzing the responses.

Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.

# Default NSE
sudo nmap -sCV -p25 $IP
 
# Check if SMTP is vulnerable to mail relaying.
sudo nmap --script=smtp-open-relay -p25 $IP -v

SMTP commands

To interact with the SMTP server manually, open a TCP connection with telnet (or nc / openssl as above) and type the commands below; the server answers each one with a three-digit reply code.

| Command | Description |
|---|---|
| AUTH PLAIN | Authenticates the client. |
| HELO | Starts the session by identifying the client with its host name. |
| MAIL FROM | Specifies the email sender. |
| RCPT TO | Specifies the email recipient. |
| DATA | Begins sending the email. |
| RSET | Cancels the current email transmission but keeps the connection open. |
| VRFY | Checks if a mailbox exists. |
| EXPN | Also checks if a mailbox exists (similar to VRFY). |
| NOOP | Keeps the connection alive by requesting a response. |
| QUIT | Ends the session. |
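The following is an added example, not code from the original note: a small server-side model of the command sequence in the table, written in Python so the exchange can be stepped through offline. It tracks the envelope state (HELO before MAIL, MAIL before RCPT, RCPT before DATA, RSET clearing everything), answers with standard reply codes, and shows two hardening details a real MTA applies: VRFY/EXPN answer 252/502 instead of confirming mailboxes, and RCPT TO a non-local domain is refused with 554 unless the client authenticated (so the host is not an open relay). The domain `example.test`, the account `alice` and its password are constructed values.

```python
import base64
import hmac

LOCAL_DOMAIN = "example.test"                  # constructed: only domain this host accepts mail for
CREDENTIALS = {"alice": "constructed-secret"}  # constructed test account for AUTH PLAIN


def plain_auth_blob(user, password):
    """Client side: encode credentials as the AUTH PLAIN initial response (\\0user\\0pass)."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()


def _address(arg, prefix):
    """Extract the address from 'FROM:<a@b>' / 'TO:<a@b>'; None if malformed."""
    if not arg.upper().startswith(prefix):
        return None
    return arg[len(prefix):].strip().strip("<>").strip()


class SmtpSession:
    """Server-side state for one SMTP connection; handle() returns the reply line."""

    def __init__(self):
        self.greeted = False
        self.authenticated = False
        self.in_data = False
        self.messages = []      # (sender, recipients, body) accepted so far
        self._reset_envelope()

    def _reset_envelope(self):
        self.mail_from = None
        self.rcpts = []
        self.body = []

    def handle(self, line):
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            return "250 mail.%s Hello %s" % (LOCAL_DOMAIN, arg or "unknown")
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "MAIL":
            if not self.greeted:
                return "503 5.5.1 Error: send HELO/EHLO first"
            sender = _address(arg, "FROM:")
            if sender is None:
                return "501 5.5.4 Syntax: MAIL FROM:<address>"
            self.mail_from, self.rcpts = sender, []
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Error: need MAIL command"
            rcpt = _address(arg, "TO:")
            if rcpt is None or "@" not in rcpt:
                return "501 5.5.4 Syntax: RCPT TO:<address>"
            # Relay control: local delivery for anyone, relaying only for authenticated clients
            if rcpt.rsplit("@", 1)[1].lower() != LOCAL_DOMAIN and not self.authenticated:
                return "554 5.7.1 <%s>: Relay access denied" % rcpt
            self.rcpts.append(rcpt)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._reset_envelope()
            return "250 2.0.0 Ok"
        if verb == "VRFY":   # do not confirm or deny mailboxes (prevents user enumeration)
            return "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery"
        if verb == "EXPN":
            return "502 5.5.1 EXPN not implemented"
        if verb == "NOOP":
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Error: command not recognized"

    def _auth(self, arg):
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN" or not blob:
            return "504 5.5.4 Unrecognized authentication type"
        try:
            parts = base64.b64decode(blob, validate=True).split(b"\0")
        except ValueError:
            return "501 5.5.2 Cannot decode response"
        if len(parts) != 3:
            return "501 5.5.2 Malformed PLAIN response"
        user, password = parts[1].decode(), parts[2].decode()
        expected = CREDENTIALS.get(user, "")
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            self.authenticated = True
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"

    def _data_line(self, line):
        if line == ".":
            self.in_data = False
            self.messages.append((self.mail_from, list(self.rcpts), "\n".join(self.body)))
            self._reset_envelope()
            return "250 2.0.0 Ok: queued"
        # RFC 5321 dot-stuffing: a body line starting with ".." carries a single leading "."
        self.body.append(line[1:] if line.startswith("..") else line)
        return ""


if __name__ == "__main__":
    s = SmtpSession()
    for cmd in ("EHLO client.test", "MAIL FROM:<bob@example.test>", "RCPT TO:<eve@other.test>",
                "RCPT TO:<alice@example.test>", "DATA", "Subject: hi", ".", "VRFY alice", "QUIT"):
        print("C: %s\nS: %s" % (cmd, s.handle(cmd)))
```

Running the script prints the dialogue; the RCPT to `other.test` is rejected with 554 while the local recipient is accepted, which is exactly the behaviour the smtp-open-relay Nmap script above probes for.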

Metasploit Framework

Metasploit Framework is an open source platform that supports vulnerability research, exploit development, and the creation of custom security tools.


auxiliary/scanner/smtp/smtp_version     # smtp enumerate version
auxiliary/scanner/smtp/smtp_enum        # smtp enumerate users
exploit/linux/smtp/haraka               # SMTP haraka v2.8.9 (exploit)

Config files

# Show the effective Postfix configuration: drop comment lines and blank lines
grep -vE '^\s*#' /etc/postfix/main.cf | sed -r '/^\s*$/d'

Dangerous settings

To avoid outgoing mail being blocked, a server should relay through a trusted relay host that requires authentication. Admins often instead whitelist every IP address to make delivery problems go away, which creates a security risk: with the setting below the SMTP server becomes an open relay, so anyone can send mail through it, spoof the organisation's senders, and route messages through the server.

# Open relay configuration: every IPv4 address is trusted
mynetworks = 0.0.0.0/0
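As an added audit example (not part of the original note), the Python script below parses a Postfix `main.cf` and flags `mynetworks` entries that are broad enough to make the host an open relay, such as the `0.0.0.0/0` above. The sample configuration embedded in the script is constructed; the parser handles the `key = value` syntax, comment lines and indented continuation lines, and skips non-CIDR entries (hash tables, host names) rather than guessing about them.

```python
import ipaddress

# Constructed sample of /etc/postfix/main.cf with the dangerous setting
SAMPLE_MAIN_CF = """\
# constructed sample, not a real server's configuration
myhostname = mail.example.test
mynetworks = 127.0.0.0/8, [::1]/128,
    0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    defer_unauth_destination
"""


def parse_main_cf(text):
    """Parse Postfix main.cf into a dict; comments are skipped, indented lines continue the previous value."""
    params = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last_key is not None:
            params[last_key] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue
        last_key = key.strip()
        params[last_key] = value.strip()
    return params


def mynetworks_entries(value):
    """Split the comma/space separated list; Postfix writes IPv6 as [addr]/len."""
    entries = []
    for tok in value.replace(",", " ").split():
        if tok.startswith("["):
            addr, _, length = tok[1:].partition("]")
            tok = addr + length
        entries.append(tok)
    return entries


def check_mynetworks(params, max_public_hosts=256):
    """Return (entry, reason) findings for trusted networks that are too broad."""
    findings = []
    for entry in mynetworks_entries(params.get("mynetworks", "")):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # hash:/path, host names etc. are not CIDRs; not judged here
        if net.prefixlen == 0:
            findings.append((entry, "trusts every address: open relay"))
        elif not (net.is_private or net.is_loopback or net.is_link_local) \
                and net.num_addresses > max_public_hosts:
            findings.append((entry, "trusts %d public addresses" % net.num_addresses))
    return findings


def relay_is_open(params):
    """True when a broad mynetworks is combined with permit_mynetworks in the relay policy."""
    policy = params.get("smtpd_relay_restrictions", "permit_mynetworks")  # Postfix default includes it
    return bool(check_mynetworks(params)) and "permit_mynetworks" in policy


if __name__ == "__main__":
    cfg = parse_main_cf(SAMPLE_MAIN_CF)
    for entry, reason in check_mynetworks(cfg):
        print("mynetworks %-16s %s" % (entry, reason))
    print("open relay:", relay_is_open(cfg))
```

On a live host, point `parse_main_cf` at the output of `postconf -n` rather than the raw file to see values after Postfix's own defaults are applied; the `mynetworks_style` parameter can also widen the trusted set without any explicit `mynetworks` line, so check both.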