SMTP Enumeration

Why SMTP Matters

SMTP (Simple Mail Transfer Protocol) is the standard for sending and routing emails across the Internet. Unlike IMAP or POP3 (which retrieve mail), SMTP only handles outbound message delivery. Misconfigured SMTP servers—particularly open relays—become tools for spammers and attackers to send phishing emails at scale while spoofing sender addresses.

How SMTP Works

SMTP uses a simple client-server model. A mail client (MUA) connects to a submission server (MSA on port 587 or 465), which forwards to the destination SMTP server (port 25). The basic flow:

  1. Client authenticates to MSA (port 587/465 with STARTTLS)
  2. MSA validates and routes to destination MTA (port 25)
  3. MTAs relay hop-by-hop via DNS MX records
  4. Final MTA delivers to the recipient’s mailbox (accessed via IMAP/POP3)

Default ports:

  • Port 25: Server-to-server relay (plaintext, often blocked by ISPs)
  • Port 587: Submission (requires STARTTLS + authentication)
  • Port 465: SMTPS (legacy, immediate TLS wrapping)

Key SMTP Commands

Essential commands for manual testing:

| Command   | Purpose                                              |
|-----------|------------------------------------------------------|
| EHLO      | Advertise capabilities (VRFY, SIZE, STARTTLS, AUTH)  |
| MAIL FROM | Declare sender address                               |
| RCPT TO   | Declare recipient address                            |
| DATA      | Begin message body                                   |
| VRFY      | Verify if mailbox exists                             |
| EXPN      | Expand mailing list                                  |
| AUTH      | Authenticate with credentials                        |
| STARTTLS  | Upgrade to encrypted connection                      |
| QUIT      | Terminate session                                    |

Dangerous Configurations

Common misconfigurations create serious risks:

| Issue                     | Risk                                            |
|---------------------------|-------------------------------------------------|
| mynetworks = 0.0.0.0/0    | Open relay: anyone can send mail through it     |
| SMTP_AUTH disabled        | No authentication required on port 25           |
| VRFY enabled              | Attackers can enumerate valid usernames         |
| Listening on 0.0.0.0:25   | Server exposed on public interfaces             |

An open relay is the most critical misconfiguration. With access to an open relay, attackers can:

  • Send phishing emails at scale
  • Spoof sender addresses
  • Distribute malware
  • Evade source IP tracing

Default Postfix Configuration

```
myhostname = mail.example.com
mydestination = $myhostname, localhost
mynetworks = 127.0.0.0/8 10.0.0.0/8
smtp_bind_address = 127.0.0.1
smtpd_helo_restrictions = reject_invalid_hostname
```

Critical parameters:

  • mydestination: Domains this server accepts mail for (local delivery)
  • mynetworks: IP ranges allowed to relay without authentication
  • Setting mynetworks = 0.0.0.0/0 creates an open relay
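As an added example (not code from the original post), the following script reads a Postfix main.cf and flags the three misconfigurations discussed above: a zero-length prefix in mynetworks (open relay), smtpd bound to every interface, and VRFY left enabled. The sample main.cf is constructed for the demo; the parameter names mynetworks, inet_interfaces and disable_vrfy_command are real Postfix settings.

```python
from ipaddress import ip_network

# Constructed sample main.cf: the post's default block with the relay
# network widened (on a continuation line) and VRFY left at its default.
SAMPLE_MAIN_CF = """\
myhostname = mail.example.com
mydestination = $myhostname, localhost
mynetworks = 127.0.0.0/8
    0.0.0.0/0
inet_interfaces = all
smtpd_helo_restrictions = reject_invalid_hostname
"""

def parse_main_cf(text):
    """Parse Postfix main.cf: 'key = value' lines, indented continuation
    lines appended to the previous value, blank and '#' lines ignored."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key:           # continuation of previous value
            params[key] += " " + line.strip()
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params

def audit_postfix(params):
    """Return human-readable findings for relay, interface and VRFY exposure."""
    findings = []
    for net in params.get("mynetworks", "").replace(",", " ").split():
        try:
            if ip_network(net, strict=False).prefixlen == 0:   # 0.0.0.0/0 or ::/0
                findings.append(f"open relay: mynetworks contains {net}")
        except ValueError:
            pass  # hostnames, '!' negations and table lookups are not CIDR ranges
    # Postfix defaults to listening on all interfaces when the key is absent.
    if params.get("inet_interfaces", "all").lower() == "all":
        findings.append("smtpd listens on all interfaces (inet_interfaces = all)")
    # VRFY is enabled unless explicitly disabled.
    if params.get("disable_vrfy_command", "no").lower() != "yes":
        findings.append("VRFY enabled: set disable_vrfy_command = yes")
    return findings

if __name__ == "__main__":
    for finding in audit_postfix(parse_main_cf(SAMPLE_MAIN_CF)):
        print("-", finding)
```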

Enumeration and Testing

Nmap Service Detection

```
$ nmap -sC -sV -p25 target.com

PORT   STATE SERVICE VERSION
25/tcp open  smtp    Postfix smtpd
|_smtp-commands: mail.target.com, PIPELINING, SIZE 10240000, VRFY, ETRN, 8BITMIME, DSN, SMTPUTF8, CHUNKING
```

The EHLO response reveals the supported extensions (VRFY, ETRN, etc.) and the maximum message size.

Testing for Open Relays

```
$ nmap -p25 --script smtp-open-relay target.com

| smtp-open-relay: Server is an open relay (16/16 tests)
|  MAIL FROM:<> -> RCPT TO:<test@external.com>
```

Servers passing all test vectors accept mail from any sender to any recipient.

Manual Telnet Session

```
$ telnet target.com 25

220 ESMTP Server
EHLO attacker.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250 CHUNKING

VRFY admin
252 2.0.0 admin

MAIL FROM: <fake@attacker.com>
250 OK
RCPT TO: <victim@external.com>
250 OK
DATA
354 End data with <CR><LF>.<CR><LF>

Hello victim
.
250 OK: Message queued
QUIT
```

This demonstrates the attack chain: if a server accepts VRFY and relays mail without authentication, it’s vulnerable.

User Enumeration via VRFY

If VRFY is enabled, responses may leak valid users:

  • 250: User exists (verified)
  • 252: Cannot verify but will accept (ambiguous)
  • 550: User not found

Some servers respond consistently to all queries, making enumeration impossible. Others leak information through response timing or error messages.
Summary

SMTP’s simplicity makes it essential but also vulnerable. Key takeaways:

  1. Open relays are one of the most exploitable misconfigurations in production networks
  2. Port 25 = plaintext relay, port 587/465 = authenticated submission (should use STARTTLS)
  3. VRFY enumeration reveals valid usernames if the server responds distinctly for valid/invalid users
  4. Email headers contain routing info (Received chain) useful for footprinting mail infrastructure
  5. Always obtain written authorization before testing live SMTP servers

This post is licensed under CC BY-NC-ND 4.0 by the author.