SMTP
What is SMTP?
SMTP stands for Simple Mail Transfer Protocol, and as the name suggests, it is simple! SMTP servers often implement interactive commands (VRFY, EXPN, HELO/EHLO, MAIL FROM, RCPT TO) that, when enabled or misconfigured, can reveal useful information about valid recipients, relaying policies, and server capabilities. Treat enumeration results as leads, not definitive proof.
Key points
- User enumeration: Commands such as VRFY and EXPN can be abused to confirm whether an account or mailing-list membership exists. Many modern servers disable or restrict these commands, but older or misconfigured servers may respond differently to valid vs invalid users.
- Service fingerprinting: The SMTP banner and responses to EHLO reveal server software/version and supported extensions (STARTTLS, AUTH, SIZE).
- Relaying behaviour: Tests can reveal whether the server is an open relay (a dangerous misconfiguration) or only accepts mail for local recipients.
- Safety: Avoid sending actual emails to validate users; use protocol-level commands and non-destructive checks.
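The three exposures listed above (user enumeration, banner fingerprinting, open relaying) each map to a server-side setting. The following added example, which is not part of the original page, audits a Postfix main.cf fragment for them. It assumes the standard Postfix key names (disable_vrfy_command, smtpd_banner, smtpd_relay_restrictions) and the Postfix 2.10+ defaults; the two config fragments are constructed to show the weak setting beside the corrected one.

```python
"""Audit a Postfix main.cf fragment for the SMTP exposures discussed above:
VRFY/EXPN user enumeration, version-leaking banners and permissive relaying.
Added example; the configuration text is constructed, not from a real server."""
import re

# Constructed main.cf fragment with the weak settings (assumption: standard
# Postfix key names; check your own main.cf for the real values).
WEAK_MAIN_CF = """
myhostname = mail.example.test
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
disable_vrfy_command = no
smtpd_relay_restrictions = permit_mynetworks, permit
"""

# The corrected counterpart for the same keys.
HARDENED_MAIN_CF = """
myhostname = mail.example.test
smtpd_banner = $myhostname ESMTP
disable_vrfy_command = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""

# Postfix defaults assumed when a key is absent (Postfix 2.10 or later).
DEFAULTS = {
    "disable_vrfy_command": "no",
    "smtpd_banner": "$myhostname ESMTP $mail_name",
    "smtpd_relay_restrictions": "permit_mynetworks permit_sasl_authenticated defer_unauth_destination",
}
UNAUTH_DESTINATION = ("reject_unauth_destination", "defer_unauth_destination")


def parse_main_cf(text):
    """Return {key: value} for 'key = value' lines; blanks and comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_postfix(text):
    """Return a list of (key, finding) tuples; an empty list means no findings."""
    cfg = {**DEFAULTS, **parse_main_cf(text)}
    findings = []

    # 1. User enumeration: with VRFY enabled the server answers per recipient
    #    and may distinguish valid from invalid users.
    if cfg["disable_vrfy_command"].lower() != "yes":
        findings.append(("disable_vrfy_command",
                         "VRFY enabled: server may reveal which accounts exist"))

    # 2. Fingerprinting: $mail_name / $mail_version expand to software and version.
    if "$mail_name" in cfg["smtpd_banner"] or "$mail_version" in cfg["smtpd_banner"]:
        findings.append(("smtpd_banner", "banner reveals server software/version"))

    # 3. Relaying: a bare 'permit' before the unauth-destination check, or no
    #    such check at all, relays mail for anyone (open relay).
    tokens = [t for t in re.split(r"[,\s]+", cfg["smtpd_relay_restrictions"]) if t]
    guard = next((i for i, t in enumerate(tokens) if t in UNAUTH_DESTINATION), None)
    if guard is None or "permit" in tokens[:guard]:
        findings.append(("smtpd_relay_restrictions",
                         "relaying to non-local destinations is not rejected (open relay risk)"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(name, audit_postfix(cfg) or "no findings")
```

On Postfix older than 2.10 the relay controls live in smtpd_recipient_restrictions instead, so extend the third check accordingly if you audit such a server.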
Ports
SMTP (plain): 25/tcp
SMTP over TLS (implicit): 465/tcp
SMTP submission (with STARTTLS): 587/tcp
SMTP Enumeration
Linux
Using Nmap
Port scanning
Nmap scripts
- smtp-enum-users — attempts to enumerate users.
- smtp-commands — lists supported SMTP commands.
- smtp-open-relay — checks relay behaviour.
Example:
Using NetCat
Open a raw TCP session and issue SMTP commands:
Differing success/error codes indicate the server distinguishes valid users from invalid ones.
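The same response-code differences that an enumeration session shows in netcat also show up in the mail server's own reject log, which is where a defender spots this activity. The following added example, not part of the original page, runs simple detection logic over constructed Postfix-style "NOQUEUE: reject" log lines: it flags a client that probes many non-existent recipients (user enumeration), any use of VRFY/EXPN, and relay probes rejected with "Relay access denied". The log format and the threshold are assumptions; adjust the regex to your MTA's layout.

```python
"""Flag SMTP user-enumeration and relay probing in mail-server reject logs.
Added example, not from the original page.  The log lines are constructed in
a Postfix-like format; real MTA log layouts may differ."""
import re
from collections import defaultdict

# Constructed sample log (assumption: Postfix 'NOQUEUE: reject:' style).
# 198.51.100.7 probes five accounts with VRFY, 203.0.113.9 tests relaying,
# and 192.0.2.5 is a legitimate peer that mistyped one recipient.
SAMPLE_LOG = """\
Jan 10 09:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject: VRFY from unknown[198.51.100.7]: 550 5.1.1 <alice@example.test>: Recipient address rejected: User unknown in local recipient table; to=<alice@example.test> proto=SMTP helo=<probe>
Jan 10 09:00:02 mx postfix/smtpd[2101]: NOQUEUE: reject: VRFY from unknown[198.51.100.7]: 550 5.1.1 <bob@example.test>: Recipient address rejected: User unknown in local recipient table; to=<bob@example.test> proto=SMTP helo=<probe>
Jan 10 09:00:02 mx postfix/smtpd[2101]: NOQUEUE: reject: VRFY from unknown[198.51.100.7]: 550 5.1.1 <carol@example.test>: Recipient address rejected: User unknown in local recipient table; to=<carol@example.test> proto=SMTP helo=<probe>
Jan 10 09:00:03 mx postfix/smtpd[2101]: NOQUEUE: reject: VRFY from unknown[198.51.100.7]: 550 5.1.1 <dave@example.test>: Recipient address rejected: User unknown in local recipient table; to=<dave@example.test> proto=SMTP helo=<probe>
Jan 10 09:00:03 mx postfix/smtpd[2101]: NOQUEUE: reject: VRFY from unknown[198.51.100.7]: 550 5.1.1 <erin@example.test>: Recipient address rejected: User unknown in local recipient table; to=<erin@example.test> proto=SMTP helo=<probe>
Jan 10 09:00:09 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <someone@other.test>: Relay access denied; from=<x@y.test> to=<someone@other.test> proto=ESMTP helo=<probe>
Jan 10 09:01:00 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from mail.partner.test[192.0.2.5]: 550 5.1.1 <typo@example.test>: Recipient address rejected: User unknown in local recipient table; from=<ann@partner.test> to=<typo@example.test> proto=ESMTP helo=<mail.partner.test>
"""

REJECT_RE = re.compile(
    r"reject: (?P<cmd>VRFY|EXPN|RCPT) from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<ecode>\d\.\d\.\d) <(?P<addr>[^>]*)>: (?P<reason>[^;]+)"
)

# Distinct unknown recipients from one client before we call it enumeration
# (assumed threshold; tune to your traffic).
ENUM_THRESHOLD = 3


def parse_rejects(log_text):
    """Return one dict per reject line that matches REJECT_RE."""
    return [m.groupdict() for m in map(REJECT_RE.search, log_text.splitlines()) if m]


def detect(log_text, threshold=ENUM_THRESHOLD):
    """Return {client_ip: sorted list of labels} for clients worth a look."""
    unknown_by_ip = defaultdict(set)   # ip -> distinct 550 5.1.1 recipients
    findings = defaultdict(set)
    for ev in parse_rejects(log_text):
        if ev["code"] == "550" and ev["ecode"] == "5.1.1":
            unknown_by_ip[ev["ip"]].add(ev["addr"])
        if ev["code"] == "554" and "Relay access denied" in ev["reason"]:
            findings[ev["ip"]].add("relay-probe")
        if ev["cmd"] in ("VRFY", "EXPN"):
            findings[ev["ip"]].add("vrfy-expn-used")
    for ip, addrs in unknown_by_ip.items():
        if len(addrs) >= threshold:
            findings[ip].add("user-enumeration")
    return {ip: sorted(labels) for ip, labels in findings.items()}


if __name__ == "__main__":
    for ip, labels in detect(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(labels)}")
```

A single unknown recipient from an otherwise normal peer (192.0.2.5 above) is left alone; the threshold on distinct addresses per client is what separates a typo from a dictionary run.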
Windows
Using PowerShell
Using Test-NetConnection
Using Telnet
The Telnet client is not installed by default on Windows, so you can add it using:
Interaction is the same as on Linux