# SMTP

## What is SMTP?

**S**imple **M**ail **T**ransfer **P**rotocol (**SMTP**) is, as the name suggests, simple. SMTP servers often implement interactive commands (`VRFY`, `EXPN`, `HELO`/`EHLO`, `MAIL FROM`, `RCPT TO`) that, when enabled or misconfigured, can reveal useful information about valid recipients, relaying policies, and server capabilities. Treat enumeration results as leads, not definitive proof.

***

### Key points

* **User enumeration:** Commands such as `VRFY` and `EXPN` can be abused to confirm whether an account or mailing-list membership exists. Many modern servers disable or restrict these commands, but older or misconfigured servers may respond differently to valid and invalid users.
* **Service fingerprinting:** The SMTP banner and responses to `EHLO` reveal server software/version and supported extensions (`STARTTLS`, `AUTH`, `SIZE`).
* **Relaying behaviour:** Tests can reveal whether the server is an open relay (dangerous misconfiguration) or only accepts local recipients.
* **Safety:** Avoid sending actual emails to validate users; use protocol-level commands and non-destructive checks.

### Ports

* SMTP (plain): **25/tcp**
* SMTP over TLS (implicit): **465/tcp**
* SMTP submission (with STARTTLS): **587/tcp**

***

## SMTP Enumeration

### Linux

#### Using Nmap

* Port scanning

```bash
sudo nmap -p 25,465,587 <target>
```

* Nmap scripts

  * `smtp-enum-users` — attempts to enumerate users.
  * `smtp-commands` — lists supported SMTP commands.
  * `smtp-open-relay` — checks relay behaviour.

  Example:

  ```bash
  sudo nmap -p 25 --script=smtp-enum-users <target>
  ```

#### Using NetCat

Open a raw TCP session and issue SMTP commands:

```bash
nc -nv 192.168.5.64 25
```

```
220 mail.example.com ESMTP Postfix (Ubuntu)
EHLO attacker.local
250-mail.example.com
250-PIPELINING
250-SIZE 10485760
250-STARTTLS
VRFY root
252 2.0.0 root
VRFY nonexistent
550 5.1.1 <nonexistent>: Recipient address rejected: User unknown in local recipient table
QUIT
221 2.0.0 Bye
```

Differing reply codes for known and unknown users (`252` versus `550` above) indicate that the server distinguishes valid users from invalid ones.
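As an added example (not part of the original notes), a small Python parser that turns a captured session like the one above into the list of EHLO extensions and a per-`VRFY` verdict, so a transcript of your own server can show whether `VRFY` discloses user existence. The transcript is constructed; the `502` reply for a disabled `VRFY` is what Postfix sends with `disable_vrfy_command = yes`.

```python
import re

# Constructed transcript (not a real host), modelled on the nc session above.
SAMPLE = """\
220 mail.example.com ESMTP Postfix (Ubuntu)
EHLO attacker.local
250-mail.example.com
250-STARTTLS
250 SIZE 10485760
VRFY root
252 2.0.0 root
VRFY nonexistent
550 5.1.1 <nonexistent>: Recipient address rejected: User unknown in local recipient table
"""

def parse_session(text):
    """Pair each client command with its reply lines; the banner is paired with None."""
    exchanges, cmd, lines = [], None, []
    for raw in text.splitlines():
        m = re.match(r"^(\d{3})([ -])", raw)       # reply code plus continuation marker
        if m:
            lines.append(raw)
        if not m or m.group(2) == " ":             # a command or a final "250 " line ends the reply
            if lines:                              # flush, also when "250-" was never terminated
                exchanges.append((cmd, lines))
                lines = []
            cmd = cmd if m else raw.strip()
    if lines:                                      # transcript cut off inside a multi-line reply
        exchanges.append((cmd, lines))
    return exchanges

def ehlo_extensions(exchanges):
    """Extensions advertised after EHLO; the first reply line is the server's hostname."""
    for cmd, lines in exchanges:
        if cmd and cmd.upper().startswith("EHLO"):
            return [l[4:].split()[0] for l in lines[1:]]
    return []

# RFC 5321 reply codes for VRFY; 502 is what Postfix sends with disable_vrfy_command = yes.
VRFY_MEANING = {"250": "confirmed", "251": "confirmed (forwarded)", "252": "unverified, accepted",
                "550": "rejected", "502": "VRFY disabled"}

def vrfy_verdicts(exchanges):
    """One (argument, code, meaning) triple per VRFY the client sent."""
    return [(cmd[4:].strip(), lines[0][:3], VRFY_MEANING.get(lines[0][:3], "other"))
            for cmd, lines in exchanges if cmd and cmd.upper().startswith("VRFY")]

def vrfy_leaks(exchanges):
    """True when VRFY reply codes differ between users, i.e. the server discloses who exists."""
    return len({code for _, code, _ in vrfy_verdicts(exchanges)}) > 1
```

A transcript from a server where every `VRFY` gets the same `502` reply yields `vrfy_leaks(...) == False`, which is the outcome to expect after disabling the command.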

### Windows

#### Using PowerShell

* Check whether the port is reachable with Test-NetConnection:

```powershell
Test-NetConnection -Port 25 -ComputerName <target_ip>
```

#### Using Telnet

* The Telnet client is not installed by default on Windows, so enable it with:

```powershell
dism /online /Enable-Feature /FeatureName:TelnetClient
```

* Interact with the server as on Linux:

```powershell
telnet 192.168.5.64 25
```

```
220 mail.example.com ESMTP Postfix (Ubuntu)
VRFY alice
250 2.1.5 alice
VRFY bob
550 5.1.1 <bob>: Recipient address rejected: User unknown in local recipient table
```
