protocolsandservers networkservices2 networksecurityprotocols

Simple Mail Transfer Protocol (SMTP) is a protocol used by a mail client (Mail User Agent) to transfer emails (Mail Submission Agent) to a server called Mail Transfer Agent. This server will transfer emails to another server that will handle the delivery.

The Mail Transfer Agent will send the mail to a Mail Delivery Agent which is the server that the client will query to access his/her emails. It's common for a MTA to also be a MDA.

🐊️ Ports

  • 25 (TCP)
  • 587 (TCP) - with or without SSL/TLS
  • 2525 (TCP) - unofficial

πŸ”₯ SMTP communications are not encrypted.

πŸ”’ There is a secure version called SMTPS (port 465, over SSL/TLS). Modern web servers use port 587 with SSL/TLS as smtps was revoked.

You could use the analogy of a MSA being the postman that takes mail from your inbox (MUA) and deliver them to the post center (MTA).

$ telnet IP 25
helo hostname
mail from: <>
rcpt to: <> NOTIFY=success,failure
subject: xxx

SMTP also has the commands VRFY to check if a user exists, and EXPN to see the emails/mailing lists/... for a user.

SMTP vulnerabilities ☠️


  • Metasploit
msf6> use auxiliary/scanner/smtp/smtp_version # version
  • Dig info using nmap
$ nmap IP -p 25,465 --script "*smtp*"
$ nmap IP -p 25,465 --script smtp-open-relay



msf6> use auxiliary/scanner/smtp/smtp_enum # users...
  • We can use smtp-user-enum which supports 3 methods: VRFY (not always working, code 252, doc), RCPT (along with -D) and EXPN
$ sudo apt install smtp-user-enum
$ smtp-user-enum -M VRFY -u root -t IP
$ smtp-user-enum -M VRFY -U users.lst -t IP
$ smtp-user-enum -M RCPT -U users.lst -D -t IP
  • The password may be weak and vulnerable to brute force.
$ hydra -l -P passwords.lst smtp://IP -v

Well-known CVEs

Additional Notes


  • o365spray can be used to brute force usernames and passwords of Microsoft Office 365 accounts.
$ git clone
$ cd o365spray
$ python3 --validate --domain xxx.yyy # valid?
$ python3 --enum -U users.txt --domain xxx.yyy

πŸ‘» To-do πŸ‘»

Stuff that I found, but never read/used yet.

  • SMTP protocol extension ESMTP with SMTP-Auth
  • MSA is also called Relay server
  • Open Relay (IPs allowed to use the SMTP Server,
  • Mail Server Configuration