# Simple Mail Transfer Protocol (SMTP)

## Introduction

- used between an email client and an outgoing mail server, or between two SMTP servers, one acting as a relay for the other
- by default works without encryption and transmits all commands, data and authentication information in plain text
- often combined with IMAP/POP3, which are used to fetch and manage emails on the mailbox side

## Footprinting SMTP

```bash
sudo nmap <ip_addr> -sC -sV -p25
sudo nmap <ip_addr> --script smtp-open-relay -v -p25   # check for open relay
```

## SMTP Config

- see `/etc/postfix/main.cf`

## SMTP Interaction

```bash
telnet <ip_addr> 25
HELO mail1.inlinefreight.htb   # initiate the SMTP session
EHLO mail1.inlinefreight.htb   # ESMTP variant; the server also lists its supported extensions
VRFY root                      # manually check whether the specified user exists
# build out a stub email with MAIL FROM, RCPT TO, DATA

# automated user enumeration (run from a separate shell, not inside the telnet session)
smtp-user-enum -M VRFY -U ./footprinting-wordlist.txt -t <ip_addr> -m 60 -w 20
```

| SMTP Command | Description                                                                        |
| ------------ | ---------------------------------------------------------------------------------- |
| AUTH PLAIN   | service extension used to authenticate the client                                  |
| HELO         | client logs in with its computer name to start a session                           |
| MAIL FROM    | client names the email sender                                                      |
| RCPT TO      | client names the email recipient                                                   |
| DATA         | client initiates transmission of the email                                         |
| RSET         | client aborts transmission but keeps the session alive                             |
| VRFY         | client checks if a mailbox is available for message transfer                       |
| EXPN         | similar to VRFY, but for mailing lists                                             |
| NOOP         | client requests a response from the server to prevent a disconnection from timeout |
| QUIT         | terminate the session                                                              |
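The SMTP Config section above points at `/etc/postfix/main.cf`. As an added example (not part of the original note), the following Python snippet parses a `main.cf` and flags the three settings that decide what the footprinting steps above will find: VRFY user enumeration, open relay, and cleartext transport. The parameter names are real Postfix parameters (`smtpd_relay_restrictions` assumes Postfix 2.10 or newer); both sample configs are constructed for the example.

```python
# Added example, not from the original note: audit the Postfix main.cf settings
# that govern VRFY enumeration, relaying and STARTTLS. Sample configs are constructed.

WEAK_MAIN_CF = """\
# constructed sample: a permissive main.cf
myhostname = mail1.inlinefreight.htb
mydestination = $myhostname, localhost
smtpd_relay_restrictions = permit_mynetworks
smtpd_tls_security_level = none
disable_vrfy_command = no
"""

HARDENED_MAIN_CF = """\
# constructed sample: the same host with the relevant knobs tightened
myhostname = mail1.inlinefreight.htb
mydestination = $myhostname, localhost
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
smtpd_tls_security_level = may
disable_vrfy_command = yes
"""

# Postfix defaults (2.10+) used when a parameter is not set explicitly
DEFAULTS = {
    "disable_vrfy_command": "no",
    "smtpd_relay_restrictions": "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination",
    "smtpd_tls_security_level": "",   # empty means no TLS offered
}


def parse_main_cf(text):
    """Parse Postfix's 'key = value' format, skipping comments and blank lines.
    Lines that start with whitespace continue the previous parameter's value."""
    params = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last_key is not None:
            params[last_key] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        last_key = key.strip()
        params[last_key] = value.strip()
    return params


def audit_main_cf(text):
    """Return a list of findings; an empty list means the checked settings are sane."""
    p = {**DEFAULTS, **parse_main_cf(text)}
    findings = []
    # VRFY enabled (the Postfix default) lets 'VRFY root' confirm account names
    if p["disable_vrfy_command"].lower() != "yes":
        findings.append("VRFY enabled: set disable_vrfy_command = yes")
    # relaying must be refused for destinations the server is not responsible for
    relay = [r.strip() for r in p["smtpd_relay_restrictions"].split(",") if r.strip()]
    if not any(r in ("reject_unauth_destination", "defer_unauth_destination") for r in relay):
        findings.append("open relay risk: smtpd_relay_restrictions lacks reject_unauth_destination")
    # without STARTTLS, AUTH credentials and message bodies cross the wire in cleartext
    if p["smtpd_tls_security_level"].lower() in ("", "none"):
        findings.append("no STARTTLS offered: set smtpd_tls_security_level = may (or encrypt)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(name, audit_main_cf(cfg) or ["ok"])
```

The checker deliberately applies Postfix's own defaults for parameters that are absent, so a `main.cf` that never mentions `smtpd_relay_restrictions` is not reported as an open relay, while a server that never sets `disable_vrfy_command` is reported, because the default leaves VRFY on.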
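To make the command table and the telnet session above concrete, here is an added example (not from the original note) that plays the exchange from both sides in memory: a toy server that answers the commands in the table with the real RFC 5321 reply codes, and a client-side walk through the stub email (EHLO, MAIL FROM, RCPT TO, DATA, QUIT). It also shows what the replies look like when `VRFY` is disabled and when relaying to a foreign domain is refused, which is what the `smtp-open-relay` script and `VRFY` probes above are reading. Everything is constructed: no sockets, no real host, and the reply texts are simplified versions of Postfix's.

```python
# Added example, not from the original note: an in-memory SMTP server stand-in
# and a replay of the client commands from the table. No network is touched.

class ToySmtpServer:
    """Minimal SMTP command handler. 'local_domains' are the domains the server
    accepts mail for; 'vrfy_enabled' mirrors Postfix's disable_vrfy_command = no."""

    def __init__(self, hostname, local_domains, users, vrfy_enabled=True, open_relay=False):
        self.hostname = hostname
        self.local_domains = set(local_domains)
        self.users = set(users)
        self.vrfy_enabled = vrfy_enabled
        self.open_relay = open_relay   # constructed flag: a misconfigured relay
        self.greeted = False
        self.reset()

    def reset(self):
        self.sender = None
        self.recipients = []
        self.in_data = False

    def banner(self):
        return f"220 {self.hostname} ESMTP"

    def handle(self, line):
        """Return the server reply for one client line (None for message body lines)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.reset()   # a completed transaction clears the envelope
                return "250 2.0.0 Ok: queued"
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            return f"250 {self.hostname}"
        if verb == "NOOP":
            return "250 2.0.0 Ok"
        if verb == "RSET":
            self.reset()
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        if verb == "VRFY":
            if not self.vrfy_enabled:
                return "502 5.5.1 VRFY command is disabled"
            # 252 for a known user vs 550 for an unknown one is the leak enumeration relies on
            return f"252 2.0.0 {arg}" if arg in self.users else "550 5.1.1 user unknown"
        if not self.greeted:
            return "503 5.5.1 Error: send HELO/EHLO first"
        if verb == "MAIL":
            self.sender = arg.split(":", 1)[1].strip("<> ")
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Error: need MAIL command"
            rcpt = arg.split(":", 1)[1].strip("<> ")
            domain = rcpt.rsplit("@", 1)[-1]
            if domain not in self.local_domains and not self.open_relay:
                return "554 5.7.1 Relay access denied"   # what reject_unauth_destination yields
            self.recipients.append(rcpt)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.recipients:
                return "503 5.5.1 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 5.5.2 Error: command not recognized"


def run_session(server, client_lines):
    """Replay client lines and return the transcript as (direction, line) pairs."""
    transcript = [("S", server.banner())]
    for line in client_lines:
        transcript.append(("C", line))
        reply = server.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
    return transcript


def reply_code(transcript, client_line):
    """Three-digit code of the server's reply to the first matching client line."""
    for i, (who, line) in enumerate(transcript):
        if who == "C" and line == client_line:
            return int(transcript[i + 1][1][:3])
    return None


# constructed client input: the "stub email" from the note, addressed to a local user
STUB_EMAIL = [
    "EHLO client.example",
    "MAIL FROM:<alice@inlinefreight.htb>",
    "RCPT TO:<bob@inlinefreight.htb>",
    "DATA",
    "Subject: test",
    "",
    "hello",
    ".",
    "QUIT",
]

# constructed client input: both endpoints foreign to the server, as an open-relay check does
RELAY_PROBE = [
    "HELO client.example",
    "MAIL FROM:<someone@external.example>",
    "RCPT TO:<other@external.example>",
    "QUIT",
]

if __name__ == "__main__":
    srv = ToySmtpServer("mail1.inlinefreight.htb", ["inlinefreight.htb"], ["root", "bob"])
    for who, line in run_session(srv, STUB_EMAIL):
        print(who, line)
```

Reading the transcript, `354` after `DATA` is the server switching to body mode, the lone `.` ends the body and earns the `250 ... queued` reply, and `RSET` or a finished transaction clears the envelope. Against the hardened variants the tell-tale replies are `554 5.7.1 Relay access denied` for the foreign recipient and `502 5.5.1` for a disabled `VRFY`; a `252`/`550` split on `VRFY` is the behaviour that makes user enumeration work.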