About SMTP
The Simple Mail Transfer Protocol (SMTP) is a protocol for sending emails in an IP network. It can be used between an email client and an outgoing mail server or between two SMTP servers. SMTP is often combined with the IMAP or POP3 protocols, which are used to fetch emails from a mailbox.
By default, SMTP servers accept connection requests on port 25. However, newer SMTP servers also use other ports such as TCP port 587. This port is used to receive mail from authenticated users/servers, usually using the STARTTLS command (see below) to switch the existing plaintext connection to an encrypted connection. SMTP works unencrypted without further measures and transmits all commands, data, and authentication information in plain text. To prevent unauthorized reading of data, SMTP is used in conjunction with SSL/TLS encryption. Under certain circumstances, a server uses a port other than the standard TCP port 25 for the encrypted connection, for example, TCP port 465.
An essential function of an SMTP server is preventing spam using authentication mechanisms that allow only authorized users to send e-mails. For this purpose, most modern SMTP servers support the protocol extension ESMTP with SMTP-Auth. When a user sends an e-mail, the SMTP client, also known as the Mail User Agent (MUA), converts it into a header and a body and uploads both to the SMTP server. To relieve the MTA, it is occasionally preceded by a Mail Submission Agent (MSA), which checks the validity, i.e., the origin of the e-mail. This MSA is also called a Relay server. From there, the email is handed off to the Mail Transfer Agent (MTA), the software basis for sending and receiving e-mails. The MTA checks the e-mail for size and spam and then stores it. The MTA then searches the DNS for the IP address of the recipient mail server and forwards the email to that IP address. On arrival at the destination SMTP server, the data packets are reassembled to form a complete e-mail. From there, the Mail Delivery Agent (MDA) transfers it to the recipient's mailbox.
Client (MUA) | ➞ | Submission Agent (MSA) | ➞ | Open Relay (MTA) | ➞ | Mail Delivery Agent (MDA) | ➞ | Mailbox (POP3/IMAP) |
---|---|---|---|---|---|---|---|---|
Client uploads email to server | | Some servers don't have this | | | | | | |
SMTP is inherently insecure – meet ESMTP
Note that users are not authenticated when a connection is established, and the sender of an email is therefore unreliable. As a result, open SMTP relays are often misused to send spam. The originators use arbitrary fake sender addresses so that they cannot be traced (mail spoofing). Today, different security techniques are used to prevent the misuse of SMTP servers. For example, suspicious emails are rejected or moved to quarantine (spam folder). Responsible for this are, for example, the identification protocol DomainKeys (DKIM) and the Sender Policy Framework (SPF).
In addition, an extension for SMTP has been developed called Extended SMTP (ESMTP). When people talk about SMTP in general, they usually mean ESMTP. ESMTP uses TLS, which is done after the EHLO command by sending STARTTLS. This initializes the SSL-protected SMTP connection, and from this moment on, the entire connection is encrypted, and therefore more or less secure.
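The EHLO reply is where a server advertises STARTTLS, AUTH and its other extensions. The following is an added example, not code from the original notes: it parses a multi-line ESMTP reply and summarises what a plaintext session would expose. The sample reply is constructed, modelled on the nmap smtp-commands output further down, with AUTH added and STARTTLS deliberately absent; the function names are my own.

```python
import re

# Constructed sample: what a server might send in reply to EHLO. The extension
# list mirrors the nmap smtp-commands output below, plus AUTH; no STARTTLS.
SAMPLE_EHLO_REPLY = (
    "250-mail1.inlanefreight.htb\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-VRFY\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)

def parse_reply(raw):
    """Split a (possibly multi-line) SMTP reply into (code, [text lines]).
    '-' after the code means more lines follow; a space marks the final line."""
    code, lines = None, []
    for line in raw.splitlines():
        m = re.match(r"^(\d{3})([ -])(.*)$", line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        if code is None:
            code = int(m.group(1))
        elif int(m.group(1)) != code:
            raise ValueError("reply code changed mid-reply")
        lines.append(m.group(3))
        if m.group(2) == " ":
            break                     # final line reached
    else:
        raise ValueError("reply not terminated by a '<code><space>' line")
    return code, lines

def audit_ehlo(raw):
    """Summarise what an EHLO reply exposes, from a defender's point of view."""
    code, lines = parse_reply(raw)
    if code != 250:
        return {"error": f"EHLO rejected with {code}"}
    exts = {}
    for ext in lines[1:]:             # first line is the server's hostname
        parts = ext.split()
        if parts:
            exts[parts[0].upper()] = parts[1:]
    return {
        "hostname": lines[0].split()[0],
        # Without STARTTLS every command and credential crosses the wire in clear text.
        "starttls": "STARTTLS" in exts,
        # AUTH offered on the plaintext session: credentials can be captured.
        "auth_before_tls": "AUTH" in exts and "STARTTLS" not in exts,
        # VRFY/EXPN let any client confirm which mailboxes exist (user enumeration).
        "user_enum": [c for c in ("VRFY", "EXPN") if c in exts],
        "max_size": int(exts["SIZE"][0]) if exts.get("SIZE") else None,
    }
```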
Mail headers
The mail header provides information about the sender and recipient, the time of sending and arrival, the stations the email passed on its way, the content and format of the message, and the identity of the sender and recipient. However, the email header does not contain any information necessary for technical delivery; that is transmitted as part of the transmission protocol.
SMTP from telnet
telnet SERVERNAME 25
The name or IP address of the mail server for a domain can be determined with dig DOMAIN -t MX. If there is no MX record for a domain, the corresponding A record must be used.
If the TCP connection can be established, telnet responds with the messages "Connected to SERVERNAME." and "Escape character is '^]'.".
EHLO test.example.com
MAIL FROM:<SENDERADDRESS>
RCPT TO:<RECIPIENTADDRESS>
DATA
354 End data with <CR><LF>.<CR><LF>
From: <cry0l1t3@inlanefreight.htb>
To: <mrb3n@inlanefreight.htb>
Subject: DB
Date: Tue, 28 Sept 2021 16:32:51 +0200
(Blank line, press Enter again)
This is a test.
(Blank line, press Enter again)
.
QUIT
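As an added example (not part of the original notes), the server side of the dialogue above modelled in Python: it enforces the EHLO, MAIL FROM, RCPT TO, DATA sequence with the 503/354/250 replies listed in the error-code table further down and, in the RCPT step, makes the relay decision that an open relay omits. The hostname and the inlanefreight.htb domain come from this page; the class name, LOCAL_DOMAINS and the reply texts are my own constructions.

```python
LOCAL_DOMAINS = {"inlanefreight.htb"}  # constructed: domains this server delivers for

class SmtpSession:  # server side of one SMTP connection
    def __init__(self, authenticated=False):
        self.authenticated = authenticated  # True only after SMTP-Auth succeeded
        self.helo, self.in_data = None, False
        self.reset()

    def reset(self):  # clear the current transaction (after MAIL or a queued message)
        self.sender, self.recipients, self.body = None, [], []

    def handle(self, line):
        """Process one client line; return the reply, or None while inside DATA."""
        if self.in_data:                   # body lines until a lone "."
            if line == ".":
                self.in_data = False
                self.reset()
                return "250 2.0.0 Ok: queued"
            self.body.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.helo = arg
            return "250 mail1.inlanefreight.htb"
        if self.helo is None:
            return "503 5.5.1 Error: send HELO/EHLO first"
        if verb == "MAIL":
            self.reset()
            self.sender = arg.partition(":")[2].strip("<> ")
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Error: need MAIL command"
            local, _, domain = arg.partition(":")[2].strip("<> ").rpartition("@")
            if "%" in local or "!" in local:   # percent-hack / bang-path routing forms
                return "501 5.1.3 Bad recipient address syntax"
            # Relay control: accept only local domains unless the client authenticated;
            # a server that skips this check is an open relay.
            if domain.lower() not in LOCAL_DOMAINS and not self.authenticated:
                return "554 5.7.1 Relay access denied"
            self.recipients.append(f"{local}@{domain}")
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.recipients:
                return "503 5.5.1 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"

def run_transcript(lines, authenticated=False):
    session = SmtpSession(authenticated)   # feed client lines through a fresh session
    return [r for r in map(session.handle, lines) if r is not None]
```

The same RCPT TO forms that the nmap open-relay script tries (percent, bang-path and source-routed addresses) are rejected here with 501 or 554 instead of being accepted.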
SMTP commands
Table 1. SMTP commands that are supported by CSSMTP
Subcommand | Supported by SMTP Server | Supported by CSSMTP application | Description | Reference |
---|---|---|---|---|
DATA | YES | YES | Defines information as the data text of the mail body. | DATA command: Define the following information as data |
EHLO | NO | YES | Identifies the domain name of the sending host to SMTP. | EHLO command: Identify the domain name of the sending host to SMTP |
EXPN | YES | NO | Verifies whether a mailbox exists on the local host. | Command is not implemented |
HELO | YES | YES | Identifies the domain name of the sending host to SMTP. | HELO command: Identify the domain name of the sending host to SMTP |
HELP | YES | NO | Provides help with SMTP commands. | Command is not implemented |
MAIL FROM | YES | YES | Specifies the mail sender. | MAIL FROM command: Specify the sender of the mail |
NOOP | YES | NO | Returns a 250 OK return code when SMTP is responding. | Command is not implemented |
QUEU | YES | NO | Gets information about mail that is queued at SMTP for delivery. | Command is not implemented |
QUIT | YES | YES | Stops SMTP processing. | QUIT command: End SMTP processing |
RCPT TO | YES | YES | Specifies the mail recipients. | RCPT TO command: Specify the recipients of the mail |
RSET | YES | YES | Resets the SMTP processing to the initial state. | RSET command: Reset the SMTP processing to the initial state |
STARTTLS | NO | YES | Tells the CSSMTP application that the SMTP server is currently able to negotiate the use of TLS. | STARTTLS command: Indicate the ability to negotiate the use of TLS |
TICK | YES | NO | Inserts an identifier into the batch SMTP response data set. | Command is not implemented |
VERB | YES | NO | Enables or disables verbose mode. Note: VERB ON can cause spool problems for SMTP if the REPLY TO: user is not a valid NJE node.user. | Command is not implemented |
VRFY | YES | NO | Verifies whether a mailbox exists on the local host. | Command is not implemented |
SMTP error codes
CODE | MEANING | HOW TO SOLVE IT / WHAT TO DO |
---|---|---|
101 | The server is unable to connect. | Try to change the server’s name (maybe it was spelt incorrectly) or the connection port. |
111 | Connection refused or inability to open an SMTP stream. | This error normally refers to a connection issue with the remote SMTP server, depending on firewalls or misspelled domains. Double-check all the configurations and in case ask your provider. |
211 | System status message or help reply. | It comes with more information about the server. |
214 | A response to the HELP command. | It contains information about your particular server, normally pointing to a FAQ page. |
220 | The server is ready. | It’s just a welcome message. Just read it and be happy that everything is working (so far)! |
221 | The server is closing its transmission channel. It can come with side messages like “Goodbye” or “Closing connection”. | The mailing session is going to end, which simply means that all messages have been processed. |
250 | Its typical side message is “Requested mail action okay completed”: meaning that the server has transmitted a message. | The opposite of an error: everything has worked and your email has been delivered. |
251 | “User not local will forward”: the recipient’s account is not on the present server, so it will be relayed to another. | It’s a normal transfer action. For other information check out our article on what is an SMTP server. |
252 | The server cannot verify the user, but it will try to deliver the message anyway. | The recipient’s email account is valid, but not verifiable. Normally the server relays the message to another one that will be able to check it. |
354 | The side message can be very cryptic (“Start mail input end <CRLF>.<CRLF>”). It’s the typical response to the DATA command. | The server has received the “From” and “To” details of the email, and is ready to get the body message. |
420 | “Timeout connection problem”: there have been issues during the message transfer. | This error message is produced only by GroupWise servers. Either your email has been blocked by the recipient’s firewall, or there’s a hardware problem. Check with your provider. |
421 | The service is unavailable due to a connection problem: it may refer to an exceeded limit of simultaneous connections, or a more general temporary problem. | The server (yours or the recipient’s) is not available at the moment, so the dispatch will be tried again later. |
422 | The recipient’s mailbox has exceeded its storage limit. | Best is to contact the user via another channel to alert him and ask to create some free room in his mailbox. |
431 | Not enough space on the disk, or an “out of memory” condition due to a file overload. | This error may depend on too many messages sent to a particular domain. You should try again sending smaller sets of emails instead of one big mail-out. |
432 | Typical side-message: “The recipient’s Exchange Server incoming mail queue has been stopped”. | It’s a Microsoft Exchange Server’s SMTP error code. You should contact it to get more information: generally it’s due to a connection problem. |
441 | The recipient’s server is not responding. | There’s an issue with the user’s incoming server: yours will try again to contact it. |
442 | The connection was dropped during the transmission. | A typical network connection problem, probably due to your router: check it immediately. |
446 | The maximum hop count was exceeded for the message: an internal loop has occurred. | Ask your SMTP provider to verify what has happened. |
447 | Your outgoing message timed out because of issues concerning the incoming server. | This happens generally when you exceeded your server’s limit of number of recipients for a message. Try to send it again segmenting the list in different parts. |
449 | A routing error. | Like error 432, it’s related only to Microsoft Exchange. Use WinRoute. |
450 | “Requested action not taken – The user’s mailbox is unavailable”. The mailbox has been corrupted or placed on an offline server, or your email hasn’t been accepted for IP problems or blacklisting. | The server will retry to mail the message again, after some time. Anyway, verify that it is working on a reliable IP address. |
451 | “Requested action aborted – Local error in processing”. Your ISP’s server or the server that got a first relay from yours has encountered a connection problem. | It’s normally a transient error due to a message overload, but it can refer also to a rejection due to a remote antispam filter. If it keeps repeating, ask your SMTP provider to check the situation. (If you’re sending a large bulk email with a free one that can be a common issue). |
452 | Too many emails sent or too many recipients: more in general, a server storage limit exceeded. | Again, the typical cause is a message overload. Usually the next try will succeed: in case of problems on your server it will come with a side-message like “Out of memory”. |
471 | An error of your mail server, often due to an issue of the local anti-spam filter. | Contact your SMTP service provider to fix the situation. |
500 | A syntax error: the server couldn’t recognize the command. | It may be caused by a bad interaction of the server with your firewall or antivirus. Read carefully their instructions to solve it. |
501 | Another syntax error, not in the command but in its parameters or arguments. | In the majority of the times it’s due to an invalid email address, but it can also be associated with connection problems (and again, an issue concerning your antivirus settings). |
502 | The command is not implemented. | The command has not been activated yet on your own server. Contact your provider to know more about it. |
503 | The server has encountered a bad sequence of commands, or it requires an authentication. | In case of “bad sequence”, the server has pulled off its commands in a wrong order, usually because of a broken connection. If an authentication is needed, you should enter your username and password. |
504 | A command parameter is not implemented. | Like error 501, it is a syntax problem; you should ask your provider. |
510/511 | Bad email address. | One of the addresses in your TO, CC or BCC line doesn’t exist. Check again your recipients’ accounts and correct any possible misspelling. |
512 | A DNS error: the host server for the recipient’s domain name cannot be found. | Check again all your recipients’ addresses: there will likely be an error in a domain name (like mail@domain.coom instead of mail@domain.com). |
513 | “Address type is incorrect”: another problem concerning address misspelling. In few cases, however, it’s related to an authentication issue. | Double-check your recipients’ addresses and correct any mistake. If everything’s ok and the error persists, then it’s caused by a configuration issue (simply, the server needs an authentication). |
523 | The total size of your mailing exceeds the recipient server’s limits. | Re-send your message splitting the list in smaller subsets. |
530 | Normally, an authentication problem. But sometimes it’s about the recipient’s server blacklisting yours, or an invalid email address. | Configure your settings providing a username+password authentication. If the error persists, check all your recipients’ addresses and if you’ve been blacklisted. |
541 | The recipient address rejected your message: normally, it’s an error caused by an anti-spam filter. | Your message has been detected and labeled as spam. You must ask the recipient to whitelist you. |
550 | It usually defines a non-existent email address on the remote side. | Though it can be returned also by the recipient’s firewall (or when the incoming server is down), the great majority of errors 550 simply tell that the recipient email address doesn’t exist. You should contact the recipient otherwise and get the right address. |
551 | “User not local or invalid address – Relay denied”. Meaning, if both your address and the recipient’s are not locally hosted by the server, a relay can be interrupted. | It’s a (not very clever) strategy to prevent spamming. You should contact your ISP and ask them to allow you as a certified sender. Of course, with a professional SMTP provider like turboSMTP you won’t ever deal with this issue. |
552 | “Requested mail actions aborted – Exceeded storage allocation”: simply put, the recipient’s mailbox has exceeded its limits. | Try to send a lighter message: that usually happens when you dispatch emails with big attachments, so check them first. |
553 | “Requested action not taken – Mailbox name invalid”. That is, there’s an incorrect email address into the recipients line. | Check all the addresses in the TO, CC and BCC field. There should be an error or a misspelling somewhere. |
554 | This means that the transaction has failed. It’s a permanent error and the server will not try to send the message again. | The incoming server thinks that your email is spam, or your IP has been blacklisted. Check carefully if you ended up in some spam lists, or rely on a professional SMTP service like turboSMTP that will nullify this problem. |
Footprinting the SMTP service
nmap
The default nmap scripts (-sC) together with version detection (-sV) can be run against port 25 as follows.
sudo nmap 10.129.14.128 -sC -sV -p25
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-27 17:56 CEST
Nmap scan report for 10.129.14.128
Host is up (0.00025s latency).
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_smtp-commands: mail1.inlanefreight.htb, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING,
MAC Address: 00:00:00:00:00:00 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.09 seconds
nmap open relay testing
nmap has an open relay script that uses a variety of methods to test for an open relay.
sudo nmap 10.129.14.128 -p25 --script smtp-open-relay -v
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-30 02:29 CEST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 02:29
Completed NSE at 02:29, 0.00s elapsed
Initiating ARP Ping Scan at 02:29
Scanning 10.129.14.128 [1 port]
Completed ARP Ping Scan at 02:29, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:29
Completed Parallel DNS resolution of 1 host. at 02:29, 0.03s elapsed
Initiating SYN Stealth Scan at 02:29
Scanning 10.129.14.128 [1 port]
Discovered open port 25/tcp on 10.129.14.128
Completed SYN Stealth Scan at 02:29, 0.06s elapsed (1 total ports)
NSE: Script scanning 10.129.14.128.
Initiating NSE at 02:29
Completed NSE at 02:29, 0.07s elapsed
Nmap scan report for 10.129.14.128
Host is up (0.00020s latency).
PORT STATE SERVICE
25/tcp open smtp
| smtp-open-relay: Server is an open relay (16/16 tests)
| MAIL FROM:<> -> RCPT TO:<relaytest@nmap.scanme.org>
| MAIL FROM:<antispam@nmap.scanme.org> -> RCPT TO:<relaytest@nmap.scanme.org>
| MAIL FROM:<antispam@ESMTP> -> RCPT TO:<relaytest@nmap.scanme.org>
| MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<relaytest@nmap.scanme.org>
| MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<relaytest%nmap.scanme.org@[10.129.14.128]>
| MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<relaytest%nmap.scanme.org@ESMTP>
| MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<"relaytest@nmap.scanme.org">
| MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<"relaytest%nmap.scanme.org">
| MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<relaytest@nmap.scanme.org@[10.129.14.128]>
| MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<"relaytest@nmap.scanme.org"@[10.129.14.128]>
| MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<relaytest@nmap.scanme.org@ESMTP>
| MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<@[10.129.14.128]:relaytest@nmap.scanme.org>
| MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<@ESMTP:relaytest@nmap.scanme.org>
| MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<nmap.scanme.org!relaytest>
| MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<nmap.scanme.org!relaytest@[10.129.14.128]>
|_ MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<nmap.scanme.org!relaytest@ESMTP>
MAC Address: 00:00:00:00:00:00 (VMware)
NSE: Script Post-scanning.
Initiating NSE at 02:29
Completed NSE at 02:29, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
smtp-user-enum script
smtp-user-enum -M VRFY -U footprinting-wordlist.txt -t 10.129.208.79 -w 20