Simple Mail Transfer Protocol (SMTP) is a protocol for transporting mail over TCP/IP networks. Initially specified in RFC 821, published by Jonathan Postel in 1982, SMTP rapidly evolved into the robust protocol it is today, supporting Multipurpose Internet Mail Extensions (MIME), Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC).
By default, the SMTP service runs on unsecured TCP port 25 or on secured TCP ports 465, 587 and 2525, though port 465 has been deprecated and port 2525 is not an official Internet Engineering Task Force (IETF)/Internet Assigned Numbers Authority (IANA) port. SMTP works in tandem with POP/IMAP for end-to-end mail creation and delivery. Four agents, components of the SMTP and/or POP/IMAP applications, work together to send and receive mail. Typically the user creates a mail using a Mail User Agent (MUA) and hands it off to a Mail Submission Agent (MSA). The MSA coordinates with a Mail Transfer Agent (MTA), which relays the message through intermediate servers to the recipient's destination. A Mail Delivery Agent (MDA) then picks up the mail and drops it into the user's mailbox, from which the user retrieves it with an MUA.
- Mail User Agent (MUA): the client component of SMTP/POP/IMAP that interacts directly with the user to create and retrieve mail.
- Mail Submission Agent (MSA): a server component of SMTP that receives mail from the MUA and coordinates with a Mail Transfer Agent (MTA) to relay it to the recipient's server.
- Mail Transfer Agent (MTA): a server component of SMTP that routes and transfers mail between mail servers towards the recipient's server.
- Mail Delivery Agent (MDA): a server component of POP/IMAP that receives mail from the MTA and delivers it to the appropriate mailbox.
Now let's observe the SMTP mail transport communication traffic flow (diagram not reproduced here).
Common Server Applications
- Unix systems
  - Dovecot
  - Postfix
  - Exim
  - Sendmail
- Windows systems
  - MailEnable
  - ArGoSoft Mail Server
  - Microsoft Exchange Server
  - SmarterMail
Common Commands
| COMMAND | USAGE | DESCRIPTION |
|---|---|---|
| AUTH | AUTH LOGIN $USERNAME $PASSWORD | client authenticates itself to the server |
| DATA | DATA | start the message body; write the message and end it with a line containing only `.` |
| EHLO/HELO | EHLO/HELO $DOMAIN | initiate the conversation using the ESMTP/SMTP greeting |
| EXPN | EXPN $MAILING_LIST | verify mailing list validity and expand its members |
| HELP | HELP $COMMAND | show supported commands or details of one command |
| MAIL FROM | MAIL FROM:<$SENDER_ADDRESS> | specifies the mail sender |
| NOOP | NOOP | ping the mail server |
| RCPT TO | RCPT TO:<$RECIPIENT_ADDRESS> | specifies a mail recipient |
| RSET | RSET | aborts the current mail transaction |
| SIZE | SIZE $NUMBER | define the message size in kilobytes |
| STARTTLS | STARTTLS | upgrade the connection to TLS |
| VRFY | VRFY $RECIPIENT_ADDRESS | verify username/mailbox validity |
| QUIT | QUIT | terminate the SMTP conversation |
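The agent flow described above and the command table become clearer when both sides of a session are visible. The following is an added example, not code from the page or from any of the listed mail servers: a tiny server-side SMTP state machine that never opens a socket. You feed it client lines one at a time and get back the reply a server would send, so the EHLO, MAIL FROM, RCPT TO, DATA, RSET, NOOP, VRFY and QUIT sequence can be studied offline. The hostname, the advertised SIZE limit and the client transcript are constructed; answering VRFY/EXPN with a 252 is an assumed hardening choice (it keeps the service from confirming which mailboxes exist).

```python
"""Offline SMTP server-side state machine (added example, constructed data)."""
import re

# Reverse/forward path: <> (null sender, used for bounces) or <local@domain>.
PATH_RE = re.compile(r"^<([^<>\s]+@[^<>\s]+)?>$")


class SmtpSession:
    def __init__(self, hostname="mail.example.test"):  # constructed hostname
        self.hostname = hostname
        self.greeted = False
        self.in_data = False
        self.delivered = []  # (sender, recipients, body) of accepted messages
        self._reset_transaction()

    def _reset_transaction(self):
        self.sender, self.recipients, self.body = None, [], []

    def greeting(self):
        return f"220 {self.hostname} ESMTP ready"

    def feed(self, line):
        """Process one client line (no CRLF) and return the server reply."""
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("EHLO", "HELO"):
            if not arg:
                return "501 Syntax: EHLO hostname"
            self.greeted = True
            self._reset_transaction()
            if verb == "HELO":
                return f"250 {self.hostname}"
            # EHLO answers with the extension list (SIZE value is constructed)
            return f"250-{self.hostname}\r\n250-SIZE 10240000\r\n250 STARTTLS"
        if not self.greeted:
            return "503 Send EHLO/HELO first"
        if verb == "MAIL":
            return self._mail(arg)
        if verb == "RCPT":
            return self._rcpt(arg)
        if verb == "DATA":
            if not self.recipients:
                return "503 Need RCPT TO first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb in ("RSET", "NOOP"):
            if verb == "RSET":
                self._reset_transaction()
            return "250 OK"
        if verb in ("VRFY", "EXPN"):
            # Hardened default: neither confirm nor deny that a mailbox exists.
            return "252 Cannot VRFY user, but will accept message and attempt delivery"
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        return "500 Command not recognised"

    def _mail(self, arg):
        if self.sender is not None:
            return "503 Sender already specified"
        if not arg.upper().startswith("FROM:"):
            return "501 Syntax: MAIL FROM:<address>"
        path = arg[5:].strip().split(" ", 1)[0]  # drop ESMTP params (SIZE=...)
        m = PATH_RE.match(path)
        if not m:
            return "501 Syntax: MAIL FROM:<address>"
        self.sender = m.group(1) or ""  # "" records the null reverse-path <>
        return "250 OK"

    def _rcpt(self, arg):
        if self.sender is None:
            return "503 Need MAIL FROM first"
        m = PATH_RE.match(arg[3:].strip()) if arg.upper().startswith("TO:") else None
        if not m or not m.group(1):
            return "501 Syntax: RCPT TO:<address>"
        self.recipients.append(m.group(1))
        return "250 OK"

    def _data_line(self, line):
        if line == ".":  # end of body
            self.in_data = False
            self.delivered.append((self.sender, list(self.recipients), "\n".join(self.body)))
            self._reset_transaction()
            return "250 OK: queued"
        # Dot transparency: the client doubles a leading '.', the server removes one.
        self.body.append(line[1:] if line.startswith("..") else line)
        return ""  # no reply while the body is being received


def run_transcript(client_lines, hostname="mail.example.test"):
    """Drive one session with a list of client lines; return (replies, session)."""
    session = SmtpSession(hostname)
    replies = [session.greeting()]
    for line in client_lines:
        reply = session.feed(line)
        if reply:
            replies.append(reply)
    return replies, session


# Constructed client transcript: one delivery plus two things a server must refuse.
SAMPLE_CLIENT = [
    "EHLO client.example.test",
    "RCPT TO:<bob@example.test>",      # 503: no MAIL FROM yet
    "VRFY bob",                        # 252: existence not disclosed
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "DATA",
    "Subject: hello",
    "",
    "..leading dot preserved",         # dot-stuffed body line
    ".",
    "QUIT",
]

if __name__ == "__main__":
    replies, session = run_transcript(SAMPLE_CLIENT)
    print("\n".join(replies))
    print(session.delivered)
```

Reading the replies next to `SAMPLE_CLIENT` shows why the order in the table matters: a 503 for any command issued out of sequence, a 354 only once a recipient is known, and a single 250 after the terminating `.` line.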
Common Vulnerability
Security Best Practices
- Deploy SMTP over TLS for encrypted communication.
- Implement DMARC to protect participating mail domains from abuse.
- Implement SPF to authorize the servers that may send mail on behalf of your domain.
- Apply DKIM to digitally sign mail for integrity and authenticity.
- Enforce strong password policies and two-factor authentication for user accounts.
- Suppress the application version banner to hinder fingerprinting.
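SPF and DMARC are only as strong as the records published in DNS, and a record that merely exists can still leave the domain spoofable. The following is an added example, not code from the page: it parses an SPF record and a DMARC record (constructed strings here; in practice the TXT records your resolver returns for the domain and for `_dmarc.<domain>`) and flags the settings that give receivers nothing to enforce, such as `+all`, `?all`, `p=none` or more than ten DNS-lookup terms. The limit of ten lookups and the qualifier meanings follow RFC 7208; the severity wording is the example's own.

```python
"""Flag weak SPF and DMARC records (added example, constructed sample records)."""

SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 -> permerror


def _spf_term_name(term):
    """'include:_spf.x' -> 'include', '~all' -> 'all', 'a/24' -> 'a', 'ip4:...' -> 'ip4'."""
    body = term.lstrip("+-~?")
    for sep in (":", "=", "/"):
        body = body.split(sep, 1)[0]
    return body.lower()


def assess_spf(record):
    """Return the qualifier of the final 'all' term, the DNS-lookup count and findings."""
    terms = record.split()
    result = {"valid": False, "all_qualifier": None, "lookups": 0, "findings": []}
    if not terms or terms[0].lower() != "v=spf1":
        result["findings"].append("not an SPF record (must start with v=spf1)")
        return result
    result["valid"] = True
    names = []
    for term in terms[1:]:
        name = _spf_term_name(term)
        names.append(name)
        if name in SPF_LOOKUP_TERMS:
            result["lookups"] += 1
        if name == "all":  # an unqualified mechanism means '+'
            result["all_qualifier"] = term[0] if term[0] in "+-~?" else "+"
    q = result["all_qualifier"]
    if q is None:
        result["findings"].append("no 'all' mechanism: unlisted senders get a neutral result")
    elif q == "+":
        result["findings"].append("'+all' authorises any host to send as this domain")
    elif q == "?":
        result["findings"].append("'?all' is neutral and gives receivers nothing to enforce")
    elif q == "~":
        result["findings"].append("'~all' is softfail only; rely on DMARC to quarantine/reject")
    if result["lookups"] > SPF_LOOKUP_LIMIT:
        result["findings"].append(
            f"{result['lookups']} DNS-lookup terms exceed the limit of {SPF_LOOKUP_LIMIT} (permerror)")
    if "ptr" in names:
        result["findings"].append("'ptr' mechanism is deprecated and slow to evaluate")
    return result


def assess_dmarc(record):
    """Parse a DMARC record into tags and flag settings that give no protection."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    result = {"valid": False, "policy": None, "findings": []}
    if tags.get("v", "").upper() != "DMARC1":
        result["findings"].append("not a DMARC record (must start with v=DMARC1)")
        return result
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        result["findings"].append("missing or invalid 'p' tag: receivers ignore the record")
        return result
    result["valid"], result["policy"] = True, policy
    if policy == "none":
        result["findings"].append("p=none only monitors; spoofed mail is still delivered")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy != "none" and pct < 100:
        result["findings"].append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        result["findings"].append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        result["findings"].append("no rua= address: aggregate reports will not be received")
    return result


# Constructed records: a weak pair beside a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.example.test ptr +all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.test -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.test"

if __name__ == "__main__":
    for label, rec in (("SPF", WEAK_SPF), ("SPF", STRONG_SPF),
                       ("DMARC", WEAK_DMARC), ("DMARC", STRONG_DMARC)):
        res = assess_spf(rec) if label == "SPF" else assess_dmarc(rec)
        print(label, rec, "->", res["findings"] or "no findings")
```

The point the two pairs make is that "SPF deployed" and "DMARC deployed" are not end states: the weak records are syntactically valid and will be served by DNS, yet they authorise every host on the Internet (`+all`) or instruct receivers to deliver spoofed mail anyway (`p=none`).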
Exploitation
Encountering an SMTP service immediately brings phishing to an attacker's mind. Typical questions are:
- whether they can lure a user or bot into clicking a malicious link or downloading an attachment;
- whether they can trick the user into sharing sensitive information.