SMTP & Mail Server Enumeration

SMTP and mail server enumeration reveals how an organization handles email communication. Many mail servers expose information about valid users, internal hostnames, software versions, authentication mechanisms, and relay settings. Because email is a core service in most networks, misconfigurations can expose user accounts, enable spoofing, or allow unauthorized message delivery. SMTP enumeration helps pentesters identify weaknesses that can support phishing, brute forcing, or lateral movement.

Understanding SMTP

SMTP listens on three well-known ports, and each plays a different role.
Typical behavior:

  • Port 25: server-to-server transport (MTA to MTA). Usually unauthenticated; it accepts mail for the server's own domains and relays only for trusted networks.

  • Port 465: SMTPS, TLS from the first byte (implicit TLS)

  • Port 587: message submission for mail clients. Plaintext at connect, upgraded with STARTTLS, then authenticated with AUTH.

Each port is configured separately and can behave differently, so enumeration must cover all three.

SMTP commands provide clues about server behavior. Some servers expose user existence, internal paths, or system type through these responses.

Checking SMTP Banner

A simple connection often reveals version and software type.

nc -nv 10.10.10.5 25

Banners may reveal:

  • Mail server name (Postfix, Exim, Sendmail, Exchange)

  • Version number

  • Internal hostname

  • Operating system hints

Matching the software and version against public advisories is the first step toward known vulnerabilities. Banners can be edited or stripped, so treat them as a hint to confirm by behaviour, not as proof.

VRFY, EXPN, and RCPT Enumeration

SMTP includes commands that check user existence.

VRFY (Verify user)

nc -nv 10.10.10.5 25
EHLO test
VRFY admin

Send EHLO first; many servers refuse VRFY and RCPT before a greeting. The reply code is what matters:

  • 250: the mailbox exists (the reply often includes the full address or the alias target)

  • 550: user unknown

  • 252: the server declines to verify but will accept mail, so the result is inconclusive

  • 502: VRFY is disabled, so fall back to EXPN or RCPT TO

EXPN (Expand mailing list)

EXPN staff

Some servers reveal all addresses in a group.

RCPT TO (Mail recipient test)

EHLO test
MAIL FROM:<test@test.com>
RCPT TO:<user@domain.com>

A 250 reply to RCPT TO means the server will accept mail for that address; 550 means it is unknown. Probe a deliberately bogus address first: a catch-all domain, or a server that only rejects unknown recipients after DATA, answers 250 to everything and makes the test meaningless. Never continue to DATA; nothing needs to be sent.

These checks help build username lists for password attacks or domain enumeration.

Enumerating Supported Authentication

Mail submission ports reveal authentication behavior.

Checking STARTTLS and Auth Methods

openssl s_client -connect 10.10.10.5:587 -starttls smtp
EHLO test

s_client performs the STARTTLS handshake; the EHLO typed afterwards lists the AUTH mechanisms, which most servers only advertise inside TLS. Compare it with the EHLO reply from a plain nc session on the same port to see what is offered in the clear. For port 465 drop -starttls smtp, since TLS is implicit there.

This reveals:

  • Authentication mechanisms (PLAIN, LOGIN, CRAM-MD5, NTLM, GSSAPI)

  • Negotiated TLS version

  • Cipher suites

  • Internal hostnames, from the EHLO greeting and the certificate subject

Deprecated TLS versions, weak ciphers, or PLAIN/LOGIN offered before STARTTLS indicate misconfigurations.
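The comparison described above, as an added example that is not part of the original page: parse the EHLO capability list, then judge the authentication posture from what is advertised before and after STARTTLS. The two sample replies, the hostname mail01.corp.example.test and the mechanism lists in them are constructed for this example; probe_submission() runs the same EHLO, STARTTLS, EHLO sequence live with Python's smtplib against a host you are authorised to test.

```python
"""Added example: read EHLO capability lists and judge a submission service's
authentication posture.  Sample replies below are constructed (hostname and
mechanism lists are assumptions); probe_submission() does the live version."""
import smtplib
import ssl

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}              # password crosses the wire base64-encoded only
WEAK_MECHS = {"CRAM-MD5", "DIGEST-MD5", "NTLM"}   # challenge-response; captured exchanges crack offline

# Constructed: what a submission service might answer before STARTTLS ...
SAMPLE_PRE_TLS = (
    "250-mail01.corp.example.test Hello probe.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME"
)
# ... and to the second EHLO inside the TLS session.
SAMPLE_POST_TLS = (
    "250-mail01.corp.example.test Hello probe.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-AUTH PLAIN LOGIN CRAM-MD5\r\n"
    "250 8BITMIME"
)


def parse_ehlo(text):
    """Return (server_name, {EXTENSION: "params"}) from an EHLO reply.  Takes
    raw wire lines ('250-AUTH PLAIN LOGIN') or smtplib's ehlo_resp, which has
    the '250-' prefixes already stripped."""
    bodies = []
    for line in text.replace("\r", "").split("\n"):
        if line[:3] == "250" and line[3:4] in ("-", " ", ""):
            line = line[4:]
        if line.strip():
            bodies.append(line.strip())
    hostname = bodies[0].split()[0]            # first line is the server's own name
    caps = {}
    for body in bodies[1:]:
        name, _, params = body.partition(" ")
        caps[name.upper()] = params.strip()
    return hostname, caps


def assess_auth(pre_tls, post_tls=None):
    """Findings from the capability dicts seen before and (optionally) after
    STARTTLS.  Mechanisms offered only inside TLS are acceptable; offered in
    the clear they hand credentials to anyone on the path."""
    findings = []
    pre_auth = set(pre_tls.get("AUTH", "").upper().split())
    post_auth = set(post_tls.get("AUTH", "").upper().split()) if post_tls else set()
    if "STARTTLS" not in pre_tls:
        findings.append("no STARTTLS offered")
    if pre_auth & CLEARTEXT_MECHS:
        findings.append("cleartext AUTH advertised before TLS: "
                        + ", ".join(sorted(pre_auth & CLEARTEXT_MECHS)))
    if (pre_auth | post_auth) & WEAK_MECHS:
        findings.append("weak AUTH mechanisms: "
                        + ", ".join(sorted((pre_auth | post_auth) & WEAK_MECHS)))
    return findings


def probe_submission(host, port=587, timeout=10):
    """Live check: EHLO, STARTTLS, EHLO again, then compare.  Certificate
    verification is disabled on purpose; we are inspecting, not trusting."""
    with smtplib.SMTP(host, port, local_hostname="probe.test", timeout=timeout) as s:
        s.ehlo()
        hostname, pre = parse_ehlo(s.ehlo_resp.decode(errors="replace"))
        post, tls_version = None, None
        if "STARTTLS" in pre:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            s.starttls(context=ctx)
            s.ehlo()
            _, post = parse_ehlo(s.ehlo_resp.decode(errors="replace"))
            tls_version = s.sock.version()
        return {"hostname": hostname, "tls": tls_version, "findings": assess_auth(pre, post)}
```

Running assess_auth() on the two constructed replies reports PLAIN and LOGIN advertised before TLS and CRAM-MD5 inside it; a server that answers the first EHLO with no AUTH line at all and only advertises mechanisms after STARTTLS produces no cleartext finding. The hostname returned by parse_ehlo() is the same internal name the s_client session shows in the EHLO greeting.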

Enumerating Mail Relay Capabilities

Mail relays accept email and forward it to another server. Misconfigured relays can be abused for spam, spoofing, or bypassing filters.

Testing for Open Relay

nc 10.10.10.5 25
EHLO test
MAIL FROM:<test@outside.com>
RCPT TO:<someone@anotherdomain.com>

Neither address belongs to the target, so a correctly configured server answers RCPT TO with 554 (Relay access denied) or 550. A 250 here means the server will relay. Confirm only by completing a message to an address you control; otherwise send RSET and QUIT so no mail leaves the host.

Open relays are severe vulnerabilities: they are abused for spam and spoofing and quickly land the organization's mail servers on blocklists.
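The VRFY and RCPT TO enumeration from the previous section and the relay test above, as one added example that is not part of the original page. The client functions use only Python's standard-library smtplib; so that the block runs offline, it also carries a constructed mock server whose banner (mail.example.test), domain (example.test) and user list are assumptions. On an engagement the client functions are pointed at the real host and port instead.

```python
"""Added example: SMTP user enumeration (VRFY, RCPT TO) and an open-relay probe.
Runs offline against an in-process mock server.  The mock's banner, domain and
user list are constructed; point the client functions at a real host:port on an
authorised engagement."""
import smtplib
import socketserver
import threading
import uuid

LOCAL_DOMAIN = "example.test"                    # constructed
VALID_USERS = {"admin", "postmaster", "jsmith"}  # constructed
UNKNOWN = "550 5.1.1 <{}>: Recipient address rejected: User unknown"


class MockSMTP(socketserver.StreamRequestHandler):
    """Postfix-flavoured responder with just enough verbs for the probes."""

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        relay = getattr(self.server, "open_relay", False)
        self.reply("220 mail.example.test ESMTP Postfix")   # constructed banner
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250 mail.example.test")
            elif verb == "VRFY":
                user = arg.strip("<> ").split("@")[0]
                self.reply(f"250 2.1.5 <{user}@{LOCAL_DOMAIN}>" if user in VALID_USERS
                           else UNKNOWN.format(user))
            elif verb == "MAIL":
                self.reply("250 2.1.0 Ok")
            elif verb == "RCPT":
                addr = arg.partition(":")[2].strip("<> ")
                user, _, domain = addr.partition("@")
                if domain.lower() != LOCAL_DOMAIN:        # foreign domain: relay decision
                    self.reply("250 2.1.5 Ok" if relay else "554 5.7.1 Relay access denied")
                else:                                     # local domain: mailbox lookup
                    self.reply("250 2.1.5 Ok" if user in VALID_USERS else UNKNOWN.format(addr))
            elif verb == "RSET":
                self.reply("250 2.0.0 Ok")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Error: command not recognized")


def start_mock(open_relay=False):
    """Start the mock on an ephemeral loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), MockSMTP)
    srv.daemon_threads, srv.open_relay = True, open_relay
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def _session(host, port):
    s = smtplib.SMTP(host, port, local_hostname="probe.test", timeout=5)
    s.ehlo()                 # most MTAs reject VRFY / RCPT before a greeting
    return s


def vrfy_users(host, port, users):
    """{user: code}: 250 exists, 550 unknown, 252 'cannot verify' (inconclusive),
    502 VRFY disabled."""
    with _session(host, port) as s:
        return {u: s.verify(u)[0] for u in users}


def rcpt_users(host, port, domain, users):
    """RCPT TO probe.  A random bogus mailbox goes first: if it is accepted the
    domain is catch-all (or rejects only after DATA) and per-user codes are
    meaningless, so None is returned rather than a list of false positives."""
    with _session(host, port) as s:
        s.mail("probe@probe.test")
        if s.rcpt(f"{uuid.uuid4().hex[:12]}@{domain}")[0] == 250:
            return None
        return {u: s.rcpt(f"{u}@{domain}")[0] for u in users}


def is_open_relay(host, port):
    """True if an outside sender to an outside recipient is accepted at RCPT TO.
    RSET follows, never DATA, so no message is injected."""
    with _session(host, port) as s:
        s.mail("probe@outside.test")
        code, _ = s.rcpt("someone@anotherdomain.test")
        s.rset()
        return code == 250
```

Usage: srv, port = start_mock() then vrfy_users("127.0.0.1", port, ["admin", "nobody"]) returns {"admin": 250, "nobody": 550}, rcpt_users("127.0.0.1", port, LOCAL_DOMAIN, [...]) gives the same picture via RCPT TO, and is_open_relay("127.0.0.1", port) is False until the mock is started with open_relay=True. Against the relaying mock, rcpt_users() for a foreign domain returns None, which is the catch-all guard doing its job: every address is accepted, so no conclusion about individual users is possible.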

Using Nmap for SMTP Enumeration

Nmap includes SMTP-specific scripts for deeper analysis.

Basic Service Enumeration

nmap -p25,465,587 -sV 10.10.10.5

Detect SMTP Commands

nmap --script smtp-commands 10.10.10.5

Shows server-supported commands.

User Enumeration

nmap -p25 --script smtp-enum-users --script-args smtp-enum-users.methods={VRFY,EXPN,RCPT},smtp-enum-users.domain=domain.com 10.10.10.5

Tries each method in turn against Nmap's built-in username list; supply your own with userdb=users.txt in the script arguments.

Mail Relay Check

nmap -p25 --script smtp-open-relay 10.10.10.5

TLS Inspection

nmap -p465,587 --script ssl-cert,ssl-enum-ciphers 10.10.10.5

Reveals the certificate subject, alternative names, issuer and validity period, plus the TLS versions and cipher suites the server accepts, with Nmap's strength grade for each.

Fingerprinting Mail Servers

Different mail servers expose different details:

  • Exchange: the banner and EHLO greeting carry the server's internal FQDN, which gives away the Active Directory domain name

  • Postfix: the banner names the MTA and often the Linux distribution it was packaged for

  • Exim: the banner includes the exact version, which maps directly to published vulnerabilities

  • Sendmail: the banner carries version and build information

  • Zimbra: the MTA is one component of a suite that also runs a webmail interface and an LDAP directory, so identifying it points to further services to enumerate

Identifying the mail server type helps locate known attack vectors.

Enumerating Internal Hostnames via SMTP

Mail servers often expose internal DNS names in several places:

  • SMTP banner

  • TLS certificate CN

  • EHLO response

  • Received headers of mail the server has handled, for example a bounce it returns to you

These hostnames help map internal infrastructure.
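The last of those sources, as an added example that is not part of the original page: Received: headers are folded across lines, list hops newest-first, and mix hostnames with IP addresses and version strings, so pulling an internal infrastructure map out of them takes a little parsing. The header block below is constructed for this example; the hostnames and addresses in it (edge01.example.test, EXCH01.corp.example.test, 10.20.30.0/24 and so on) are assumptions and describe no real network.

```python
"""Added example: harvest internal hostnames and RFC 1918 addresses from the
Received: headers of a message that crossed the target's mail path (a bounce
it returns to you works well).  The header block, hostnames and addresses are
constructed for this example and describe no real network."""
import ipaddress
import re

SAMPLE_HEADERS = (  # constructed bounce headers, newest hop first as on the wire
    "Received: from edge01.example.test (edge01.example.test [203.0.113.10])\n"
    "\tby mx.probe.test with ESMTPS id 4Abc123\n"
    "\tfor <probe@probe.test>; Mon, 01 Jan 2024 10:00:00 +0000\n"
    "Received: from EXCH01.corp.example.test (10.20.30.40) by\n"
    "\tedge01.example.test (10.20.30.5) with Microsoft SMTP Server (TLS) id 15.1.2507.27;\n"
    "\tMon, 01 Jan 2024 10:59:58 +0100\n"
    "Received: from WKSTN-042.corp.example.test ([10.20.31.77]) by EXCH01.corp.example.test\n"
    "\twith Microsoft SMTP Server id 15.1.2507.27; Mon, 01 Jan 2024 10:59:57 +0100\n"
    "From: someone@example.test\n"
)

# Dotted names whose last label starts with a letter, so a version string such
# as 15.1.2507.27 is never mistaken for a host.
HOST_RE = re.compile(r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z][A-Za-z0-9-]*\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _ip(text):
    """Parse a dotted quad, or return None if it is not a valid address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def unfold(headers):
    """RFC 5322 unfolding: a line that starts with whitespace continues the previous header."""
    out = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.rstrip())
    return out


def received_hops(headers):
    """One dict per Received: header, reordered so the hop nearest the sender comes first."""
    hops = []
    for line in unfold(headers):
        if not line.lower().startswith("received:"):
            continue
        line = re.sub(r"\bfor\s*<[^>]*>", "", line)   # drop our own recipient address
        ips = [ip for ip in IPV4_RE.findall(line) if _ip(ip)]
        hops.append({
            "hosts": list(dict.fromkeys(HOST_RE.findall(line))),   # ordered, de-duplicated
            "ips": ips,
            "rfc1918": [ip for ip in ips if any(_ip(ip) in n for n in RFC1918)],
        })
    return hops[::-1]


def internal_assets(headers):
    """Hostnames and private addresses seen on hops inside the target network:
    the internal-infrastructure map the section above describes."""
    hosts, ips = set(), set()
    for hop in received_hops(headers):
        if hop["rfc1918"]:
            hosts.update(hop["hosts"])
            ips.update(hop["rfc1918"])
    return sorted(hosts), sorted(ips)
```

On the constructed headers, internal_assets() returns the workstation, the Exchange server and the edge relay together with three 10.20.x.x addresses; the only hop without a private address is the final delivery to the tester's own MX, so nothing from it is reported. The same functions work on the Received: block of any message the target's MTA touched, including auto-replies and non-delivery reports.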

Identifying Misconfigurations

Pentesters look for:

  • VRFY or EXPN enabled

  • Open relay

  • Weak authentication (PLAIN/LOGIN without TLS)

  • Lack of STARTTLS

  • Outdated or vulnerable mail servers

  • Certificate mismatches

  • Exposed internal hostnames

  • SMTP without rate limiting

Misconfigured mail servers are often used for password attacks and internal information gathering.

Why SMTP Enumeration Matters

SMTP enumeration reveals user accounts, authentication methods, server versions, and relay behavior. These details support email-based attacks, assist credential harvesting, and expose weaknesses in internal infrastructures. Mail servers often become entry points for phishing and lateral movement, making enumeration essential.

Intel Dump

  • SMTP runs on 25, 465, and 587

  • VRFY, EXPN, and RCPT reveal users

  • TLS and authentication enumeration expose weak security

  • Open relay checks detect severe misconfigurations

  • Nmap SMTP scripts automate command and user enumeration

  • Mail servers often leak internal hostnames and versions
