This guide outlines steps to assess the security of an SMTP server, with a particular focus on Postfix, covering initial connection, capability discovery, encryption, authentication, and relay testing.
Target Example: <target_domain> (e.g., mail.example.com) or <target_ip>
Objective: Identify if the port is open, what service is running, and gather initial banners.
Basic Port Scan (Nmap):
nmap -p 25,587,465 -sV <target_ip_or_domain>-sV attempts version detection.PORT 587/tcp open smtp Postfix smtpd (or other server software like Exim, Microsoft ESMTP Server, etc.)Telnet Connection (Manual Interaction):
telnet <target_ip_or_domain> <port> (e.g., telnet mail.example.com 587)220 mail.example.com ESMTP Postfix (or similar, indicating service readiness and server name/software).Objective: Discover supported SMTP commands and extensions.
EHLO (Extended Hello):EHLO client.example.com (use a descriptive name for your testing client)STARTTLS: Indicates support for opportunistic TLS encryption.AUTH <mechanisms>: Lists supported authentication types (e.g., LOGIN, PLAIN, CRAM-MD5).SIZE: Maximum message size.PIPELINING, 8BITMIME, ENHANCEDSTATUSCODES, etc.250-mail.example.com
250-PIPELINING
250-SIZE 50000000
250-STARTTLS
250-AUTH LOGIN PLAIN XOAUTH2
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 CHUNKINGSTARTTLS and AUTH are critical for secure operation on port 587.STARTTLS & SMTPS)Objective: Verify if secure communication is supported and properly configured.
Attempt STARTTLS (if advertised or suspected on Port 587/25):
EHLO): STARTTLS220 Ready to start TLS (or similar).STARTTLS is not advertised: Attempting it might result in an error like 500 Command not recognized.
Direct TLS/SSL Connection Test (openssl s_client):
STARTTLS (Ports 25, 587):
openssl s_client -connect <target_ip_or_domain>:<port> -starttls smtpopenssl s_client -connect <target_ip_or_domain>:465STARTTLS fails or is not supported on port 587:
Didn't find STARTTLS in server response, trying anyway...
...error: [specific SSL/TLS error, e.g., wrong version number]...
no peer certificate availableSTARTTLS negotiation.Nmap SSL/TLS Scripting:
nmap -p <port> --script="ssl-cert,ssl-enum-ciphers" <target_ip_or_domain>STARTTLS is not offered or not working on a port, these scripts might not return SSL-specific information for that port. If port 465 (SMTPS) is scanned, it should directly return SSL info if open.Objective: Determine if authentication is required and if it's handled securely.
Check for AUTH in EHLO Response:
AUTH mechanisms are listed before STARTTLS, it's a potential cleartext auth vulnerability. AUTH should ideally only be advertised after STARTTLS is successfully negotiated.
Attempt AUTH Commands (Telnet / openssl s_client):
STARTTLS is working: Perform these after STARTTLS using openssl s_client (and a new EHLO within the TLS session).STARTTLS is NOT working/advertised: Test cautiously in telnet to see if cleartext auth is offered.AUTH LOGIN334 VXNlcm5hbWU6 (Base64 for "Username:")AUTH PLAIN334 (empty, awaiting Base64 \0user\0pass)AUTH is disabled (good) or if AUTH is not supported before STARTTLS (also good if STARTTLS works):AUTH LOGIN -> 503 5.5.1 Error: authentication not enabled or 504 Unrecognized authentication type or 530 5.7.0 Authentication required (if STARTTLS was expected first).STARTTLS, it's a vulnerability.Objective: Determine if the server allows relaying mail to external domains, especially without authentication (Open Relay).
Sequence of Commands (Telnet / openssl s_client):
EHLO client.example.com (Wait for 250 Ok)MAIL FROM:<test@yourlocaldomain.com> (Use a test address)250 2.1.0 Ok (Sender accepted)RCPT TO:<user@externaldomain.com> (Use an external recipient)550 5.7.1 <user@externaldomain.com>: Relay access denied or 554 5.7.1 ... Recipient address rejected: Access denied250 Ok for an external recipient without authentication, it's an open relay.
Session Reset (RSET):
RSET250 OkObjective: Combine various Nmap scripts for a fuller picture if initial probes are inconclusive.
bash
nmap -p 587 --script 'banner,smtp-commands,smtp-enum-users,smtp-ntlm-info,smtp-vuln*,ssl-cert,ssl-enum-ciphers,tls-nextprotoneg' -sV -T4 -Pn <target_ip_or_domain>* are quoted in shells like zsh to prevent globbing.-T4 for faster execution, -Pn to skip host discovery if the host is known to be up but might block pings.EHLO capabilities. STARTTLS or AUTH might be detected here by Nmap even if missed in manual EHLO.smtp-enum-users (often inconclusive on hardened servers).STARTTLS is detected and working.STARTTLS. If it also accepts AUTH in cleartext, this is critical. If it disables AUTH without STARTTLS but also denies relay, it may be misconfigured or unusable for standard clients.AUTH LOGIN or AUTH PLAIN before STARTTLS negotiation on any port, exposing credentials.RCPT TO: for external domains without prior authentication.STARTTLS before AUTH on port 587, and port 465 (SMTPS) is available as an alternative.This guide should provide a solid foundation for SMTP and Postfix pentesting. Remember to adapt commands and interpretations based on the server's specific responses and behavior. Always test responsibly and with proper authorization.