Comprehensive SMTP & Postfix Pentesting Guide

This guide outlines steps to assess the security of an SMTP server, with a particular focus on Postfix, covering initial connection, capability discovery, encryption, authentication, and relay testing.

Target Example: <target_domain> (e.g., mail.example.com) or <target_ip>


Phase 1: Initial Discovery & Banner Grabbing

Objective: Identify if the port is open, what service is running, and gather initial banners.

  1. Basic Port Scan (Nmap):

  2. Telnet Connection (Manual Interaction):


Phase 2: Capability Enumeration (EHLO/HELO)

Objective: Discover supported SMTP commands and extensions.

  1. Send EHLO (Extended Hello):

Phase 3: Testing TLS/SSL Encryption (STARTTLS & SMTPS)

Objective: Verify if secure communication is supported and properly configured.

  1. Attempt STARTTLS (if advertised or suspected on Port 587/25):

  2. Direct TLS/SSL Connection Test (openssl s_client):

  3. Nmap SSL/TLS Scripting:


Phase 4: Authentication Testing

Objective: Determine if authentication is required and if it's handled securely.

  1. Check for AUTH in EHLO Response:

  2. Attempt AUTH Commands (Telnet / openssl s_client):


Phase 5: Relay Testing

Objective: Determine if the server allows relaying mail to external domains, especially without authentication (Open Relay).

  1. Sequence of Commands (Telnet / openssl s_client):

  2. Session Reset (RSET):


Phase 6: Comprehensive Nmap Scan (Example for a specific port)

Objective: Combine various Nmap scripts for a fuller picture if initial probes are inconclusive.

  1. Example Nmap Command (Port 587): bash nmap -p 587 --script 'banner,smtp-commands,smtp-enum-users,smtp-ntlm-info,smtp-vuln*,ssl-cert,ssl-enum-ciphers,tls-nextprotoneg' -sV -T4 -Pn <target_ip_or_domain>

Key Takeaways & Reporting Examples:


This guide should provide a solid foundation for SMTP and Postfix pentesting. Remember to adapt commands and interpretations based on the server's specific responses and behavior. Always test responsibly and with proper authorization.