SMTP
aka smtpd, mail
Mail transfer on 25 (and 465/587). The protocol itself leaks valid usernames via VRFY/EXPN/RCPT, open relays let you spoof mail, and the banner maps to MTA-specific CVEs.
Ports
| Port | Proto | Notes |
|---|---|---|
| 25 | tcp | SMTP (server-to-server transfer, usually unauthenticated) |
| 465 | tcp | SMTPS (implicit TLS) |
| 587 | tcp | Submission (STARTTLS + AUTH for mail clients) |
Fingerprint
- 220 banner names the MTA and often its version: Exim and Sendmail show it by default, Postfix only if smtpd_banner was changed to include $mail_version
- EHLO reply lists the extensions on offer (AUTH, STARTTLS, VRFY, SIZE), which tells you which enumeration verbs to try
- nmap's smtp-commands script lists the verbs the server accepts; add -sV to match the banner version
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2019-10149 | Exim 4.87 to 4.91 'Return of the WIZard': RCE via expansion of a crafted recipient local part, trivially exploitable by local users and remotely in some configurations |
| CVE-2020-28007 to CVE-2020-28026 | Exim '21Nails' (before 4.94.2): 21 bugs, several unauthenticated remote RCEs and local root escalations |
Exploitation primitives
- Username enumeration with VRFY / EXPN / RCPT TO (build a spray list)
- Open-relay test — spoof internal/phishing mail
- MTA version → CVE (Exim RCEs are devastating)
Overview
SMTP on 25 moves mail. Even unauthenticated, it often confirms valid usernames (great for spraying) and may relay mail; the banner version frequently maps to a serious MTA CVE.
Enumeration
Banner, version and supported commands (smtp-open-relay also runs a basic relay test):
nmap -sV -p25 --script smtp-commands,smtp-open-relay <TARGET>
Manual user check (VRFY; 250/251 = user exists, 550 = unknown, 252 = server refuses to confirm, 502 = command disabled):
nc -nv <TARGET> 25
EHLO probe
VRFY root
Automated username enumeration (RCPT mode keeps working when VRFY/EXPN are disabled; -D sets the domain appended to each name; a catch-all domain answers 250 to every RCPT TO, so check a random name first or the whole wordlist comes back "valid"):
smtp-user-enum -M RCPT -D <DOMAIN> -U /usr/share/seclists/Usernames/names.txt -t <TARGET>
Send / spoof mail (open relay or auth)
Unauthenticated, the server either accepts the foreign recipient (open relay) or rejects RCPT TO with a relay-denied error; for the authenticated case add --port 587 --tls --auth LOGIN --auth-user/--auth-password:
swaks --to victim@target --from admin@target --server <TARGET> --body "test"
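The enumeration and relay checks above as one runnable exchange. This is an added example, not tooling from the page and not smtp-user-enum or swaks: a small client reads the 220 banner, sends EHLO, classifies VRFY/EXPN/RCPT TO replies (250 known, 550 unknown, 252 refused), aborts RCPT mode when a random canary address is accepted (catch-all domain), and tests for open relay with a foreign sender and recipient. The target is a constructed in-process fake MTA (fake_mta, with made-up domain, users, banner and addresses) so the block runs offline; SmtpProbe itself does the same checks against a real host.

```python
import socket
import threading
import uuid

class SmtpProbe:
    def __init__(self, host, port, helo="probe.example"):    # helo name: assumed value
        self.sock = socket.create_connection((host, port), timeout=5)
        self.rd = self.sock.makefile("rb")
        self.banner = self.reply()              # 220 greeting: names the MTA, often the version
        self.ehlo = self.cmd(f"EHLO {helo}")    # 250- lines advertise VRFY, AUTH, STARTTLS ...

    def reply(self):
        # One complete reply: "250-" lines continue, "250 " (space) is the last line.
        lines = []
        while True:
            raw = self.rd.readline()
            if not raw:
                raise ConnectionError("server closed connection")
            line = raw.decode(errors="replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                return "\n".join(lines)

    def cmd(self, line):
        self.sock.sendall(line.encode() + b"\r\n")
        return self.reply()

    def status(self, line):
        return int(self.cmd(line)[:3])

def enumerate_users(host, port, users, domain, mode="RCPT"):
    """Return (valid_users, note): 250 = known, 550 = unknown, 252 = MTA refuses to confirm."""
    p = SmtpProbe(host, port)
    try:
        if mode == "RCPT":
            # Canary first: a catch-all domain accepts any name, so RCPT would "confirm" everything.
            p.cmd("MAIL FROM:<probe@probe.example>")          # assumed sender
            if p.status(f"RCPT TO:<{uuid.uuid4().hex}@{domain}>") == 250:
                return [], "catch-all domain: RCPT enumeration is unreliable"
        valid = []
        for u in users:
            if mode == "RCPT":
                p.cmd("RSET")
                p.cmd("MAIL FROM:<probe@probe.example>")
                c = p.status(f"RCPT TO:<{u}@{domain}>")
            else:                                             # VRFY or EXPN
                c = p.status(f"{mode} {u}")
            if c == 252:
                return [], f"{mode} answers 252 (disabled): fall back to RCPT"
            if c == 250:
                valid.append(u)
        return valid, "ok"
    finally:
        p.sock.close()

def is_open_relay(host, port):
    """True if a foreign recipient from a foreign sender is accepted without AUTH (made-up addresses)."""
    p = SmtpProbe(host, port)
    try:
        p.cmd("MAIL FROM:<attacker@outside.example>")
        return p.status("RCPT TO:<victim@elsewhere.example>") == 250
    finally:
        p.sock.close()

def fake_mta(local_domain, users, vrfy_enabled=True, open_relay=False, catch_all=False):
    """Constructed stand-in for a real MTA so the probes run offline; returns (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def handle(conn):
        conn.sendall(b"220 mail.example ESMTP (constructed banner)\r\n")
        for raw in conn.makefile("rb"):
            verb, _, arg = raw.decode(errors="replace").rstrip("\r\n").partition(" ")
            if verb == "EHLO":
                reply = "250-mail.example\r\n250 VRFY" if vrfy_enabled else "250 mail.example"
            elif verb in ("VRFY", "EXPN"):
                reply = ("252 2.5.2 Cannot VRFY user" if not vrfy_enabled
                         else f"250 <{arg}@{local_domain}>" if arg in users
                         else "550 5.1.1 User unknown")
            elif verb == "RCPT":
                user, _, dom = arg.partition(":")[2].strip("<>").partition("@")
                if dom == local_domain:
                    reply = "250 2.1.5 OK" if catch_all or user in users else "550 5.1.1 User unknown"
                else:
                    reply = "250 2.1.5 OK" if open_relay else "554 5.7.1 Relay access denied"
            else:
                reply = "250 2.0.0 OK"                        # MAIL FROM, RSET, NOOP, ...
            conn.sendall(reply.encode() + b"\r\n")
        conn.close()
    def serve():
        while True:
            threading.Thread(target=handle, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()
    return "127.0.0.1", srv.getsockname()[1]

if __name__ == "__main__":                                    # demo against the constructed MTA
    h, p = fake_mta("target.example", {"root", "alice"})
    print(enumerate_users(h, p, ["root", "alice", "bob"], "target.example", "VRFY"), is_open_relay(h, p))
```

The canary check is the part smtp-user-enum does not do for you: on a catch-all domain every RCPT TO succeeds and the output is the wordlist, not a user list. Real MTAs also rate-limit or tarpit after a burst of 550s, so keep the wordlist short and the connection open (RSET between probes, as above) rather than reconnecting per name.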
Hardening
Disable VRFY/EXPN (or restrict them to trusted networks), restrict relaying to local networks plus authenticated clients, require AUTH over TLS on 587 and never on 25, strip the version from the 220 banner, and patch the MTA promptly (Exim especially, given the history above).
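What those settings look like for Postfix, as an added example rather than configuration from the page: each weak value is followed by the hardened one. Postfix does not implement EXPN at all, so only VRFY needs disabling; the internal network ranges are assumed. Postfix main.cf treats a mid-line # as part of the value, so the comments sit on their own lines.

```ini
# main.cf
# weak: version in the 220 banner (maps straight to the CVE table)
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
# hardened
smtpd_banner = $myhostname ESMTP

# weak (the Postfix default): VRFY confirms valid users
disable_vrfy_command = no
# hardened
disable_vrfy_command = yes

# weak: everyone is "local", i.e. an open relay
mynetworks = 0.0.0.0/0
# hardened: loopback plus assumed internal range; relay only for those and for AUTH
mynetworks = 127.0.0.0/8 [::1]/128 10.0.0.0/8
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

# master.cf: submission (587) only over TLS and only for authenticated clients
submission inet n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

Check the live values with postconf -n (main.cf) and postconf -M (master.cf) after reloading, then re-run the VRFY and swaks relay checks from the enumeration section against the host: they should return 252 and a relay-denied error respectively.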