SMTP is an application-layer protocol. A client that wants to send mail opens a TCP connection to the SMTP server and transfers the message across that connection. The SMTP server is always listening; when it accepts a TCP connection from a client on its port (25), the SMTP process starts the session on that connection, and once the TCP connection is established the client sends the mail immediately.

Because SMTP has only a limited ability to queue messages at the receiving end, it is usually paired with one of two other protocols, POP3 or IMAP, which let the user store messages in a server mailbox and download them from the server periodically.

The SMTP model is of two types: end-to-end and store-and-forward.

The end-to-end model is used to communicate between different organizations, whereas the store-and-forward model is used within an organization. An SMTP client that wants to send mail contacts the destination host's SMTP server directly in order to deliver it. The SMTP server keeps the mail until it has been successfully copied to the receiver's SMTP server.

User Enumeration

The tooling below enumerates OS-level user accounts (classically on Solaris) via SMTP. Enumeration is performed by inspecting the responses to the VRFY, EXPN, and RCPT TO commands.

RCPT TO/EXPN/VRFY:

  1. Identify ourselves using the HELO verb:
     HELO tester.localdomain
  2. Then tell the server who the mail will be from using the MAIL FROM: verb:
     MAIL FROM: tester@tester.localdomain
  3. Sequentially enumerate potential users using RCPT TO:. Valid users return a status code of "250 2.1.5", whilst code "550 5.1.1" or a "user unknown" message denotes a non-existent user.
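The three-step exchange above, played out against a simulated server, as an added example that is not part of the original page or of any tool it names. The in-process `SmtpSim` class stands in for an SMTP server and answers HELO, MAIL FROM, RCPT TO, VRFY and EXPN in two modes: a "verbose" mode with the classic behaviour the text describes, and a "hardened" mode that answers VRFY with the non-committal 252 that RFC 5321 permits, disables EXPN, and closes the session after a small budget of unknown recipients. The `classify` function applies the text's rule (250 2.1.5 means valid, 550 5.1.1 or "user unknown" means invalid). The account names, the `example.test` domain and the `ERROR_LIMIT` value are constructed for the example.

```python
"""Simulated SMTP user-enumeration exchange (example code added to this
page, not a tool or module the page names).  An in-process stand-in for an
SMTP server answers HELO / MAIL FROM / RCPT TO / VRFY / EXPN in two modes:
'verbose' (the classic behaviour the text describes) and 'hardened'
(VRFY answered with 252, EXPN disabled, a per-session unknown-recipient
budget).  The account names and domain below are constructed."""

# Constructed local account data (not from the page).
LOCAL_USERS = {"root", "alice", "postmaster"}
LOCAL_LISTS = {"staff": ["alice@example.test", "root@example.test"]}
ERROR_LIMIT = 3  # hardened mode: unknown recipients tolerated per session


def _local_part(arg):
    """Local part of 'TO:<user@dom>', 'FROM: user@dom' or a bare 'user'."""
    addr = arg.split(":", 1)[1] if ":" in arg else arg
    addr = addr.strip().strip("<>")
    return addr.split("@", 1)[0].lower()


class SmtpSim:
    """Minimal SMTP command handler; handle() returns the server reply text."""

    def __init__(self, hardened=False):
        self.hardened = hardened
        self.helo = None
        self.sender = None
        self.errors = 0
        self.closed = False

    def handle(self, line):
        if self.closed:
            return "421 4.7.0 Too many errors; connection closed"
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.helo = arg.strip()
            return "250 mail.example.test"
        if verb == "MAIL":  # MAIL FROM:<sender>
            self.sender = _local_part(arg)
            return "250 2.1.0 Ok"
        if verb == "RCPT":  # RCPT TO:<recipient>
            if self.sender is None:
                return "503 5.5.1 Error: need MAIL command"
            user = _local_part(arg)
            if user in LOCAL_USERS:
                return "250 2.1.5 Ok"
            # A server must reject unknown recipients here or generate
            # backscatter later, so the hardened mode instead limits how
            # many 'user unknown' answers one session may collect.
            self.errors += 1
            if self.hardened and self.errors >= ERROR_LIMIT:
                self.closed = True
                return "421 4.7.0 Too many errors; connection closed"
            return f"550 5.1.1 <{user}@example.test>: User unknown"
        if verb == "VRFY":
            if self.hardened:  # RFC 5321 permits a non-committal 252 reply
                return "252 2.5.2 Cannot VRFY user, but will accept message"
            user = _local_part(arg)
            if user in LOCAL_USERS:
                return f"250 2.1.5 {user}@example.test"
            return "550 5.1.1 User unknown"
        if verb == "EXPN":
            if self.hardened:
                return "502 5.5.1 Command not implemented"
            members = LOCAL_LISTS.get(_local_part(arg))
            if not members:
                return "550 5.1.1 List unknown"
            lines = [f"250-{m}" for m in members[:-1]] + [f"250 {members[-1]}"]
            return "\n".join(lines)
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"


def classify(reply):
    """The client-side rule from the text: '250 2.1.5' means the account
    exists, '550 5.1.1' or a 'user unknown' message means it does not;
    anything else (252, 421, 502, ...) leaves existence undetermined."""
    first = reply.splitlines()[0]
    if first.startswith("250 2.1.5"):
        return "valid"
    if first.startswith("550 5.1.1") or "user unknown" in first.lower():
        return "invalid"
    return "undetermined"


def rcpt_walk(server, candidates, helo="tester.localdomain",
              sender="tester@tester.localdomain"):
    """Run the three-step sequence from the text against a simulated server
    and record what each RCPT TO reply reveals about the candidate."""
    server.handle(f"HELO {helo}")
    server.handle(f"MAIL FROM:<{sender}>")
    return {u: classify(server.handle(f"RCPT TO:<{u}@example.test>"))
            for u in candidates}


if __name__ == "__main__":
    names = ["root", "admin", "backup", "guest", "alice"]
    print("verbose :", rcpt_walk(SmtpSim(hardened=False), names))
    print("hardened:", rcpt_walk(SmtpSim(hardened=True), names))
    print("VRFY on hardened:", classify(SmtpSim(hardened=True).handle("VRFY root")))
```

Against the verbose server every candidate is resolved; against the hardened one VRFY and EXPN reveal nothing and the RCPT TO walk is cut off after `ERROR_LIMIT` unknown recipients, so later candidates come back "undetermined". RCPT TO cannot be silenced the way VRFY can, because accepting every recipient and bouncing afterwards produces backscatter, which is why production MTAs take the per-session error-budget approach shown here (Postfix's `smtpd_hard_error_limit` is one real instance of that idea).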

Metasploit: auxiliary/scanner/smtp/smtp_enum

auxiliary/scanner/smtp/smtp-enum-vrfy
auxiliary/scanner/smtp/smtp-enum-expn
auxiliary/scanner/smtp/smtp-enum-rcpt
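Whether the walk is done by hand as above or by a scanner module, it leaves the same footprint on the server: one client issuing VRFY or EXPN (which ordinary mail clients and relays do not send) and a burst of RCPT TO commands for distinct recipients, most of them answered "550 5.1.1". The detection logic below, an added example that is not part of the page or of the tools it lists, runs that heuristic over a constructed, one-command-per-line log. The log format, the `LINE` regex, all addresses and IPs, and the `WINDOW`, `MIN_ATTEMPTS` and `MIN_UNKNOWN_RATIO` thresholds are assumptions for the example; a real MTA's log lines need their own regex.

```python
"""Detecting SMTP user-enumeration attempts in mail-server logs.
Example code added to this page; it is not part of any tool named here.
The one-command-per-line log format and every address and IP below are
constructed for the example; adapt LINE to your MTA's real log format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) smtpd client=(?P<ip>\S+) cmd=(?P<cmd>\w+)"
    r"(?: to=<(?P<rcpt>[^>]*)>)? reply=(?P<code>\d{3})(?: (?P<esc>\d\.\d+\.\d+))?"
)

WINDOW = timedelta(seconds=60)  # sliding window per client
MIN_ATTEMPTS = 5                # distinct recipients tried within the window
MIN_UNKNOWN_RATIO = 0.6         # share of them answered '550 5.1.1'

# Constructed sample log: one scanner, one legitimate sender with a typo,
# and one host that only probes EXPN.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z smtpd client=203.0.113.5 cmd=VRFY reply=550 5.1.1
2024-05-01T10:00:01Z smtpd client=203.0.113.5 cmd=RCPT to=<root@example.test> reply=250 2.1.5
2024-05-01T10:00:02Z smtpd client=203.0.113.5 cmd=RCPT to=<admin@example.test> reply=550 5.1.1
2024-05-01T10:00:03Z smtpd client=203.0.113.5 cmd=RCPT to=<backup@example.test> reply=550 5.1.1
2024-05-01T10:00:04Z smtpd client=203.0.113.5 cmd=RCPT to=<guest@example.test> reply=550 5.1.1
2024-05-01T10:00:05Z smtpd client=203.0.113.5 cmd=RCPT to=<oracle@example.test> reply=550 5.1.1
2024-05-01T10:00:06Z smtpd client=203.0.113.5 cmd=RCPT to=<alice@example.test> reply=250 2.1.5
2024-05-01T10:00:07Z smtpd client=203.0.113.5 cmd=RCPT to=<test@example.test> reply=550 5.1.1
2024-05-01T10:05:00Z smtpd client=198.51.100.7 cmd=RCPT to=<alice@example.test> reply=250 2.1.5
2024-05-01T10:05:00Z smtpd client=198.51.100.7 cmd=RCPT to=<root@example.test> reply=250 2.1.5
2024-05-01T10:05:01Z smtpd client=198.51.100.7 cmd=RCPT to=<postmaster@example.test> reply=250 2.1.5
2024-05-01T10:05:01Z smtpd client=198.51.100.7 cmd=RCPT to=<alcie@example.test> reply=550 5.1.1
2024-05-01T10:05:02Z smtpd client=198.51.100.7 cmd=RCPT to=<alice@example.test> reply=250 2.1.5
2024-05-01T10:09:00Z smtpd client=192.0.2.9 cmd=EXPN reply=502 5.5.1
2024-05-01T10:09:01Z smtpd client=192.0.2.9 cmd=RCPT to=<bob@example.test> reply=550 5.1.1
2024-05-01T10:09:02Z smtpd client=192.0.2.9 cmd=RCPT to=<carol@example.test> reply=550 5.1.1
"""


def parse_line(line):
    """Return a dict for a recognised log line, or None."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def _is_unknown(ev):
    # '550 5.1.1' is the 'user unknown' reply from the text; a bare 550
    # without an enhanced status code is treated the same way.
    return ev["code"] == "550" and ev["esc"] in (None, "5.1.1")


def detect(lines):
    """Return one alert per client and kind: 'vrfy_expn_probe' for any
    VRFY/EXPN use, 'rcpt_enumeration' when, inside WINDOW, at least
    MIN_ATTEMPTS distinct recipients were tried and MIN_UNKNOWN_RATIO of
    them were unknown (the widest qualifying window is reported)."""
    rcpts, probes = defaultdict(list), defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["cmd"] in ("VRFY", "EXPN"):
            probes[ev["ip"]] += 1
        elif ev["cmd"] == "RCPT":
            rcpts[ev["ip"]].append(ev)

    alerts = [{"client": ip, "kind": "vrfy_expn_probe", "count": n}
              for ip, n in sorted(probes.items())]
    for ip, evs in sorted(rcpts.items()):
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            tried = {e["rcpt"] for e in window}
            unknown = {e["rcpt"] for e in window if _is_unknown(e)}
            if (len(tried) >= MIN_ATTEMPTS
                    and len(unknown) / len(tried) >= MIN_UNKNOWN_RATIO
                    and (best is None or len(tried) > best["tried"])):
                best = {"client": ip, "kind": "rcpt_enumeration",
                        "tried": len(tried), "unknown": len(unknown)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Counting distinct recipients rather than raw RCPT commands keeps a legitimate sender that retries or mistypes one address (198.51.100.7 in the sample) below the threshold, while the scanner (203.0.113.5) is flagged both for the VRFY probe and for the burst of unknown recipients; the EXPN-only host (192.0.2.9) produces only the probe alert.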