SMTP (Simple Mail Transfer Protocol) Service Enumeration

SMTP (Simple Mail Transfer Protocol)

At a Glance

Default Ports

  • SMTP Relay (server-server communication): 25
  • SMTP Message Submission (client-server communication): 587
  • SMTPS (Deprecated): 465

SMTP is a communication protocol for email transmission. It is commonly used to relay and submit messages to other email servers.

SMTP is a delivery protocol only, meaning mail is “pushed” to a destination mail server, or next-hop server, as it arrives. Mail is routed based on the destination server, not the individual users to which it is addressed. Other protocols, such as the Post Office Protocol (POP) and the Internet Message Access Protocol (IMAP), are specifically designed for use by individual users retrieving messages and managing mailboxes. 1

Communication between sender and receiver is made by issuing command strings. See SMTP commands reference.



telnet <target> 25


nc -n <target-ip> 25


openssl 2

openssl s_client -starttls smtp -crlf -connect <target>:<port>
  • s_client: SSL/TLS client program.
  • -starttls <protocol>: send the protocol-specific message(s) to switch to TLS for communication.
  • -crlf: translate a line feed from the terminal into CR+LF.


smtp-commands NSE Script

nmap -p 25,465,587 --script smtp-commands <target>

smtp-enum-users NSE Script

nmap -p 25,465,587 --script smtp-enum-users <target>

NTLM Information Disclosure

On Windows, with NTLM authentication enabled, sending an SMTP NTLM authentication request with null credentials causes the remote service to respond with an NTLMSSP message that discloses information including the NetBIOS and DNS names and the OS build version. 3 4


telnet <target> 587
250 Hello [x.x.x.x]
NTLM supported

smtp-ntlm-info NSE Script

nmap -p 587 --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=<domain> <target>
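
To audit exactly what a mail server discloses this way, the NTLMSSP challenge it returns can be decoded field by field. The following Python is an added example, not code from the original page or from the Nmap script; it follows the CHALLENGE_MESSAGE layout in Microsoft's MS-NLMP specification, and the build_sample helper and the host MAIL01 / corp.example are constructed for illustration.

```python
import base64
import struct

# AV_PAIR ids from the TargetInfo block that carry host and domain names
AV_NAMES = {1: "netbios_computer", 2: "netbios_domain",
            3: "dns_computer", 4: "dns_domain", 5: "dns_tree"}
NEGOTIATE_VERSION = 0x02000000  # flag: the 8-byte Version field is populated

def parse_challenge(b64: str) -> dict:
    """Decode the base64 text of a '334' AUTH NTLM reply; return disclosed fields."""
    msg = base64.b64decode(b64)
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00" or msg[8:12] != b"\x02\x00\x00\x00":
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 20)[0]
    info_len, _, info_off = struct.unpack_from("<HHI", msg, 40)
    out = {}
    if flags & NEGOTIATE_VERSION and len(msg) >= 56:
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        out["os_version"] = f"{major}.{minor}.{build}"
    pos, end = info_off, min(info_off + info_len, len(msg))
    while pos + 4 <= end:  # walk AV_PAIRs: id (2 bytes), length (2 bytes), value
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0 or pos + av_len > end:  # MsvAvEOL or truncated pair
            break
        if av_id in AV_NAMES:
            out[AV_NAMES[av_id]] = msg[pos:pos + av_len].decode("utf-16-le", "replace")
        pos += av_len
    return out

def build_sample() -> str:
    """Constructed challenge for a made-up host MAIL01 in corp.example."""
    pairs = [(2, "CORP"), (1, "MAIL01"), (4, "corp.example"), (3, "MAIL01.corp.example")]
    info = b"".join(struct.pack("<HH", i, 2 * len(v)) + v.encode("utf-16-le")
                    for i, v in pairs) + struct.pack("<HH", 0, 0)
    target = "CORP".encode("utf-16-le")
    header = struct.pack("<8sIHHII8s8xHHI", b"NTLMSSP\x00", 2, len(target), len(target),
                         56, 0x02800001, bytes(8), len(info), len(info), 56 + len(target))
    version = struct.pack("<BBH3xB", 10, 0, 17763, 15)  # major, minor, build, revision
    return base64.b64encode(header + version + target + info).decode()

if __name__ == "__main__":
    for field, value in parse_challenge(build_sample()).items():
        print(f"{field}: {value}")
```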


HELO        Identify to the SMTP server.
EHLO        Alternative HELO for Extended SMTP protocol.
MAIL FROM:  Sender's email address.
RCPT TO:    Recipient's email address.
DATA        Initiate message content transfer. Message data is terminated by a line containing only a period (.).
RSET        Reset the session. Connection will not be closed.
VRFY        Verify username or mailbox.
NOOP        No-op. Keeps connection open.
QUIT        Ends session.

Note: Sessions must start with HELO and end with QUIT.

Refer to Exploits Search

Configuration files

  1. “RFC 5321 - Simple Mail Transfer Protocol.” IETF Tools.

  2. OpenSSL Foundation, Inc. “/Docs/Manmaster/Man1/Openssl.Html.” OpenSSL.Org.

  3. “Smtp-Ntlm-Info NSE Script.” Nmap: The Network Mapper - Free Security Scanner.

  4. m8r0wn. “Internal Information Disclosure Using Hidden NTLM Authentication | by M8r0wn | Medium.” Medium, 9 Mar. 2020.