Chapter 10. Assessing Email Services
Email services can relay information across the Internet and private networks. Due to the nature of these services, channels between the Internet and corporate network space are opened, which determined attackers can abuse to compromise internal networks. This chapter defines a strategy for assessing email services, through accurate service identification, enumeration of enabled options, and testing for known issues.
Email Service Protocols
Here are the common network ports used for email delivery and collection through SMTP, POP-2, POP-3, and IMAP:
smtp 25/tcp pop2 109/tcp pop3 110/tcp imap2 143/tcp
SSL-enhanced versions of these services exist and are found running on the following ports:
ssmtp 465/tcp imaps 993/tcp pop3s 995/tcp
You can use stunnel and standard plaintext assessment tools to test SSL-enhanced services (see Chapter 6). For example, the stunnel tool negotiates and maintains the SSL connection, allowing for plaintext access to the underlying protocol.
Most organizations with an Internet presence use email to communicate and to do business. Simple Mail Transfer Protocol (SMTP) servers provide email transport via software packages such as Sendmail, Microsoft Exchange, Lotus Domino, and Postfix. Here I discuss the techniques used to identify and exploit SMTP services.
SMTP Service Fingerprinting
Accurate identification of the SMTP service enables you to make sound decisions and efficiently assess the target system. Two tools in particular ...