Chapter 10. Assessing Email Services

Email services can relay information across the Internet and private networks. Due to the nature of these services, channels between the Internet and corporate network space are opened, which determined attackers can abuse to compromise internal networks. This chapter defines a strategy for assessing email services, through accurate service identification, enumeration of enabled options, and testing for known issues.

Email Service Protocols

Here are the common network ports used for email delivery and collection through SMTP, POP-2, POP-3, and IMAP:

smtp            25/tcp
pop2            109/tcp
pop3            110/tcp
imap2           143/tcp

SSL-enhanced versions of these services exist and are found running on the following ports:

ssmtp           465/tcp
imaps           993/tcp
pop3s           995/tcp

You can use stunnel and standard plaintext assessment tools to test SSL-enhanced services (see Chapter 6). For example, the stunnel tool negotiates and maintains the SSL connection, allowing for plaintext access to the underlying protocol.


Most organizations with an Internet presence use email to communicate and to do business. Simple Mail Transfer Protocol (SMTP) servers provide email transport via software packages such as Sendmail, Microsoft Exchange, Lotus Domino, and Postfix. Here I discuss the techniques used to identify and exploit SMTP services.

SMTP Service Fingerprinting

Accurate identification of the SMTP service enables you to make sound decisions and efficiently assess the target system. Two tools in particular ...

Get Network Security Assessment now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.