Chapter 11. Assessing Email Services
Email services serve and relay email messages across the Internet and private networks. Due to the nature of these services, channels between the Internet and corporate network space are opened, which determined attackers abuse to compromise internal networks. This chapter defines a strategy for assessing email services, through accurate service identification, enumeration of enabled options, and testing for known issues.
Email Service Protocols
Common ports used for email delivery and collection through SMTP, POP-2, POP-3, and IMAP are as follows:
smtp 25/tcp pop2 109/tcp pop3 110/tcp imap2 143/tcp submission 587/tcp
SSL-wrapped versions of these mail services are often found running on the following ports:
smtps 465/tcp imaps 993/tcp pop3s 995/tcp
An SSL tunnel must first be established (using a tool such as stunnel) to assess these services. Then, standard assessment tools can be used through the SSL tunnel to test the services.
Most organizations with an Internet presence use email to communicate and to do business. Simple Mail Transfer Protocol (SMTP) servers provide email transport via software packages such as Sendmail, Microsoft Exchange, Lotus Domino, and Postfix. Here I discuss the techniques used to identify and exploit SMTP services.
SMTP Service Fingerprinting
Accurate identification of the SMTP service enables you to make sound decisions and efficiently assess the target system. Two tools in particular perform a number of tests to ascertain ...