Chapter 11. Assessing Email Services

Email services serve and relay email messages across the Internet and private networks. Due to the nature of these services, channels between the Internet and corporate network space are opened, which determined attackers abuse to compromise internal networks. This chapter defines a strategy for assessing email services, through accurate service identification, enumeration of enabled options, and testing for known issues.

Email Service Protocols

Common ports used for email delivery and collection through SMTP, POP-2, POP-3, and IMAP are as follows:

smtp            25/tcp
pop2            109/tcp
pop3            110/tcp
imap2           143/tcp
submission      587/tcp

SSL-wrapped versions of these mail services are often found running on the following ports:

smtps           465/tcp
imaps           993/tcp
pop3s           995/tcp

An SSL tunnel must first be established (using a tool such as stunnel) to assess these services. Then, standard assessment tools can be used through the SSL tunnel to test the services.


Most organizations with an Internet presence use email to communicate and to do business. Simple Mail Transfer Protocol (SMTP) servers provide email transport via software packages such as Sendmail, Microsoft Exchange, Lotus Domino, and Postfix. Here I discuss the techniques used to identify and exploit SMTP services.

SMTP Service Fingerprinting

Accurate identification of the SMTP service enables you to make sound decisions and efficiently assess the target system. Two tools in particular perform a number of tests to ascertain ...

Get Network Security Assessment, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.