
SANS ISC InfoSec Handlers Diary Blog



Cyber Security Awareness Month - Day 8 - Port 25 - SMTP

Published: 2009-10-08
Last Updated: 2009-10-08 16:13:51 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

My personal favorite port is port 53, but well, it was already taken. So I am going to cover port 25, my least favorite port :)

Port 25 is used by mail servers to receive e-mail. E-mail in itself is of course a mixed blessing. Spam levels in the 90% range make it a less and less useful business tool. There is a lot of history involved here, and SMTP wasn't the first "E-Mail" protocol. Before SMTP became popular, protocols like UUCP (Unix-to-Unix-CoPy) were used to exchange email. SMTP in some ways extends these older protocols and inherited some of their properties.

For a full description of SMTP, start with RFC821 (http://www.faqs.org/rfcs/rfc821.html). But RFC821 is just the start. Later RFCs expand on it substantially and you will need to understand them to fully appreciate how today's e-mail servers work. Let me try to assemble a quick SMTP primer here.

First of all, the mail client connects to the mail server, and the mail server identifies itself with a line like:

220 mailserver.example.com ESMTP Postfix

The number in the beginning is the important part, the rest is mostly ignored. "220" means the service is ready to receive your spam. Next the client has to identify itself. There are two ways this may happen. The old way (RFC821) is to send a "HELO" message like:

HELO mailclient.example.com

However, modern clients will typically use "EHLO" instead of "HELO". EHLO is defined in RFC 1869. Sending an "EHLO" will signal to the server that your client understands the extensions defined in RFC 1869.

The server's response to a HELO or EHLO will be a "250" code (if there wasn't an error):

250 zimbra.den.giac.net

For an EHLO, additional '250' lines will be returned listing the capabilities of the server. At this point, we do have an established connection and are able to send our first e-mail. The e-mail itself consists of three parts:

- an envelope. This is typically not part of the e-mail itself, but indicates the From and To address to the mail server. The From and To address in the envelope can be different from the From and To address used in the header of the message.

- a header. The header typically includes Subject/From/To and other fields.

- a body. Delimited from the header by an empty line, you will find the body of the message.
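To make the three parts concrete, here is an added example (not code from the original diary) that takes the client side of a captured SMTP transaction, separates the envelope (MAIL FROM / RCPT TO) from the header and body sent after DATA, and then compares the envelope addresses with the From/To the recipient actually sees. The transcript, addresses and domains are constructed; the only real interfaces used are Python's standard `email` module and the RFC 821 command syntax.

```python
"""Split a captured SMTP transaction into envelope, header and body.

Added example, not from the original diary. The transcript is constructed
(reserved example domains); server replies are omitted for brevity.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed client-side transcript of one SMTP transaction.
TRANSCRIPT = """\
EHLO mailclient.example.com
MAIL FROM:<bounces@bulk.example.net>
RCPT TO:<alice@example.com>
RCPT TO:<bob@example.com>
DATA
From: "Accounts Payable" <ap@example.org>
To: undisclosed-recipients:;
Subject: Invoice attached

Please find the invoice attached.
..and a line that starts with a dot.
.
QUIT
"""

ADDR_RE = re.compile(r"<([^>]*)>")


def parse_transaction(transcript: str) -> dict:
    """Return the envelope, the parsed header fields and the body text."""
    envelope = {"mail_from": None, "rcpt_to": []}
    data_lines, in_data = [], False
    for line in transcript.splitlines():
        if in_data:
            if line == ".":          # lone dot terminates the DATA section
                in_data = False
                continue
            # RFC 821 transparency: a line sent as ".." was really "."
            data_lines.append(line[1:] if line.startswith("..") else line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "MAIL":           # MAIL FROM:<...> sets the envelope sender
            m = ADDR_RE.search(arg)
            envelope["mail_from"] = m.group(1) if m else None
        elif verb == "RCPT":         # each RCPT TO:<...> adds an envelope recipient
            m = ADDR_RE.search(arg)
            if m:
                envelope["rcpt_to"].append(m.group(1))
        elif verb == "DATA":
            in_data = True
    # The header ends at the first empty line; everything after it is body.
    msg = message_from_string("\n".join(data_lines))
    return {"envelope": envelope, "headers": dict(msg.items()),
            "body": msg.get_payload()}


def envelope_vs_header(parsed: dict) -> dict:
    """Compare what the server was told (envelope) with what the reader sees."""
    env_from = parsed["envelope"]["mail_from"] or ""
    hdr_from = parseaddr(parsed["headers"].get("From", ""))[1]
    to_header = parsed["headers"].get("To", "").lower()
    return {
        "envelope_sender": env_from,
        "header_from": hdr_from,
        # Same domain on both is the normal case for legitimate mail.
        "sender_domain_matches": (env_from.rpartition("@")[2].lower()
                                  == hdr_from.rpartition("@")[2].lower()),
        # Envelope recipients that are actually named in the To: header.
        "recipients_visible_in_to": [r for r in parsed["envelope"]["rcpt_to"]
                                     if r.lower() in to_header],
    }


if __name__ == "__main__":
    parsed = parse_transaction(TRANSCRIPT)
    print(parsed["envelope"])
    print(parsed["headers"])
    print(envelope_vs_header(parsed))
```

In the constructed transcript the envelope sender is at bulk.example.net while the header From claims example.org, and neither envelope recipient appears in the To: header; that gap between envelope and header is exactly why a bounce or a "Return-Path" can point somewhere the visible From does not.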

But well, you probably knew all of that. Let's talk about a few more interesting features:

STARTTLS: This scheme, if both sides support it, can be used to negotiate an SSL connection on the fly. RFC 2487 will tell you more about it. But here are the details: The connection starts as outlined above. But after the initial EHLO/250 exchange, the client will send a STARTTLS command. This will lead to an SSL connection being established. The SSL certificate may be used for authentication purposes as well as encryption in this case.

Message Submission: RFC 2476 outlines a new method to submit messages which is widely implemented. The basic idea is to distinguish between message forwarding and injecting new messages ("message submission"). RFC 2476 suggests the use of TCP Port 587 to submit messages.

Non Delivery Receipts: This is a sore point in many mail server configurations. There are two ways to indicate that a message is not deliverable. The preferred one: as the server receives the envelope, it checks the "To" address and replies with an error message before accepting the e-mail. The alternative is to accept the message and send a non-delivery receipt afterwards. Rejecting during the envelope is preferred as it cuts down on network traffic and on non-delivery receipts being sent to the wrong people later. However, it requires that the mail server knows all the users that are deliverable. For a simple relay server, this can be hard to figure out at times.
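The reply codes walked through above (220 banner, 250 for HELO/EHLO, the multi-line 250 capability list for EHLO, the STARTTLS hand-off, and rejecting an unknown recipient at RCPT TO instead of bouncing later) fit in a small server-side state machine. The following is an added example, not code from the original diary or from any real mail server: the hostname, capability list, local domain and user table are constructed, TLS itself is only modelled as a state change (no handshake takes place), and the reply texts are illustrative rather than copied from a particular implementation.

```python
"""Toy SMTP server-side state machine (added example, not from the diary).

Shows the reply sequence of a session and, for Non Delivery Receipts, the
preferred behaviour: refuse an unknown recipient at RCPT TO, before DATA,
so nothing is accepted that would later need a bounce.
"""
import re

HOSTNAME = "mailserver.example.com"           # constructed
CAPABILITIES = ["SIZE 10240000", "8BITMIME"]  # constructed; STARTTLS is added when applicable
LOCAL_DOMAIN = "example.com"                  # constructed
LOCAL_USERS = {"alice", "bob"}                # constructed table of deliverable users


def _addr(arg: str) -> str:
    """Extract the address from 'FROM:<a@b>' or 'TO:<a@b>'."""
    m = re.search(r"<([^>]*)>", arg)
    return m.group(1) if m else arg.partition(":")[2].strip()


class SmtpSession:
    """State for one connection; handle() maps a client line to reply lines."""

    def __init__(self):
        self.greeted = False     # HELO/EHLO seen since connect (or since STARTTLS)
        self.tls = False         # STARTTLS completed (modelled only)
        self.mail_from = None
        self.rcpt_to = []
        self.in_data = False
        self.data_lines = []
        self.accepted = []       # (mail_from, rcpt_to, message) tuples queued

    def banner(self) -> str:
        return f"220 {HOSTNAME} ESMTP"

    def _ehlo_reply(self) -> list:
        # RFC 1869 multi-line reply: "250-" on every line but the last, "250 " on the last.
        caps = list(CAPABILITIES)
        if not self.tls:
            caps.insert(0, "STARTTLS")   # offered only while the session is still plaintext
        return [f"250-{HOSTNAME}"] + [f"250-{c}" for c in caps[:-1]] + [f"250 {caps[-1]}"]

    def handle(self, line: str) -> list:
        if self.in_data:
            if line == ".":              # end of message text
                self.in_data = False
                self.accepted.append((self.mail_from, list(self.rcpt_to), "\n".join(self.data_lines)))
                self.mail_from, self.rcpt_to, self.data_lines = None, [], []
                return ["250 Ok: queued"]
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return []
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.greeted = True
            return [f"250 {HOSTNAME}"]
        if verb == "EHLO":
            self.greeted = True
            return self._ehlo_reply()
        if verb == "QUIT":
            return ["221 Bye"]
        if not self.greeted:
            return ["503 Send HELO/EHLO first"]
        if verb == "STARTTLS":
            if self.tls:
                return ["503 TLS already active"]
            self.tls = True
            self.greeted = False         # RFC 2487: client must EHLO again after the handshake
            return ["220 Ready to start TLS"]
        if verb == "MAIL":
            self.mail_from, self.rcpt_to = _addr(arg), []
            return ["250 Ok"]
        if verb == "RCPT":
            if self.mail_from is None:
                return ["503 Need MAIL command first"]
            addr = _addr(arg)
            local, _, domain = addr.rpartition("@")
            if domain.lower() != LOCAL_DOMAIN:
                return ["554 Relay access denied"]
            if local.lower() not in LOCAL_USERS:
                # Reject at the envelope stage: nothing is accepted, so no
                # non-delivery receipt has to be sent to a possibly forged sender.
                return [f"550 <{addr}>: User unknown"]
            self.rcpt_to.append(addr)
            return ["250 Ok"]
        if verb == "DATA":
            if not self.rcpt_to:
                return ["554 No valid recipients"]
            self.in_data = True
            return ["354 End data with <CR><LF>.<CR><LF>"]
        return ["502 Command not implemented"]


def run_transcript(client_lines) -> tuple:
    """Drive one session with a list of client lines; return (session, all replies)."""
    session = SmtpSession()
    replies = [session.banner()]
    for line in client_lines:
        replies.extend(session.handle(line))
    return session, replies
```

Running `run_transcript` with an EHLO, a MAIL FROM, one unknown and one known recipient, a DATA section and QUIT gives the 220/250-list/250/550/250/354/250/221 sequence the primer describes, and the unknown recipient never reaches the queue. The relay check (554 for a foreign domain) is the other half of the same decision: a server that only knows its own users can still refuse at the envelope what it would otherwise have to bounce.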

There is lots more to tell you about SMTP, port 25 and why I don't like e-mail. But maybe that will be a later diary.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: email port 25 smtp spam