SMTP Pentest Guide

Securing SMTP Servers

Understanding how to secure SMTP servers is essential for both penetration testers and system administrators. This page provides comprehensive guidance on hardening SMTP servers against the vulnerabilities discussed throughout this guide [^4].

The best penetration testers understand both offensive and defensive aspects of security. Knowing how to properly secure SMTP servers will make you more effective at testing them.

Secure SMTP Configuration

Proper configuration is the foundation of SMTP security. These recommendations address the most common configuration vulnerabilities [^4].

Preventing Open Relay in Postfix

Configure Postfix to prevent unauthorized relaying

# Edit /etc/postfix/main.cf

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

# Define trusted networks
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24

# Restart Postfix
systemctl restart postfix

Explanation: This configuration restricts mail relaying to authenticated users and trusted networks only. The 'defer_unauth_destination' parameter refuses (with a temporary error) relay attempts that don't meet these criteria. The 'mynetworks' parameter defines trusted IP ranges that can relay without authentication [^4].

Disabling Dangerous SMTP Commands

Restrict unnecessary SMTP commands to reduce attack surface

# For Postfix, edit /etc/postfix/main.cf

# Disable VRFY command
disable_vrfy_command = yes

# Limit information in banners
smtpd_banner = $myhostname ESMTP

# Restart Postfix
systemctl restart postfix
Explanation: The VRFY command can be used for user enumeration. Disabling it prevents attackers from validating email addresses. Minimizing information in SMTP banners reduces information disclosure about your mail server software and version [^4].

Implementing Rate Limiting

Prevent abuse through connection and sending limits

# For Postfix, edit /etc/postfix/main.cf

# Limit how many new connections a single client may make per time unit
smtpd_client_connection_rate_limit = 10

# Limit recipients per message
smtpd_recipient_limit = 25

# Limit message size (bytes)
message_size_limit = 10240000

# Restart Postfix
systemctl restart postfix
Explanation: Rate limiting helps prevent abuse of your SMTP server. These settings limit how many connections a single IP can make, how many recipients can be specified in a single message, and the maximum size of messages. This helps mitigate DoS attacks and mass mailing attempts [^4].
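The three configuration sections above can be checked mechanically. The following is an added example (not code from the original guide): a small Python auditor that parses Postfix main.cf syntax (key = value, '#' comments, continuation lines that begin with whitespace) and reports which of the recommended settings are missing or weak. The two main.cf samples embedded in it are constructed for the example, and the finding messages are this example's own wording.

```python
"""Audit a Postfix main.cf for the hardening settings discussed above.

Added example, not part of the original guide. Parses main.cf text and
reports missing or weak relay, VRFY, banner and rate-limit settings.
"""

# Constructed sample: a weak main.cf before hardening.
WEAK_MAIN_CF = """\
# Postfix main configuration (constructed sample)
myhostname = mail.example.com
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
mynetworks = 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks
    permit_sasl_authenticated
"""

# Constructed sample: the same file after applying the page's recommendations.
HARDENED_MAIN_CF = """\
myhostname = mail.example.com
smtpd_banner = $myhostname ESMTP
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
disable_vrfy_command = yes
smtpd_client_connection_rate_limit = 10
smtpd_recipient_limit = 25
message_size_limit = 10240000
"""


def parse_main_cf(text):
    """Return {parameter: value} from main.cf text, honouring continuation lines."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            # Continuation line: Postfix joins it onto the previous parameter.
            params[current] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter assignment
        current = key.strip()
        params[current] = value.strip()
    return params


def audit_main_cf(text):
    """Return a list of findings; an empty list means every check passed."""
    p = parse_main_cf(text)
    findings = []

    # Open relay: the relay restriction list must end in a reject/defer of
    # unauthenticated destinations, and mynetworks must not trust everyone.
    relay = p.get("smtpd_relay_restrictions", "").split()
    if not any(r in ("reject_unauth_destination", "defer_unauth_destination") for r in relay):
        findings.append("open relay risk: smtpd_relay_restrictions lacks "
                        "reject_unauth_destination/defer_unauth_destination")
    if any(n in ("0.0.0.0/0", "[::]/0") for n in p.get("mynetworks", "").split()):
        findings.append("open relay risk: mynetworks trusts the whole Internet")

    # User enumeration via VRFY (Postfix default is 'no').
    if p.get("disable_vrfy_command", "no").lower() != "yes":
        findings.append("user enumeration: disable_vrfy_command is not 'yes'")

    # Information disclosure: the Postfix default banner includes $mail_name.
    banner = p.get("smtpd_banner", "$myhostname ESMTP $mail_name")
    if "$mail_name" in banner or "$mail_version" in banner:
        findings.append("information disclosure: smtpd_banner reveals software details")

    # Rate limiting: Postfix default 0 means unlimited.
    if int(p.get("smtpd_client_connection_rate_limit", "0")) <= 0:
        findings.append("abuse risk: smtpd_client_connection_rate_limit is unset")

    return findings


if __name__ == "__main__":
    for name, cf in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(f"{name}: {audit_main_cf(cf) or ['no findings']}")
```

Running it reports five findings for the weak sample and none for the hardened one. To audit a live server, read the output of `postconf -n` into `audit_main_cf` instead of the file, since `postconf -n` shows only the settings that differ from Postfix defaults in the same key = value form.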

Additional Configuration Recommendations

  • Run SMTP services with least privilege - Use dedicated non-root users
  • Implement proper DNS records - Configure reverse DNS for your mail servers
  • Use separate mail submission and relay servers - Segregate different SMTP functions
  • Implement proper queue management - Set appropriate timeouts and retry limits
  • Keep software updated - Regularly apply security patches to mail server software

Email Authentication Standards

Implementing email authentication standards helps prevent email spoofing and phishing attacks [^4].

SPF (Sender Policy Framework)

SPF allows domain owners to specify which mail servers are authorized to send email on behalf of their domain.

example.com. IN TXT "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 mx -all"

This example authorizes the IP range 192.0.2.0/24, the specific IP 198.51.100.123, and the domain's MX servers to send mail. The "-all" means any other servers are not authorized.

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to emails, allowing receiving servers to verify that the message was not altered in transit.

selector._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."

This DNS record publishes the public key used for verifying DKIM signatures. The selector allows for multiple keys per domain.

DMARC (Domain-based Message Authentication)

DMARC builds on SPF and DKIM, allowing domain owners to specify how to handle emails that fail authentication.

_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

This policy tells receiving servers to reject emails that fail DMARC checks and send aggregate reports to dmarc@example.com. The policy applies to 100% of messages.
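To make the SPF and DMARC records above concrete, here is an added example (not code from the original guide) that evaluates them offline. The SPF evaluator handles ip4, ip6, mx and all mechanisms with their qualifiers; because it runs without DNS, MX addresses are passed in by the caller, and include/a/exists terms are skipped rather than resolved. The DMARC checker parses the tag=value form that DMARC and DKIM records share and raises the points a defender would want flagged. The record strings are the page's own; the sender addresses are constructed test inputs.

```python
"""Offline SPF evaluation and DMARC/DKIM record checks.

Added example, not part of the original guide. The three records below are
the ones shown on the page; sender IPs are constructed test values.
"""
import ipaddress

SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 mx -all"
DKIM_RECORD = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

# SPF qualifier prefixes and the result each one yields on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip, mx_ips=()):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none').

    mx_ips: addresses of the domain's MX hosts, supplied by the caller since
    this function does no DNS lookups. include/a/exists/redirect are skipped.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # A bare address becomes a /32 or /128 network.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "mx":
            if any(ip == ipaddress.ip_address(m) for m in mx_ips):
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
        # Any other mechanism would need DNS; skipped in this offline example.
    return "neutral"  # record exhausted without a match


def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (the form DMARC and DKIM use)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return defender-oriented findings for a DMARC record (empty = good)."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC1 record"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: failures are only reported, not acted on")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of messages")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    return findings


if __name__ == "__main__":
    for sender in ("192.0.2.10", "198.51.100.123", "203.0.113.5"):
        print(sender, "->", evaluate_spf(SPF_RECORD, sender))
    print("DKIM key type:", parse_tags(DKIM_RECORD)["k"])
    print("DMARC findings:", check_dmarc(DMARC_RECORD) or "none")
```

With the page's records, a sender in 192.0.2.0/24 or at 198.51.100.123 passes, any other address hits "-all" and fails, and the DMARC record produces no findings; weakening it to "p=none; pct=50" without an rua address produces three.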

Defense in Depth Strategy

A comprehensive SMTP security strategy employs multiple layers of protection [^4]:

  1. Network Security - Firewalls, network segmentation, and access controls
  2. Server Hardening - Secure configuration, minimal services, regular updates
  3. Authentication - Strong authentication mechanisms and access controls
  4. Encryption - TLS for transport security
  5. Content Filtering - Spam and malware filtering
  6. Email Authentication - SPF, DKIM, and DMARC implementation
  7. Monitoring and Logging - Comprehensive logging and anomaly detection
  8. Incident Response - Procedures for handling security incidents

Regular Security Testing

Even with all these security measures in place, regular security testing is essential to identify and address new vulnerabilities [^4]:

  • Conduct regular vulnerability scans of SMTP infrastructure
  • Perform periodic penetration tests using the techniques described in this guide
  • Test email authentication mechanisms to ensure proper implementation
  • Verify TLS configuration using tools like SSLyze
  • Review logs and monitoring systems to ensure they're capturing necessary information
  • Conduct tabletop exercises to test incident response procedures