# SMTP - 25
| Port | Service |
| ------- | ----------------- |
| TCP/25 | SMTP Unencrypted |
| TCP/143 | IMAP4 Unencrypted |
| TCP/110 | POP3 Unencrypted |
| TCP/465 | SMTP Encrypted |
| TCP/993 | IMAP4 Encrypted |
| TCP/995 | POP3 Encrypted |
### Telnet
```bash
# to interact with smtp server
telnet ip 25
# HELO/EHLO
HELO mail1.nothing.htb
EHLO mail1.nothing.htb
# VRFY - can be used to enumerate existing users on the system
VRFY root
# EXPN - when used with a distribution list, it will list all users on that list
EXPN john
# USER - we can use the command USER followed by the username, and if the server responds OK. This means that the user exists on the server.
USER Eren
# find all SMTP error codes here :
# Send an Email
EHLO nothing.htb
MAIL FROM:
RCPT TO:
DATA
QUIT
```
### Nmap
```bash
# nmap scan for SMTP
nmap ip -sC -sV -p25
# nmap open relay scan
nmap ip -p25 --script smtp-open-relay -v
#
swaks --from notifications@something.com --to employees@something.com --header 'Subject: Company Notification' --body 'Hi All, Please complete the following survey. ' --server ip
```
### Brute force users
```bash
# smtp-user-enum tool
smtp-user-enum -M VRFY -U user.txt -t ip
# with domain
smtp-user-enum -M RCPT -U userlist.txt -D nothing.htb -t ip
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://strange-1.gitbook.io/notes/enumeration/smtp-25.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.