# SMTP - 25

## SMTP Reference

The [Simple Mail Transport Protocol (SMTP)](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) supports several interesting commands, such as VRFY and EXPN. A VRFY request asks the server to verify an email address, while EXPN asks the server for the membership of a mailing list.

[**JAMES SMTP Server**](https://james.apache.org/)

[**James stands for Java Apache Mail Enterprise Server!**](https://en.wikipedia.org/wiki/Apache_James)

[**An open source SMTP and POP3 mail transfer agent and NNTP news server written entirely in Java**](https://github.com/apache/james-project)

Let's continue with SMTP commands. As mentioned earlier, we do not yet have a very large list of usernames to guess. Let's consider what we might try so far:

* `root` : by default
* `beta` : the name of the machine
* `james` : the name of the server, and also an English male name.
* (We could also try variations like Jamie, but we won't go down that road for now.)

  \`\`\`

## Server Connection

```
$ nc -nvC $ip 25
$ telnet $ip 25

EXPN
VRFY <user>
```

## Scanning Vul

```
$ nmap $ip -p 25 --script=smtp-*

$ sudo msfconsole -q -x "setg RHOSTS $ip;
use auxiliary/scanner/smtp/smtp_enum; run;
use auxiliary/scanner/smtp/smtp_relay; run;
use auxiliary/scanner/smtp/smtp_version; run;
exit"
```

## [SMTP Common Commands](https://www.ionos.com/digitalguide/e-mail/technical-matters/smtp/)

```
$ helo admin
$ mail from:<>
$ rcpt to:<nobody>
$ data
leevn
.
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://leecybersec.gitbook.io/oscp/scanning/common-services/smtp-25.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.