Reference : SMTP Commands
Written by Administrator   
Thursday, 10 March 2005 12:20

This page gives a quick summary of the major commands and the command sequence used by the SMTP protocol to transfer email. In Unix, the "sendmail" program listens for connections on port 25, and the SMTP protocol is a plain text conversation. This means that it is possible to telnet to port 25 on a system and manually enter SMTP commands. This is useful for two things: manually testing a sendmail configuration, and forging email.

One unfortunate, but at times entertaining, feature of sendmail is that it is trivial to generate forged email for older sendmail configurations. Newer sendmail features make it possible to perform some sanity checking on the sender of email. You can make sure that at least the sending machine is who it says it is via reverse DNS queries. But there is nothing to prevent the SOA DNS server for an address range from providing bogus reverse name information. The additional step is to do a second lookup, from the returned name back to an IP address, and verify that the result matches the IP address that made the connection in the first place. See the security section below for more information.
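The two-step check described above (reverse lookup, then a forward lookup that must return the connecting address), as an added Python example that is not part of the original page. The function names, the result fields and the sample zone data are assumptions made for illustration; the addresses come from the documentation ranges.

```python
import socket

def system_ptr(ip):
    """Reverse (PTR) lookup via the system resolver; returns a list of names."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def system_forward(name):
    """Forward lookup via the system resolver; returns a set of IP strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def check_client(ip, helo_name, ptr=system_ptr, forward=system_forward):
    """Classify a connecting SMTP client by forward-confirmed reverse DNS."""
    names = [n.rstrip(".").lower() for n in ptr(ip)]
    if not names:
        return {"verdict": "no-ptr", "confirmed": [], "helo_matches": False}
    # A PTR name only counts if its forward lookup leads back to the same IP.
    confirmed = [n for n in names if ip in forward(n)]
    helo = helo_name.rstrip(".").lower()
    return {
        "verdict": "confirmed" if confirmed else "ptr-not-confirmed",
        "confirmed": confirmed,
        "helo_matches": helo in confirmed,
    }

# Constructed sample zone data (hypothetical hosts, documentation addresses).
PTR = {"192.0.2.10": ["mail.domain.abc"],
       "198.51.100.7": ["smtp.domain.xyz"]}   # bogus PTR set by the range owner
A = {"mail.domain.abc": {"192.0.2.10"},
     "smtp.domain.xyz": {"203.0.113.25"}}     # the real host lives elsewhere

def demo():
    """Run the check against the constructed tables instead of live DNS."""
    ptr = lambda ip: PTR.get(ip, [])
    fwd = lambda name: A.get(name, set())
    return [check_client("192.0.2.10", "mail.domain.abc", ptr, fwd),
            check_client("198.51.100.7", "smtp.domain.xyz", ptr, fwd),
            check_client("203.0.113.99", "myhost.domain.abc", ptr, fwd)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Called without the `ptr` and `forward` arguments, `check_client` uses the system resolver.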

For whatever reason you want to enter SMTP commands manually, here is how to do so.

SMTP Commands and Descriptions

HELO sendinghostname
    This command initiates the SMTP conversation. The host connecting to the remote SMTP server identifies itself by its fully qualified DNS host name.

EHLO sendinghostname
    An alternative command for starting the conversation. This states that the sending server wants to use the extended SMTP (ESMTP) protocol.

MAIL From:<source email address>
    This is the start of an email message. The source email address is what will appear in the "From:" field of the message.

RCPT To:<destination email address>
    This identifies the recipient of the email message. This command can be repeated multiple times for a given message in order to deliver a single message to multiple recipients.

SIZE=numberofbytes
    The size command tells the remote sendmail system the size of the attached message in bytes. If omitted, mail readers and delivery agents will try to determine the size of a message based on indicators such as them being terminated by a "." on a line by themselves and headers being sent on a line separated from body text by a blank line. But these methods get confused when you have headers or header-like information embedded in messages, attachments, etc.

DATA
    This command signifies that a stream of data, i.e. the email message body, will follow. The stream of data is terminated by a "." on a line by itself.

QUIT
    This terminates an SMTP connection. Multiple email messages can be transferred during a single TCP/IP connection. This allows for more efficient transfer of email. To start another email message in the same session, simply issue another "MAIL" command.

VRFY username
    This command will request that the receiving SMTP server verify that a given email username is valid. The SMTP server will reply with the login name of the user. This feature can be turned off in sendmail because allowing it can be a security hole. VRFY commands can be used to probe for login names on a system. See the security section below for information about turning off this feature.

EXPN aliasname
    EXPN is similar to VRFY, except that when used with a distribution list, it will list all users on that list. This can be a bigger problem than the "VRFY" command since sites often have an alias such as "all".

Subject:
Cc:
Reply-To:
    Email header lines are not SMTP commands per se. They are sent in the DATA stream for a message. Header lines appear on a line by themselves, and are separated from the body of a message by a blank line.

Quick Test

A quick test to send a simple SMTP mail when using Telnet (port 25):

EHLO myhost.domain.abc
MAIL FROM:<user@domain.abc>
RCPT TO:<user@domain.xyz>
DATA
Subject: Test Mail

Hello World !
.
QUIT

More Details

The chat sequence (history) used by Sendmail to deliver mail can be shown by running sendmail manually at the command line with a "-v" parameter.
For example, on the machine "myhost.domain.abc", I want to send email to "someuser@domain.xyz". I run the following commands to make sendmail on my system connect to the SMTP server for "domain.xyz":

Examples
S: <wait for open connection>
C: <open connection to server>
S: 220 smtp.domain.xyz ESMTP Postfix
C: EHLO myhost.domain.abc
S: 250 smtp.domain.xyz
S: 250 PIPELINING
S: 250 SIZE 10240000
S: 250 ETRN
S: 250 8BITMIME
C: MAIL From:<mrose@domain.abc>
S: 250 Ok
C: RCPT To:<someone@domain.xyz>
S: 250 Ok
C: DATA
S: 354 End data with .
...
C: .
S: 250 Ok: queued as 0E3EA1D216
C: QUIT
S: 221 Bye

Consider the following SMTP dialogue that does not use pipelining:

S: <wait for open connection>
C: <open connection to server>
S: 220 smtp.domain.xyz SMTP service ready
C: HELO myhost.domain.abc
S: 250 smtp.domain.xyz
C: MAIL FROM:<mrose@domain.abc>
S: 250 sender <mrose@domain.abc> OK
C: RCPT TO:<ned@domain.xyz>
S: 250 recipient <ned@domain.xyz> OK
C: RCPT TO:<dan@domain.xyz>
S: 250 recipient <dan@domain.xyz> OK
C: RCPT TO:<kvc@domain.xyz>
S: 250 recipient <kvc@domain.xyz> OK
C: DATA
S: 354 enter mail, end with line containing only "."
...
C: .
S: 250 message sent
C: QUIT
S: 221 goodbye

The client waits for a server response a total of 9 times in this simple example. But if pipelining is employed the following dialogue is possible:

S: <wait for open connection>
C: <open connection to server>
S: 220 domain.xyz SMTP service ready
C: EHLO domain.abc
S: 250 domain.xyz
S: 250 PIPELINING
C: MAIL FROM:<mrose@domain.abc>
C: RCPT TO:<ned@domain.xyz>
C: RCPT TO:<dan@domain.xyz>
C: RCPT TO:<kvc@domain.xyz>
C: DATA
S: 250 sender <mrose@domain.abc> OK
S: 250 recipient <ned@domain.xyz> OK
S: 250 recipient <dan@domain.xyz> OK
S: 250 recipient <kvc@domain.xyz> OK
S: 354 enter mail, end with line containing only "."
...
C: .
C: QUIT
S: 250 message sent
S: 221 goodbye

The total number of turnarounds has been reduced from 9 to 4.

The next example illustrates one possible form of behavior when pipelining is used and all recipients are rejected:

S: <wait for open connection>
C: <open connection to server>
S: 220 domain.xyz SMTP service ready
C: EHLO domain.abc
S: 250 domain.xyz
S: 250 PIPELINING
C: MAIL FROM:<mrose@domain.abc>
C: RCPT TO:<nsb@domain.def>
C: RCPT TO:<galvin@domain.ghi>
C: DATA
S: 250 sender <mrose@domain.abc> OK
S: 550 remote mail to <nsb@domain.def> not allowed
S: 550 remote mail to <galvin@domain.ghi> not allowed
S: 554 no valid recipients given
C: QUIT
S: 221 goodbye

The client SMTP waits for the server 4 times here as well. If the server SMTP does not check for at least one valid recipient prior to accepting the DATA command, the following dialogue would result:

S: <wait for open connection>
C: <open connection to server>
S: 220 domain.xyz SMTP service ready
C: EHLO domain.abc
S: 250 domain.xyz
S: 250 PIPELINING
C: MAIL FROM:<mrose@domain.abc>
C: RCPT TO:<nsb@domain.def>
C: RCPT TO:<galvin@domain.ghi>
C: DATA
S: 250 sender <mrose@domain.abc> OK
S: 550 remote mail to <nsb@domain.def> not allowed
S: 550 remote mail to <galvin@domain.ghi> not allowed
S: 354 enter mail, end with line containing only "."
C: .
C: QUIT
S: 554 no valid recipients
S: 221 goodbye
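The reply bookkeeping a pipelining client needs for the last two dialogues, as an added Python example that is not part of the original page: every reply in the group is matched to its command, and the reply to DATA is checked even when every recipient was refused. The function names and the action labels are assumptions made for illustration; the parser also accepts the "NNN-text" continuation form that multi-line replies use on the wire.

```python
def parse_replies(wire_lines):
    """Collapse reply lines into (code, [text, ...]) tuples.
    'NNN-text' continues a multi-line reply; 'NNN text' is its last line.
    """
    replies, texts = [], []
    for line in wire_lines:
        code, sep, text = line[:3], line[3:4], line[4:]
        if len(code) != 3 or not code.isdigit() or sep not in ("-", " ", ""):
            raise ValueError(f"malformed reply line: {line!r}")
        texts.append(text)
        if sep != "-":
            replies.append((int(code), texts))
            texts = []
    if texts:
        raise ValueError("truncated multi-line reply")
    return replies

def plan_after_group(commands, wire_lines):
    """Pair a pipelined MAIL/RCPT/DATA group with its replies, in order."""
    replies = parse_replies(wire_lines)
    if len(replies) != len(commands):
        raise ValueError("reply count differs from command count")
    accepted, rejected, mail_ok, data_code = [], [], False, None
    for cmd, (code, _) in zip(commands, replies):
        verb = cmd.split()[0].upper()
        if verb == "MAIL":
            mail_ok = 200 <= code < 300
        elif verb == "RCPT":
            bucket = accepted if 200 <= code < 300 else rejected
            bucket.append(cmd.split(":", 1)[1])
        elif verb == "DATA":
            data_code = code
    if data_code != 354:
        action = "abort"                 # DATA refused: send no message text
    elif mail_ok and accepted:
        action = "send-message"
    else:
        action = "send-terminator-only"  # 354 but nobody accepted: send only "."
    return {"action": action, "accepted": accepted, "rejected": rejected}

# Constructed from the two all-recipients-rejected dialogues on this page.
GROUP = ["MAIL FROM:<mrose@domain.abc>", "RCPT TO:<nsb@domain.def>",
         "RCPT TO:<galvin@domain.ghi>", "DATA"]
CHECKED = ["250 sender <mrose@domain.abc> OK",
           "550 remote mail to <nsb@domain.def> not allowed",
           "550 remote mail to <galvin@domain.ghi> not allowed",
           "554 no valid recipients given"]
UNCHECKED = CHECKED[:3] + ['354 enter mail, end with line containing only "."']
```

`plan_after_group(GROUP, CHECKED)` yields the "abort" action, while `plan_after_group(GROUP, UNCHECKED)` yields "send-terminator-only", matching the lone "C: ." in the final dialogue.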

The message text that would follow the "DATA" command is suppressed in the "-v" output of sendmail, but in the actual interaction, the message text would be sent in a readable form for plain text, and encoded for binhex or MIME attachments. The other lines are reply output from the remote SMTP server. These messages include status responses and protocol information such as size limits for messages and preferred attachment formats.

Note that the SMTP server at Pobox.com tells me that it is willing to speak the ESMTP protocol, so my sendmail program sends an EHLO rather than an HELO. Also note that the "domain.xyz" SMTP server identifies itself as a "Postfix" server. Postfix is an alternative SMTP server that performs the same tasks as "sendmail". Other SMTP server implementations include Lotus's Domino (aka Notes Server) and Microsoft's Exchange.

Security Information:

As I mentioned earlier, the VRFY and EXPN commands can expose user information to people probing a system in preparation for an attack. This behavior can be turned off by using the following flag in the sendmail.cf file:

O PrivacyOptions=goaway
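A small audit of sendmail.cf text for the setting above, as an added Python example that is not part of the original page. It reports whether VRFY and EXPN are switched off, accepting either "goaway" or the individual "novrfy" and "noexpn" flags; the function names and sample configurations are constructed, and flags from several PrivacyOptions lines are assumed to accumulate.

```python
import re

# "goaway" is shorthand that includes both "novrfy" and "noexpn".
DISABLES = {"VRFY": {"novrfy", "goaway"}, "EXPN": {"noexpn", "goaway"}}
OPTION = re.compile(r"^O\s+PrivacyOptions\s*=\s*(.*)$", re.IGNORECASE)

def privacy_flags(cf_text):
    """Collect the PrivacyOptions flags set in sendmail.cf text."""
    flags = set()
    for line in cf_text.splitlines():
        if line.startswith("#"):          # commented-out settings do not count
            continue
        match = OPTION.match(line)
        if match:
            # Assumption: flags from repeated option lines accumulate.
            flags |= {f.lower() for f in re.split(r"[,\s]+", match.group(1)) if f}
    return flags

def audit(cf_text):
    """Report, per command, whether the configuration disables it."""
    flags = privacy_flags(cf_text)
    return {cmd: "disabled" if flags & needed else "ENABLED"
            for cmd, needed in DISABLES.items()}

# Constructed sample configurations.
WEAK = "O PrivacyOptions=authwarnings\n"
PARTIAL = "#O PrivacyOptions=goaway\nO PrivacyOptions=authwarnings,novrfy\n"
HARDENED = "O PrivacyOptions=goaway\n"

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("partial", PARTIAL), ("hardened", HARDENED)):
        print(label, audit(text))
```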

To limit relaying, I recommend going to the site www.sendmail.org and looking at the Anti-Spam / Anti-relay features available to Sendmail.

Last Updated on Tuesday, 06 December 2005 14:29