This page gives a quick summary of the major commands and command sequences used by the SMTP protocol to transfer email.
Normally an SMTP mail server listens for connections on TCP port 25, and the SMTP protocol is a plain-text conversation. This means it is possible to telnet to port 25 on a system and enter SMTP commands manually. This is useful for two things: manually testing a sendmail configuration and forging email.

Whatever your reason for entering SMTP commands manually, here is how to do so.

SMTP Commands Descriptions

HELO sendinghostname
  This command initiates the SMTP conversation. The host connecting to the remote SMTP server identifies itself by its fully qualified DNS host name.

EHLO sendinghostname
  An alternative command for starting the conversation. This states that the sending server wants to use the extended SMTP (ESMTP) protocol.

MAIL From:<source email address>
  This is the start of an email message. The source email address is what will appear in the "From:" field of the message.
  As per the RFC, the address must be enclosed in "<" and ">" without any spaces (you can use "_" or ".") and can be preceded by free text in double quotes.

RCPT To:<target email address>
  This identifies the recipient of the email message. This command can be repeated multiple times for a given message in order to deliver a single message to multiple recipients.
  As per the RFC, the address must be enclosed in "<" and ">" without any spaces (you can use "_" or ".") and can be preceded by free text in double quotes.

SIZE=numberofbytes
  The size command tells the remote sendmail system the size of the attached message in bytes. If omitted, mail readers and delivery agents will try to determine the size of a message based on indicators such as messages being terminated by a "." on a line by itself and headers being separated from the body text by a blank line. But these methods get confused when you have headers or header-like information embedded in messages, attachments, etc.

DATA
  This command signifies that a stream of data, i.e. the email message body, will follow. The stream of data is terminated by a "." on a line by itself.

QUIT
  This terminates an SMTP connection. Multiple email messages can be transferred during a single TCP/IP connection. This allows for more efficient transfer of email. To start another email message in the same session, simply issue another "MAIL" command.

VRFY username
  This command requests that the receiving SMTP server verify that a given email username is valid. The SMTP server will reply with the login name of the user. This feature can be turned off in sendmail because allowing it can be a security hole. VRFY commands can be used to probe for login names on a system. See the security section below for information about turning off this feature.

EXPN aliasname
  EXPN is similar to VRFY, except that when used with a distribution list, it will list all users on that list. This can be a bigger problem than the "VRFY" command since sites often have an alias such as "all".

STARTTLS
  Try to activate/negotiate a secure connection with the TLS protocol (using an SSL certificate) to encrypt the transmission (secure tunnel), not to encrypt the mail content (use "PGP" or similar features instead).

Subject:
Cc:
Reply-To:
  Email header lines are not SMTP commands per se. They are sent in the DATA stream for a message. Header lines appear on a line by themselves, and are separated from the body of a message by a blank line.


More Details


For example, on the machine "myhost.domain.abc", I want to send email to a recipient whose mail is handled by the SMTP server on "domain.xyz".
I run the following commands to connect to that SMTP server:
 

Quick Test:
A quick test to send a simple SMTP mail by using Telnet (port 25):

TELNET smtp.domain.xyz 25
EHLO myhost.domain.abc
MAIL FROM:
RCPT TO:
DATA
From:
To:
Subject: Test Mail

Hello World !
.
QUIT

Examples

#1) Normal SMTP session:

C: TELNET smtp.domain.xyz 25
S: 220 smtp.domain.xyz ESMTP Postfix
C: EHLO myhost.domain.abc
S: 250 smtp.domain.xyz
S: 250 PIPELINING
S: 250 SIZE 10240000
S: 250 ETRN
S: 250 8BITMIME
C: MAIL FROM:
S: 250 Ok
C: RCPT TO:
S: 250 Ok
C: DATA
S: 354 End data with .
...
C: .
S: 250 Ok: queued as 0E3EA1D216
C: QUIT
S: 221 Bye

#2) Consider the following SMTP dialogue that does not use "pipelining" (sending multiple commands at once and reading the replies later):

C: TELNET smtp.domain.xyz 25
S: 220 smtp.domain.xyz SMTP service ready
C: HELO myhost.domain.abc
S: 250 smtp.domain.xyz
C: MAIL FROM:
S: 250 sender OK
C: RCPT TO:
S: 250 recipient OK
C: RCPT TO:
S: 250 recipient OK
C: RCPT TO:
S: 250 recipient OK
C: DATA
S: 354 enter mail, end with line containing only "."
...
C: .
S: 250 message sent
C: QUIT
S: 221 goodbye

#3) The client waits for a server response a total of 9 times in this simple example. But if "pipelining" is employed the following dialogue is possible:

C: TELNET smtp.domain.xyz 25
S: 220 domain.xyz SMTP service ready
C: EHLO domain.abc
S: 250 domain.xyz
S: 250 PIPELINING
C: MAIL FROM:
C: RCPT TO:
C: RCPT TO:
C: RCPT TO:
C: DATA
S: 250 sender OK
S: 250 recipient OK
S: 250 recipient OK
S: 250 recipient OK
S: 354 enter mail, end with line containing only "."
...
C: .
C: QUIT
S: 250 message sent
S: 221 goodbye

The total number of turnarounds has been reduced from 9 to 4.

#4) The next example illustrates one possible form of behavior when "pipelining" is used and all recipients are rejected:

C: TELNET smtp.domain.xyz 25
S: 220 domain.xyz SMTP service ready
C: EHLO domain.abc
S: 250 domain.xyz
S: 250 PIPELINING
C: MAIL FROM:
C: RCPT TO:
C: RCPT TO:
C: DATA
S: 250 sender OK
S: 550 remote mail to not allowed
S: 550 remote mail to not allowed
S: 554 no valid recipients given
C: QUIT
S: 221 goodbye

The client SMTP waits for the server 4 times here as well.

#5) If the server SMTP does not check for at least one valid recipient prior to accepting the DATA command, the following dialogue would result:

C: TELNET smtp.domain.xyz 25
S: 220 domain.xyz SMTP service ready
C: EHLO domain.abc
S: 250 domain.xyz
S: 250 PIPELINING
C: MAIL FROM:
C: RCPT TO:
C: RCPT TO:
C: DATA
S: 250 sender OK
S: 550 remote mail to not allowed
S: 550 remote mail to not allowed
S: 354 enter mail, end with line containing only "."
C: .
C: QUIT
S: 554 no valid recipients
S: 221 goodbye
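
The following Python sketch is an added example, not part of the original page. It reproduces the 9 and 4 turnaround counts of examples #2 and #3 and shows the check a pipelining client needs in cases #4 and #5: replies come back in command order, so they must be matched to their commands before any message text is sent. The list of group-ending verbs follows RFC 2920, the addresses are constructed placeholders, and EHLO stands in for the HELO of example #2 (the count is the same).

```python
# Verbs that must be the last command in a pipelined group (RFC 2920):
# the client has to read the replies before it can continue.
GROUP_END = {"EHLO", "DATA", "VRFY", "EXPN", "TURN", "QUIT", "NOOP"}

# Constructed session; the addresses are placeholders, not taken from the page.
SESSION = ["EHLO domain.abc", "MAIL FROM:<sender@domain.abc>",
           "RCPT TO:<user1@domain.xyz>", "RCPT TO:<user2@domain.xyz>",
           "RCPT TO:<user3@domain.xyz>", "DATA", ".", "QUIT"]

def batches(commands, pipelining):
    """Split commands into groups that are sent without waiting for replies."""
    if not pipelining:
        return [[cmd] for cmd in commands]
    groups, current = [], []
    for cmd in commands:
        current.append(cmd)
        if cmd.split()[0].upper() in GROUP_END:
            groups.append(current)
            current = []
    if current:
        groups.append(current)
    return groups

def turnarounds(commands, pipelining):
    """Times the client waits: once for the 220 greeting, once per group."""
    return 1 + len(batches(commands, pipelining))

def accepted_recipients(group, codes):
    """Pair each command of a MAIL/RCPT/DATA group with its reply code."""
    if len(group) != len(codes):
        raise ValueError("reply count does not match command count")
    return [cmd for cmd, code in zip(group, codes)
            if cmd.upper().startswith("RCPT") and code in (250, 251)]

def may_send_body(group, codes):
    """Send message text only after 354 AND at least one accepted recipient."""
    return codes[-1] == 354 and bool(accepted_recipients(group, codes))

if __name__ == "__main__":
    print(turnarounds(SESSION, False), turnarounds(SESSION, True))
    print(may_send_body(SESSION[1:6], [250, 250, 250, 250, 354]))
```

With the replies of example #5 (250, 550, 550, 354) `may_send_body` returns False, which is why the client in that dialogue sends only the terminating "." and no message text.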

The message text that would follow the "DATA" command is not displayed, but the message text would be sent in readable form as plain text, and encoded for binhex or MIME attachments. The other lines are reply output from the remote SMTP server. These messages include status responses and protocol information such as size limits for messages and preferred attachment formats.

Note that the SMTP server's welcome answer tells you whether it is willing to speak the ESMTP or the SMTP protocol.
So you can detect from it whether you can send an EHLO rather than a HELO.
Also note that the "smtp.domain.xyz" SMTP server identifies itself as a "Postfix" server. Postfix is an alternative SMTP server that performs the same tasks as "sendmail". Other SMTP server implementations include Lotus's Domino (aka Notes Server) and Microsoft's Exchange.

  ESMTP => 220 smtp.domain.xyz ESMTP Postfix  => Use "EHLO" for Extended SMTP commands
  SMTP  => 220 domain.xyz SMTP service ready  => Use "HELO" for basic SMTP commands

Security Information:

Please keep in mind that the VRFY and EXPN commands can expose user information to people by probing a system in preparation for an attack. This behavior can be turned off.
Relaying, where an intermediate server is used to send mail to a target domain, should also be limited.
To prevent it, we recommend going to the site www.sendmail.org and looking at the Anti-Spam / Anti-relay features available to Sendmail.

SMTP - Problem FW Cisco Pix - "fixup protocol SMTP (tcp/25)" activated:

C: telnet smtp.domain.xyz 25
S: 220 **********************************************************
C: ehlo hosts.domain.abc
S: 500 5.3.3 Unrecognized command or
S: 500 syntax error, command "XXXX XXXXXX" unrecognized

Important: on a Cisco Pix FW, the "Fixup protocol SMTP 25" or "Inspect ESMTP Protocol" settings are intended to allow only basic SMTP commands (for basic security), but they cause trouble when "Extended SMTP (ESMTP)" instructions are used (for example the "EHLO" command, as Lotus Notes sends).
=> The network admin must turn off the parameter on the FW to lift the restriction on SMTP commands and ensure that the extended SMTP commands are transmitted unchanged (no limitation).
/!\ This parameter is [Enabled] by default on Cisco Pix FW.
=> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b2ecb.shtml
=> http://www.zimbra.com/forums/users/1937-smtp-authentication-pix-firewall.html
=> http://www.cisco.com/warp/public/707/cisco-sa-20000927-pix-firewall-smtp-filter.shtml
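
The checks described in the banner note, the security section and the Pix section above can be scripted against a server you administer. This Python sketch is an added example, not part of the original page: `assess` is a pure function over the replies, `probe` collects them with the standard `smtplib` module, and the sample replies are constructed from the banners shown on this page. Treating 550-class replies to VRFY/EXPN as an answer is a conservative assumption.

```python
import smtplib

# Replies that confirm or deny a mailbox, i.e. the server answered the probe.
# 252 ("cannot VRFY") and 500/502 (unknown or disabled command) give nothing away.
ANSWERS = {250, 251, 550, 551, 553}

def assess(banner, features, vrfy_code, expn_code):
    """Pure check: turn raw probe results into a list of findings."""
    findings = []
    if not banner.replace("*", "").strip():
        findings.append("banner masked: SMTP inspection in path, EHLO may be rejected")
    elif "ESMTP" not in banner.upper():
        findings.append("banner does not announce ESMTP: expect HELO only")
    if vrfy_code in ANSWERS:
        findings.append("VRFY answers: user names can be enumerated")
    if expn_code in ANSWERS:
        findings.append("EXPN answers: aliases can be probed or expanded")
    if "starttls" not in features:
        findings.append("STARTTLS not offered: session stays in plain text")
    return findings

def probe(host, user, alias, port=25, timeout=10):
    """Collect banner, EHLO features and VRFY/EXPN replies from your own server."""
    smtp = smtplib.SMTP(timeout=timeout)
    _, banner = smtp.connect(host, port)          # (220, b"... ESMTP ...")
    smtp.ehlo_or_helo_if_needed()                 # falls back to HELO
    vrfy_code, _ = smtp.verify(user)
    expn_code, _ = smtp.expn(alias)
    features = set(smtp.esmtp_features)           # lower-cased EHLO keywords
    smtp.quit()
    return assess(banner.decode("ascii", "replace"), features, vrfy_code, expn_code)

if __name__ == "__main__":
    # Constructed replies modelled on the banners shown on this page (no network).
    samples = {
        "postfix": ("smtp.domain.xyz ESMTP Postfix", {"pipelining", "size"}, 502, 502),
        "basic":   ("domain.xyz SMTP service ready", set(), 250, 250),
        "pix":     ("*" * 58, set(), 500, 500),
    }
    for name, args in samples.items():
        print(name, assess(*args))
```

To clear the VRFY and EXPN findings, sendmail's `PrivacyOptions` accepts the `novrfy` and `noexpn` flags, and Postfix has `disable_vrfy_command = yes`.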