Nmap SMTP EHLO Enumeration Lab

SMTP infrastructure remains one of the most critical services in enterprise networks. For network engineers and security professionals, validating SMTP configuration and supported capabilities is an important part of infrastructure auditing.

This lab demonstrates how to use Nmap to enumerate an SMTP server and analyze its EHLO response capabilities.

Lab Objective

The goal of this lab is to:

Identify SMTP services
Enumerate server capabilities via EHLO
Validate authentication mechanisms
Understand how SMTP infrastructure exposes features

This exercise is useful for both infrastructure validation and defensive security assessment.

Step 1 – Identify SMTP Ports

SMTP commonly runs on the following ports:

25 – SMTP
465 – SMTPS
587 – Submission

Run a port scan:

nmap -p 25,465,587 mailserver.example.com

Example output:

PORT    STATE SERVICE
25/tcp  open  smtp
465/tcp open  smtps
587/tcp open  submission

Step 2 – SMTP Service Detection

Use service detection to determine the SMTP implementation.

nmap -sV -p 25 mailserver.example.com

Example output:

25/tcp open smtp Postfix smtpd

This reveals the mail server software.

Step 3 – Enumerate SMTP with Nmap Scripts

Nmap includes scripts designed specifically for SMTP enumeration. Run:

nmap --script smtp-commands -p 25 mailserver.example.com

Example output:

smtp-commands:
Supported commands:
EHLO
HELO
MAIL
RCPT
DATA
QUIT
AUTH
STARTTLS

This reveals what the server accepts.

Step 4 – EHLO Capability Analysis

EHLO is the modern SMTP greeting that reveals server capabilities. Example manual connection:

telnet mailserver.example.com 25

Then type:

EHLO testdomain.com

Example response:

250-mailserver.example.com
250-PIPELINING
250-SIZE 52428800
250-STARTTLS
250-AUTH LOGIN PLAIN
250 HELP

These capabilities show:

PIPELINING – multiple commands allowed
SIZE – maximum message size
STARTTLS – encryption supported
AUTH – authentication mechanisms

Step 5 – Nmap NSE Script for EHLO

You can automate capability enumeration using:

nmap --script smtp-enum-users -p 25 mailserver.example.com

Or run multiple scripts:

nmap --script smtp* -p 25 mailserver.example.com

This allows deeper inspection of the mail service.

Why This Matters for Infrastructure Security

EHLO responses can reveal:

Authentication methods
Encryption support
Mail server software
Configuration weaknesses

In enterprise environments, SMTP auditing helps identify:

Weak authentication mechanisms
Unencrypted mail submission
Misconfigured relays
Exposed internal infrastructure

Defensive Engineering Perspective

From a defensive standpoint, infrastructure engineers should verify:

STARTTLS is enabled
AUTH mechanisms are restricted
Open relay is disabled
SMTP banners reveal minimal information

Routine scanning with Nmap can help maintain proper mail server hygiene.

Conclusion

SMTP enumeration using Nmap provides valuable insight into mail server configuration. Understanding EHLO responses helps engineers validate infrastructure security and ensure that email services are properly hardened. For network and systems engineers responsible for enterprise infrastructure, tools like Nmap remain essential for maintaining operational visibility.