Nmap Development mailing list archives

Re: How to find out if SMTP mailserver supports STARTTLS or (only) SSL/TLS ?


From: "Watson, Patrick" <Patrick.Watson () ncr com>
Date: Thu, 26 Oct 2017 16:26:15 +0000

There are 4 possible states:

Service    STARTTLS      Meaning
smtp       not present   TLS is not supported at all; everything is plain text
smtp       present       TLS is only supported via STARTTLS. The connection begins unencrypted. This is called “Opportunistic TLS”
ssl/smtp   not present   TLS is only supported at the connection level, which begins encrypted. STARTTLS is not supported
ssl/smtp   present       TLS is supported at the connection level, which begins encrypted. You can also issue a STARTTLS command to turn on TLS, but that doesn’t make any sense because it’s already on. Thus, you probably won’t see this often in real life.



-- Patrick
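As an added example (not code from the thread), a small Python script that applies the four-state table above to nmap's normal output: it reads each port's service name (smtp vs ssl/smtp) and the keyword list printed by smtp-commands, then reports which state the port is in. The sample output is constructed, modelled on the gmail scan quoted further down in this thread, with a hypothetical plaintext-only port 25 (mail.example.test) added to cover the no-TLS case.

```python
import re

# Constructed sample modelled on the gmail scan quoted in this thread; the
# port 25 entry (mail.example.test) is hypothetical and shows the no-TLS case.
SAMPLE = """\
PORT    STATE SERVICE  VERSION
25/tcp  open  smtp     Postfix smtpd
| smtp-commands: mail.example.test, PIPELINING, SIZE 10240000, 8BITMIME,
|_ 2.0.0 Ok
465/tcp open  ssl/smtp Google gsmtp
| smtp-commands: smtp.gmail.com at your service, SIZE 35882577, 8BITMIME, AUTH LOGIN PLAIN,
|_ 2.0.0 https://www.google.com/search?btnI&q=RFC+5321 - gsmtp
587/tcp open  smtp     Google gsmtp
| smtp-commands: smtp.gmail.com at your service, SIZE 35882577, 8BITMIME, STARTTLS, PIPELINING,
|_ 2.0.0 https://www.google.com/search?btnI&q=RFC+5321 - gsmtp
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")

def classify(service, starttls):
    """Map nmap's service name plus STARTTLS presence onto the four states."""
    implicit = service.startswith("ssl/")  # TLS from the first byte (SMTPS)
    if implicit and starttls:
        return "implicit TLS; STARTTLS also advertised (redundant, rare)"
    if implicit:
        return "implicit TLS only (SMTPS); no STARTTLS"
    if starttls:
        return "opportunistic TLS via STARTTLS only; session starts in plaintext"
    return "no TLS at all; everything is plaintext"

def parse_nmap(text):
    """Return {port: (service, starttls_present, state)} from nmap normal output."""
    seen, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = (int(m.group(1)), m.group(2))
            seen[current] = False
        elif current and line.startswith("|"):
            # smtp-commands prints the EHLO keywords as one comma-separated list;
            # "| " continuation lines are accepted so wrapped output still counts.
            body = line.lstrip("|_ ").split("smtp-commands:", 1)[-1]
            keywords = {k.split()[0].upper() for k in body.split(",") if k.strip()}
            seen[current] = seen[current] or "STARTTLS" in keywords
    return {port: (svc, st, classify(svc, st)) for (port, svc), st in seen.items()}

if __name__ == "__main__":
    for port, (svc, st, state) in sorted(parse_nmap(SAMPLE).items()):
        print(f"{port}/tcp {svc:<8} STARTTLS={'yes' if st else 'no'} -> {state}")
```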

From: Ben Stover <bxstover () yahoo co uk>
Date: Thursday, October 26, 2017 at 1:41 AM
To: "Watson, Patrick" <Patrick.Watson () ncr com>
Cc: nmap MailList <dev () nmap org>
Subject: Re: How to find out if SMTP mailserver supports STARTTLS or (only) SSL/TLS ?

Hello Patrick,

thank you for the information.

Just to clarify:

If in the list of reported smtp-commands the tag "STARTTLS" appears then (only) the STARTTLS protocol is valid on this port.
If the tag STARTTLS is NOT listed in the output of smtp-commands then (only) SSL/TLS is supported.

Correct?

Ben


--Original Message Text---
From: Watson, Patrick
Date: Mon, 23 Oct 2017 16:59:10 +0000

Combining the smtp-commands script with the normal version scanning, you can figure this out.

Using gmail’s SMTP as an example below, I’ve highlighted in yellow the parts you want to pay attention to. Port 465 uses TLS from the start (aka SMTPS). Port 587 uses STARTTLS to switch from plain text to TLS after connecting.

# nmap -sV -Pn -p 465,587 --version-intensity 8 --script smtp-commands.nse smtp.gmail.com

Starting Nmap 6.47 ( http://nmap.org ) at 2017-10-23 16:49 UTC
Nmap scan report for smtp.gmail.com (74.125.136.108)
Host is up (0.012s latency).
Other addresses for smtp.gmail.com (not scanned): 74.125.136.109
PORT    STATE SERVICE  VERSION
465/tcp open  ssl/smtp Google gsmtp
| smtp-commands: smtp.gmail.com at your service, [73.237.100.36], SIZE 35882577, 8BITMIME, AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH, ENHANCEDSTATUSCODES, PIPELINING, CHUNKING, SMTPUTF8,
|_ 2.0.0 https://www.google.com/search?btnI&q=RFC+5321 j14sm454180ywg.74 - gsmtp
587/tcp open  smtp     Google gsmtp
| smtp-commands: smtp.gmail.com at your service, [73.237.100.36], SIZE 35882577, 8BITMIME, STARTTLS, ENHANCEDSTATUSCODES, PIPELINING, CHUNKING, SMTPUTF8,
|_ 2.0.0 https://www.google.com/search?btnI&q=RFC+5321 b129sm3894212ywe.99 - gsmtp
Service Info: Host: smtp.gmail.com

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.84 seconds

-- Patrick
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/