SMTP (Simple Mail Transfer Protocol) is the Internet standard protocol for sending electronic mail. Mail servers use SMTP to transfer messages between each other, and mail clients use it (normally on the submission port, 587) to hand a new message to their own outgoing server. Clients do not use SMTP to read mail: the mail software on your desktop, laptop or phone pulls messages out of its mailbox with IMAP or POP3. In simple terms, SMTP pushes mail towards its destination and IMAP/POP3 pull it out at the other end. SMTP runs on top of TCP (Transmission Control Protocol).

SMTP through WireShark

To clear out confusion, SMTP is a delivery protocol only: it pushes mail towards the destination mail server. A mail client submits a new message to its provider's server on the submission port 587 (or 465 for implicit TLS); that server then looks up the MX record for the recipient's domain and delivers the message to the destination server on port 25. For example, if a user sends a mail to xyz@example.com, the message ends up at example.com's MX server on port 25, and it is then the responsibility of that server to put it in the mailbox of the user xyz.

Now when xyz opens the mailbox, the mail software (Mail, Outlook etc.) pulls the mailbox contents using POP (Post Office Protocol) or IMAP (Internet Message Access Protocol). So SMTP is the protocol of communication among mail servers (and from a client to its outgoing server); retrieving mail is a separate protocol.

Connecting to SMTP

Let us see it working. Fire up a terminal window (CLI preferred) and type in the following command

telnet <smtp_server> <port>

Here <smtp_server> is the name or IP address of the SMTP server we are testing and <port> is the port number the SMTP server is listening on (default is 25). For example, to test a connection to one of Google's inbound mail servers, type in

telnet gmail-smtp-in.l.google.com 25

If the connection is successful, you will see a 220 response with the name of the mail server. Type quit to close the connection.

Wireshark

To intercept and inspect packets we are going to use the Wireshark utility. Please install Wireshark and a Telnet client if you do not already have them for the OS and architecture you are using.

SMTP through WireShark - Mailbox

Inspecting SMTP traffic

Assuming Wireshark and a Telnet client are installed, fire up Wireshark, select the network interface you use to reach the Internet and start a capture. Now open a terminal window and type in

telnet gmail-smtp-in.l.google.com 25

If this does not work, your ISP may be blocking outbound traffic on port 25. You can try telnet smtp.gmail.com 587 instead to generate some SMTP traffic (587 is the submission port; the greeting and the first commands are still sent in clear text until the client issues STARTTLS). Now observe the server response.

Now type in helo followed by a host name (this is the SMTP greeting command; it is conventionally written HELO, but the verb is case-insensitive, and ehlo is the extended form) and observe the server response. Note that at this point one could enter mail, rcpt and data to send an SMTP message, but that only works on servers configured to allow clear-text relay without authentication, which most servers no longer are. It will not work on the 587 submission port either: a submission server expects STARTTLS and authentication before it accepts a sender, so the clear-text commands are rejected.

  • Type quit to close the connection.
  • Observe the server response.
  • Stop the Wireshark capture now.
  • Observe the traffic captured in the top Wireshark packet list pane.
  • To view only SMTP traffic, type smtp (lower case) in the display filter bar above the packet list and press Enter.
  • Select the first SMTP packet labeled 220 ….
  • Observe the destination IP address. To view all related traffic for this connection, change the filter to ip.addr == <destination>, where <destination> is the destination address of the SMTP packet (alternatively, right-click the packet and choose Follow > TCP Stream, which shows the whole conversation in one window).
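The exchange the telnet session above produces, written out as a small Python program so both sides of the conversation can be read together. This is an added example and not code from the original post: the server is a constructed stand-in that runs on 127.0.0.1, its host name mx.example.test, its banner and its reply texts are made up for the example, and, like a real submission server on 587, it refuses MAIL FROM until STARTTLS and authentication have happened. The client side shows the one thing a reader of raw captures most often gets wrong, namely that a reply can span several lines and only ends on the line where the code is followed by a space rather than a hyphen (RFC 5321, section 4.2).

```python
import socket
import threading

SERVER_NAME = "mx.example.test"   # constructed host name, not a real server


def handle_session(conn):
    """Server side of the dialogue: just enough SMTP for the walkthrough."""
    with conn:
        rfile = conn.makefile("rb")
        conn.sendall(f"220 {SERVER_NAME} ESMTP ready\r\n".encode())
        for raw in rfile:
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            verb, _, _arg = line.partition(" ")
            verb = verb.upper()                       # SMTP verbs are case-insensitive
            if verb == "HELO":
                conn.sendall(f"250 {SERVER_NAME}\r\n".encode())
            elif verb == "EHLO":
                # Multi-line reply: every line but the last uses "250-".
                conn.sendall((f"250-{SERVER_NAME} at your service\r\n"
                              "250-STARTTLS\r\n"
                              "250 SMTPUTF8\r\n").encode())
            elif verb in ("MAIL", "RCPT", "DATA"):
                # Submission-style refusal: no sender accepted before TLS + AUTH.
                conn.sendall(b"530 5.7.0 Must issue a STARTTLS command first\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 closing connection\r\n")
                break
            else:
                conn.sendall(b"502 5.5.1 Unrecognized command\r\n")


def start_server():
    """Start the constructed server on an ephemeral localhost port; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()      # one session is all the example needs
        srv.close()
        handle_session(conn)

    threading.Thread(target=run, daemon=True).start()
    return port


def read_reply(rfile):
    """Client side: read one SMTP reply, which may span several lines.

    'NNN-text' continues the reply, 'NNN text' (or a bare 'NNN') ends it.
    Returns (code, [lines]).
    """
    lines = []
    while True:
        line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed reply: {line!r}")
        lines.append(line)
        if len(line) == 3 or line[3] == " ":
            return int(line[:3]), lines


def smtp_dialogue(port, commands):
    """Connect, read the 220 banner, send each command, return [(code, lines)]."""
    transcript = []
    with socket.create_connection(("127.0.0.1", port)) as sock:
        rfile = sock.makefile("rb")
        transcript.append(read_reply(rfile))          # 220 service ready
        for cmd in commands:
            sock.sendall(cmd.encode("ascii") + b"\r\n")
            transcript.append(read_reply(rfile))
    return transcript


def demo():
    """The same dialogue as the telnet session: greeting, EHLO, a refused MAIL, QUIT."""
    port = start_server()
    return smtp_dialogue(port, [
        "EHLO client.example.test",
        "MAIL FROM:<alice@example.test>",   # refused with 530: no TLS/AUTH yet
        "QUIT",
    ])


if __name__ == "__main__":
    for code, lines in demo():
        print(code, " | ".join(lines))
```

Run it and compare the printed codes with what you see in Wireshark: 220 on connect, 250 (three lines, joined by the client) for EHLO, 530 for the premature MAIL FROM, 221 after QUIT. The telnet typing in the walkthrough is exactly what smtp_dialogue sends, minus the one-keystroke-per-segment behaviour of telnet.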

Analysing TCP Traffic

We have already generated some traffic for Wireshark to capture. Next we are going to look at the transaction carried out over the SMTP protocol. First we observe the TCP handshake between the client and the destination server. To do that, follow these steps

  • Observe the traffic captured in the top Wireshark packet list pane. The first three packets (TCP SYN, TCP SYN/ACK, TCP ACK) are the TCP three way handshake.
  • Select the first packet. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
  • Expand Ethernet II to view Ethernet details.
  • Observe the Destination and Source fields. The destination should be your default gateway's MAC address (the mail server is not on your LAN, so the frame is handed to the router) and the source should be your MAC address. You can confirm this with ipconfig /all and arp -a on Windows, or ip addr and ip neigh on Linux.
  • Expand Internet Protocol Version 4 to view IP details.
  • Observe the Source address. Notice that the source address is your IP address.
  • Observe the Destination address. Notice that the destination address is the IP address of the SMTP server.
  • Expand Transmission Control Protocol to view TCP details. Observe the Source port. Notice that it is a dynamic (ephemeral) port selected for this SMTP connection.
  • Observe the Destination port. Notice that it is SMTP (port 25, or 587 if you connected to the submission port). Note that all of the packets for this connection will have matching MAC addresses, IP addresses and port numbers, with source and destination swapped in the server-to-client direction.

Analysing SMTP Service Ready Traffic

We have already analysed the first three packets, which make up the TCP handshake. Now we will look at the packet that carries the Service Ready message. For this, select the fourth packet

  • This is the first SMTP packet and is labeled 220 ….
  • Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol / Simple Mail Transfer Protocol frame. Also notice that the Ethernet II, Internet Protocol Version 4, and Transmission Control Protocol values are consistent with the TCP connection analyzed above (source and destination are now swapped, because this packet comes from the server).
  • Expand Simple Mail Transfer Protocol and Response to view SMTP details. Observe the Response code and Response parameter.
  • Observe the traffic captured in the top Wireshark packet list pane.
  • Select the fifth packet, labeled TCP ACK. This is the client TCP acknowledgement of receiving the Service Ready message.

Analysing our HELO message Traffic

So far so good; we have seen the first SMTP packet. Next we analyse the packets that carried our helo command to the server, and then the subsequent quit command

  • Observe the traffic captured in the top Wireshark packet list pane.
  • Select the following TCP segments and acknowledgements. If you observe the packet details in the bottom Wireshark packet bytes pane carefully, you will see that the segments spell out the helo command one character at a time: telnet sends each keystroke as its own TCP segment, and the server acknowledges each one. The sequence ends with a Wireshark-reassembled SMTP client helo message, followed by a server acknowledgement via TCP.
  • Select the following SMTP packet, labeled 250 …
  • Observe the packet details in the middle Wireshark packet details pane.
  • Expand Simple Mail Transfer Protocol and Response to view SMTP details.
  • Observe the Response code and Response parameter.
  • Observe the traffic captured in the top Wireshark packet list pane.
  • Select the following TCP segments and acknowledgements. If you observe the packet details in the bottom Wireshark packet bytes pane carefully, you will see that the segments spell out the quit command, again one keystroke per segment. The sequence ends with a Wireshark-reassembled SMTP client quit message, followed by a server TCP acknowledgement.
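What Wireshark does between those single-character segments and the reassembled helo and quit packets in the two steps above, as an added example that is not part of the original post. The capture is constructed for the example (relative sequence numbers as Wireshark shows them, first data byte at 1, host name mx.example.test made up), and it deliberately contains a retransmitted segment and two segments that arrived out of order, the cases a naive "concatenate payloads in capture order" approach gets wrong. Bytes are placed by stream offset, so duplicates overwrite themselves, late segments land in the right place and a real gap is reported rather than silently joined.

```python
CLIENT, SERVER = "client", "server"

# Constructed capture: (direction, relative TCP seq, payload).
# Zero-length payloads are pure ACKs; an 'smtp' display filter hides them.
CAPTURE = [
    (SERVER, 1, b"220 mx.example.test ESMTP ready\r\n"),   # service ready
    (CLIENT, 1, b""),                                      # client ACKs banner
    (CLIENT, 1, b"h"), (CLIENT, 2, b"e"), (CLIENT, 3, b"l"), (CLIENT, 4, b"o"),
    (CLIENT, 3, b"l"),                                     # retransmitted segment
    (CLIENT, 5, b"\r\n"),
    (SERVER, 34, b""),                                     # server ACKs the command
    (SERVER, 34, b"250 mx.example.test\r\n"),
    (CLIENT, 7, b"q"), (CLIENT, 9, b"i"), (CLIENT, 8, b"u"),  # 'i' arrived before 'u'
    (CLIENT, 10, b"t"), (CLIENT, 11, b"\r\n"),
    (SERVER, 55, b"221 2.0.0 closing connection\r\n"),
]


def reassemble(segments, direction):
    """Rebuild one direction's byte stream from its segments by stream offset."""
    stream = {}
    for who, seq, payload in segments:
        if who != direction:
            continue
        for i, b in enumerate(payload):
            off = seq + i
            if off in stream and stream[off] != b:
                raise ValueError(f"conflicting retransmission at offset {off}")
            stream[off] = b
    if not stream:
        return b""
    first, last = min(stream), max(stream)
    missing = [o for o in range(first, last + 1) if o not in stream]
    if missing:
        raise ValueError(f"gap in {direction} stream at offsets {missing[:5]}")
    return bytes(stream[o] for o in range(first, last + 1))


def smtp_lines(segments, direction):
    """The CRLF-terminated SMTP lines of one direction, as text."""
    data = reassemble(segments, direction)
    return [l.decode("ascii") for l in data.split(b"\r\n") if l]


def transcript(segments):
    """Commands and replies in capture order: one entry per completed line,
    emitted as soon as the bytes from the read pointer up to CRLF are all present.
    This is the view Wireshark's packet list gives once reassembly is done."""
    buf = {CLIENT: {}, SERVER: {}}
    next_off = {CLIENT: None, SERVER: None}
    out = []
    for who, seq, payload in segments:
        if next_off[who] is None:
            next_off[who] = seq                 # first segment fixes the stream start
        for i, b in enumerate(payload):
            buf[who][seq + i] = b
        while True:                             # drain every now-complete line
            off = next_off[who]
            line = bytearray()
            while off in buf[who]:
                line.append(buf[who][off])
                off += 1
                if line.endswith(b"\r\n"):
                    break
            if not line.endswith(b"\r\n"):
                break
            out.append((who, bytes(line[:-2]).decode("ascii")))
            next_off[who] = off
    return out


if __name__ == "__main__":
    for who, line in transcript(CAPTURE):
        print(f"{who:>6}: {line}")
```

Running it prints the five-line conversation (220, helo, 250, quit, 221) even though the client side arrived as eleven tiny segments plus a duplicate. Delete the (CLIENT, 8, b"u") entry from CAPTURE and reassemble raises on the gap, which is also why Wireshark marks such streams with "TCP Previous segment not captured" instead of showing a reassembled SMTP packet.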

Analysing SMTP Closing Traffic

Yay! We have inspected all the packets we sent using SMTP and seen how the exchange works. Now we look at how SMTP closes the connection after the quit command

  • Select the SMTP packet, labeled 221 …
  • Observe the packet details in the middle Wireshark packet details pane.
  • Expand Simple Mail Transfer Protocol and Response to view SMTP details.
  • Observe the Response code and Response parameter.
  • Close Wireshark to complete this activity.

That is it for today's step-by-step guide to the working of the SMTP protocol. Networking is interesting, though to the new generation it may seem trivial; one should still know how the system works under the hood. The more knowledge one has, the more one can leverage technology at an advanced level (even with many layers of abstraction in between).


About The Author

I am Pankaj Baagwan, a System Design Architect. A Computer Scientist by heart, process enthusiast, and open source author/contributor/writer. Advocates Karma. Love working with cutting edge, fascinating, open source technologies.

  • To consult Pankaj Bagwan on System Design, Cyber Security and Application Development, SEO and SMO, please reach out at me[at]bagwanpankaj[dot]com

  • For promotion/advertisement of your services and products on this blog, please reach out at me[at]bagwanpankaj[dot]com

Stay tuned <3. Signing off for RAAM