Simple Mail Transfer Protocol (SMTP) with Wireshark

Introduction to SMTP

The Simple Mail Transfer Protocol (SMTP) is one of three protocols used for email. The other two are Post Office Protocol v3 (POP3) and Internet Message Access Protocol (IMAP). 

SMTP is one of several internet protocols that are designed to be plaintext and ASCII printable. This means that traffic sent over SMTP is visible and easily readable by eavesdroppers. When running in plaintext mode, SMTP uses port 25. Port 587 is the official port that should be used by SMTP clients submitting traffic to be routed by a mail server.

However, using traffic that is easily readable by eavesdroppers is not a good idea for email. As a result, SMTP traffic can be encrypted using Transport Layer Security (TLS). The officially accepted way to use TLS with SMTP is to use port 25 and send a STARTTLS message to indicate the beginning of TLS usage. However, port 465 was historically used for encrypted SMTP and some implementations use this.

Whether you use an email server hosted on-premises or a webmail service like Gmail or O365, there is a decent chance that SMTP is being used somewhere behind the scenes. Google and other services maintain SMTP mail servers, allowing users to interact with them programmatically. For example, a Google mail server can be reached by using Telnet to connect to gmail-smtp-in.l.google.com on port 25.

SMTP in Wireshark

SMTP traffic can be filtered in Wireshark using the built-in smtp filter. Alternatively, users can filter for ports commonly used in SMTP traffic (i.e., 25, 587 and 465).

SMTP is a text-based protocol designed to be limited to printable ASCII characters. This is accomplished using a request-response structure. As shown in the image above, an SMTP request consists of a command followed by a set (Read more...)