SMTP Commands

This page gives a quick summary of the major commands and command sequence used by the SMTP Protocol to transfer email. In Unix, the "sendmail" program listens for connections on port 25, and the SMTP protocol is a plain text conversation. This means that it is possible to telnet to port 25 on a system and manually enter SMTP commands. This is useful for two things, manually testing a sendmail configuration, and forging email.

One unfortunate, but at times entertaining feature of sendmail is that it is trivial to generate forged email for older sendmail configurations. Newer sendmail features make it possible to perform some sanity checking on the sender of email. You can make sure that at least the sending machine is who they say they are via reverse DNS queries. But there is nothing to prevent the SOA DNS server for an address range from providing bogus reverse name information. The additional step of doing a second IP address look up to verify that the IP address returned in a name to IP lookup matches the IP address that made the connection in the first place. See the security section below for more information.

For what ever reason you want to enter SMTP commands manually, here is how to do so.

SMTP Commands:
HELO sendinghostname This command initiates the SMTP conversation. The host connecting to the remote SMTP server identifies itself by it's fully qualified DNS host name.
EHLO sendinghostname An alternative command for starting the conversation. This states that the sending server wants to use the extended SMTP (ESMTP) protocol.
MAIL From:<source email address> This is the start of an email message. The source email address is what will appear in the "From:" field of the message.
RCPT To:<destination email address> This identifies the receipient of the email message. This command can be repeated multiple times for a given message in order to deliver a single message to multiple receipients.
SIZE=numberofbytes The size command tells the remote sendmail system the size of the attached message in bytes. If ommited, mail readers and delivery agents will try to determine the size of a message based on indicators such as them being terminated by a "." on a line by themselves and headers being sent on a line separated from body text by a blank line. But these methods get confused when you have headers or header like information embedded in messages, attachements, etc.
DATA This command signifies that a stream of data, ie the email message body, will follow. The stream of data is terminated by a "." on a line by itself.

QUIT This terminates an SMTP connection. Multiple email messages can be transfered during a single TCP/IP connection. This allows for more efficient transfer of email. To start another email message in the same session, simply issue another "MAIL" command.
VRFY username This command will request that the receiving SMTP server verify that a given email username is valid. The SMTP server will reply with the login name of the user. This feature can be turned off in sendmail because allowing it can be a security hole. VRFY commands can be used to probe for login names on a system. See the security section below for information about turning off this feature.
EXPN aliasname EXPN is similar to VRFY, except that when used with a distribution list, it will list all users on that list. This can be a bigger problem than the "VRFY" command since sites often have an alias such as "all".
Email header lines are not SMTP commands per se. They are sent in the DATA stream for a message. Header lines appear on a line by themselves, and are seperated from the body of a message by a blank line.

The chat sequence used by Sendmail to deliver mail can be shown by running sendmail manually at the command line with a "-v" parameter. For example, on the machine "" want to send email to "". I run the following command to make sendmail on my system connect to the SMTP server for

$ /usr/lib/sendmail -v < /tmp/mtest Connecting to via esmtp...
220 ESMTP Postfix
>>> EHLO
250-SIZE 10240000
>>> MAIL From: SIZE=51
250 Ok
>>> RCPT To:
250 Ok
>>> DATA
354 End data with .
>>> .
250 Ok: queued as 0E3EA1D216 Sent (Ok: queued as 0E3EA1D216)
Closing connection to
>>> QUIT
221 Bye

The lines starting with a ">>>" are output from my sendmail program to the SMTP server on the other end of the connection. The message text that would follow the "DATA" command is surpressed in the "-v" output of sendmail, but in the actual interaction, the messge text would be sent in a readable form for plain text, and encoded for binhex or mime attachments. The lines other lines are reply output from the remote SMTP server. These messages include status responses and protocol information such as size limits for messages, and prefereed attachment formats.

Note that the SMTP server at tells me that he is willing to speak esmpt protocol, so my sendmail program sends an EHLO rather than an HELO. Also note that the SMTP server identifies itself as a "Postfix" server. Postfix is an alternative SMTP server that performs the same tasks as "sendmail". Other SMTP server implementations include Lotus's Domino (aka Notes Server) and Microsoft's Exchange.

Security Information:

As I mentioned earlier, the VRFY and EXPN commands can expose user information to people probing a system in preparation for an attack. This behavior can be turned off by using the following flag in the file:

O PrivacyOptions=goaway

To limit relaying, I recommend going to the site and looking at the Anti-Spam / Anti-relay features available to Sendmail.

Back Last Updated: February 17, 2000