Master SMTP Suite


Skill by Cliptics · security · v1.0.0 · MIT


Test and analyze SMTP (Simple Mail Transfer Protocol) server security, configuration, and email infrastructure. This skill covers SMTP enumeration, relay testing, SPF/DKIM/DMARC validation, email spoofing assessment, and mail server hardening verification for authorized security assessments.

When to Use This Skill

Choose Master SMTP Suite when you need to:

  • Enumerate SMTP servers and test for open relay vulnerabilities
  • Validate SPF, DKIM, and DMARC email authentication configurations
  • Assess email spoofing risks during penetration testing
  • Audit mail server configurations for security best practices

Consider alternatives when:

  • You need general network scanning (use scanning framework skills)
  • You need phishing campaign testing (use social engineering frameworks)
  • You need email deliverability optimization (use email marketing tools)

Quick Start

```python
import re
import smtplib
from dataclasses import dataclass
from typing import List

import dns.resolver  # dnspython


@dataclass
class SMTPFinding:
    check: str
    result: str
    severity: str
    details: str


class SMTPSecurityTester:
    """Test SMTP server security configuration."""

    def __init__(self, domain):
        self.domain = domain
        self.findings: List[SMTPFinding] = []

    def enumerate_mx(self):
        """Discover MX records for the domain, lowest preference first."""
        try:
            mx_records = dns.resolver.resolve(self.domain, 'MX')
        except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
            print(f"No MX records for {self.domain}")
            return []
        servers = sorted((r.preference, str(r.exchange).rstrip('.'))
                         for r in mx_records)
        print(f"MX records for {self.domain}:")
        for pref, host in servers:
            print(f"  Priority {pref}: {host}")
        return servers

    def check_spf(self):
        """Verify SPF record configuration."""
        try:
            txt_records = dns.resolver.resolve(self.domain, 'TXT')
        except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
            self.findings.append(SMTPFinding(
                'SPF', 'MISSING', 'HIGH', 'No TXT records found'))
            return None
        spf_records = [str(r) for r in txt_records if 'v=spf1' in str(r)]
        if not spf_records:
            self.findings.append(SMTPFinding(
                'SPF', 'MISSING', 'HIGH',
                'No SPF record found — domain is vulnerable to email spoofing'))
            return None
        spf = spf_records[0]
        print(f"SPF: {spf}")
        # Classify the qualifier on the terminal "all" mechanism
        if '+all' in spf:
            self.findings.append(SMTPFinding(
                'SPF', 'PERMISSIVE', 'CRITICAL',
                'SPF record uses +all — allows anyone to send as this domain'))
        elif '~all' in spf:
            self.findings.append(SMTPFinding(
                'SPF', 'SOFT_FAIL', 'MEDIUM',
                'SPF uses ~all (soft fail) — should use -all (hard fail)'))
        elif '-all' in spf:
            print("  SPF correctly configured with -all")
        return spf

    def check_dmarc(self):
        """Verify DMARC record configuration."""
        dmarc_domain = f"_dmarc.{self.domain}"
        try:
            records = dns.resolver.resolve(dmarc_domain, 'TXT')
        except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
            self.findings.append(SMTPFinding(
                'DMARC', 'MISSING', 'HIGH', 'No DMARC record found'))
            return None
        dmarc = [str(r) for r in records if 'v=DMARC1' in str(r)]
        if not dmarc:
            self.findings.append(SMTPFinding(
                'DMARC', 'MISSING', 'HIGH',
                'No DMARC record — email authentication not enforced'))
            return None
        record = dmarc[0]
        print(f"DMARC: {record}")
        # Match the p= tag only, not sp= (subdomain policy), which a bare
        # substring test for "p=none" would also hit.
        match = re.search(r'(?:^|;)\s*p=(\w+)', record)
        policy = match.group(1) if match else 'none'
        if policy == 'none':
            self.findings.append(SMTPFinding(
                'DMARC', 'MONITOR_ONLY', 'MEDIUM',
                'DMARC policy is "none" — spoofed emails are delivered'))
        elif policy == 'quarantine':
            print("  DMARC: quarantine policy (good)")
        elif policy == 'reject':
            print("  DMARC: reject policy (best)")
        return record

    def check_starttls(self, mx_host, port=25):
        """Check if SMTP server supports STARTTLS."""
        try:
            server = smtplib.SMTP(mx_host, port, timeout=10)
            server.ehlo()
            if server.has_extn('STARTTLS'):
                print(f"  {mx_host}: STARTTLS supported")
                server.starttls()
                server.ehlo()  # re-EHLO over TLS, as RFC 3207 requires
            else:
                self.findings.append(SMTPFinding(
                    'STARTTLS', 'NOT_SUPPORTED', 'HIGH',
                    f'{mx_host} does not support STARTTLS — emails sent in plaintext'))
            server.quit()
        except (OSError, smtplib.SMTPException) as e:
            print(f"  {mx_host}: Connection failed ({e})")

    def report(self):
        print(f"\n=== SMTP SECURITY REPORT: {self.domain} ===")
        if not self.findings:
            print("No issues found")
        for f in self.findings:
            print(f"[{f.severity}] {f.check}: {f.result}")
            print(f"  {f.details}")


# tester = SMTPSecurityTester("example.com")
# mx_servers = tester.enumerate_mx()
# tester.check_spf()
# tester.check_dmarc()
# for _, mx in mx_servers[:3]:
#     tester.check_starttls(mx)
# tester.report()
```

Core Concepts

Email Authentication Stack

Protocol  | Purpose                        | DNS Record                  | Prevents
----------|--------------------------------|-----------------------------|-------------------------
SPF       | Authorize sending IPs          | TXT on domain               | IP-based spoofing
DKIM      | Sign email content             | TXT on selector._domainkey  | Content tampering
DMARC     | Policy for SPF/DKIM failures   | TXT on _dmarc.domain        | Domain spoofing
MTA-STS   | Enforce TLS for SMTP           | TXT + HTTPS policy          | MITM downgrade attacks
DANE/TLSA | Certificate pinning for SMTP   | TLSA record                 | Certificate substitution

Configuration

Parameter      | Description                              | Default
---------------|------------------------------------------|----------------
domain         | Target domain to assess                  | Required
check_spf      | Verify SPF configuration                 | true
check_dkim     | Verify DKIM selectors                    | true
check_dmarc    | Verify DMARC policy                      | true
check_tls      | Test STARTTLS support                    | true
test_relay     | Test for open relay (authorized only)    | false
timeout        | SMTP connection timeout (seconds)        | 10
dkim_selectors | DKIM selectors to check                  | Common defaults

Best Practices

  1. Check SPF, DKIM, and DMARC together — they work as a system. SPF alone is easily bypassed because it validates the envelope sender (MAIL FROM), not the header From that the recipient sees. DKIM alone doesn't specify policy. DMARC ties them together with alignment and enforcement. All three must be properly configured for effective email authentication.

  2. Verify DMARC policy is "reject" or "quarantine", not "none" — p=none only monitors without enforcement, so spoofed emails still reach recipients. Organizations should start with p=none for monitoring, then move to p=quarantine and finally p=reject once legitimate email sources are properly configured.

  3. Test from outside the organization's network — SMTP relay and authentication tests should be performed from external IPs to accurately simulate an attacker's perspective. Internal testing may bypass network-level controls that protect the SMTP server.

  4. Document email infrastructure for the client — Many organizations don't have a complete inventory of legitimate email-sending services (marketing platforms, CRM systems, ticketing). The security assessment should map all authorized senders to help improve SPF records.

  5. Test email spoofing impact, not just configuration — Even with DMARC p=reject, test whether spoofed emails are actually blocked by sending test messages. Some receiving servers don't enforce DMARC, and misconfigured sending infrastructure may cause legitimate emails to fail DMARC checks.

Common Issues

SPF record exceeds 10 DNS lookup limit — The SPF specification (RFC 7208) limits lookup-causing terms (include, a, mx, ptr, exists, redirect) to 10 per evaluation; a record that exceeds the limit yields permerror, so receivers treat SPF as broken for the domain. Organizations using many email services (Google Workspace, Mailchimp, SendGrid, Salesforce) quickly hit this limit. Use SPF flattening tools or consolidate sending through fewer services.
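The following is an added example, not code from the Master SMTP Suite skill. It complements the Quick Start (which only fetches records) with an offline analysis of SPF and DMARC records that have already been retrieved: it counts the lookup-causing SPF terms described above against the limit of 10, classifies the terminal "all" qualifier, and splits a DMARC record into tags so the p= and pct= values can be judged as the Core Concepts table describes. The sample records are constructed and refer to no real domain; the function names are this example's own.

```python
# Added example (not part of the Master SMTP Suite skill): offline analysis of
# SPF and DMARC records that have already been fetched from DNS. The sample
# records at the bottom are constructed for illustration.
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Mechanisms and modifiers that each cost one of the 10 DNS lookups RFC 7208
# permits per SPF evaluation. "ip4", "ip6" and "all" cost nothing.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


@dataclass
class SPFAnalysis:
    record: str
    lookups: int
    all_qualifier: str  # '+', '-', '~', '?' or '' if there is no "all" term
    issues: List[str] = field(default_factory=list)


def analyze_spf(record: str) -> SPFAnalysis:
    """Count lookup-causing terms and classify the final "all" qualifier.

    Only the top-level record is examined; "include:" targets are not
    fetched, so the real lookup count can only be higher, never lower.
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    lookups = 0
    all_q = ""
    for term in terms[1:]:
        qualifier = "+"  # the default when no qualifier is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        elif name == "all":
            all_q = qualifier
    issues = []
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups exceeds the RFC 7208 limit of 10 (permerror)")
    if all_q == "+":
        issues.append("+all lets any host send as this domain")
    elif all_q == "?":
        issues.append("?all is neutral, equivalent to no policy")
    elif all_q == "~":
        issues.append("~all soft-fails; -all is the enforcing choice")
    elif all_q == "":
        issues.append('no "all" term; unlisted senders get an implicit neutral result')
    return SPFAnalysis(record, lookups, all_q, issues)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into its tag=value pairs (RFC 7489 section 6.3)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_enforcement(tags: Dict[str, str]) -> str:
    """Describe what a receiver does with a message that fails DMARC."""
    policy = tags.get("p", "none")
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return "monitor only: failing mail is delivered"
    if pct < 100:
        return f"{policy} applied to {pct}% of failing mail; the rest is delivered"
    return f"{policy} applied to all failing mail"


# Constructed sample records (not taken from any real domain).
SAMPLE_SPF = ("v=spf1 include:_spf.example.net include:mail.example.org "
              "a mx ip4:192.0.2.0/24 ~all")
SAMPLE_DMARC = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    spf = analyze_spf(SAMPLE_SPF)
    print(f"SPF lookups: {spf.lookups}, all qualifier: {spf.all_qualifier}")
    for issue in spf.issues:
        print(f"  - {issue}")
    print(f"DMARC: {dmarc_enforcement(parse_dmarc(SAMPLE_DMARC))}")
```

The pct= tag is worth checking alongside p=: a record of p=reject; pct=0 looks enforcing at a glance but delivers every failing message, so report the effective enforcement rather than the policy keyword alone.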

DKIM selector is unknown — DKIM selectors are arbitrary strings chosen by the domain owner. Common selectors: google, selector1, selector2, k1, default. Use tools like nslookup -type=TXT selector._domainkey.domain.com with common selectors, or read the s= tag from the DKIM-Signature header of a message the domain has sent.
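The following is an added example, not code from the Master SMTP Suite skill. It implements the selector probing described above (the check_dkim / dkim_selectors parameters in the Configuration table, which the Quick Start code does not cover): each candidate selector is looked up as selector._domainkey.domain, the TXT strings are joined as DNS concatenates them, and the record is parsed so an empty p= tag (a revoked key) is reported separately from an active one. The resolver is injected as a function so the logic runs offline against a constructed fake zone; in practice you would pass a wrapper around dnspython's dns.resolver.resolve. The selector list extends the page's with a few assumed common defaults, and the key material in the fake zone is a placeholder.

```python
# Added example (not part of the Master SMTP Suite skill): probe common DKIM
# selectors for a domain. The resolver is injected so this runs offline
# against the constructed FAKE_ZONE below.
from typing import Callable, Dict, List, Optional, Sequence

# Selectors named on the page plus a few widely used defaults (assumed list).
COMMON_SELECTORS = ("google", "selector1", "selector2", "k1", "default", "dkim", "mail")

# name -> list of TXT strings, or None when the name has no TXT record
TxtResolver = Callable[[str], Optional[List[str]]]


def parse_dkim_record(txt: str) -> Dict[str, str]:
    """Split a DKIM key record (RFC 6376 section 3.6.1) into tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def probe_dkim_selectors(domain: str, resolve_txt: TxtResolver,
                         selectors: Sequence[str] = COMMON_SELECTORS) -> Dict[str, Dict[str, str]]:
    """Return {selector: parsed record} for every selector that publishes a key.

    A record whose p= tag is empty is a revoked key (RFC 6376 section 3.6.1);
    it is returned with "status" = "revoked" so the caller can flag it.
    """
    found = {}
    for sel in selectors:
        name = f"{sel}._domainkey.{domain}"
        txts = resolve_txt(name)
        if not txts:
            continue
        # Long keys are published as several quoted strings; join them as
        # a DKIM verifier would.
        record = "".join(txts)
        tags = parse_dkim_record(record)
        if "p" not in tags:  # a TXT record exists but it is not a DKIM key
            continue
        tags["status"] = "revoked" if tags["p"] == "" else "active"
        found[sel] = tags
    return found


# Constructed fake zone standing in for DNS (not any real domain's data).
# The p= value is a placeholder, not real key material.
FAKE_ZONE = {
    "google._domainkey.example.com": ["v=DKIM1; k=rsa; ", "p=PLACEHOLDERKEY"],
    "k1._domainkey.example.com": ["v=DKIM1; k=rsa; p="],
    "mail._domainkey.example.com": ["some unrelated text"],
}


def fake_resolve_txt(name: str) -> Optional[List[str]]:
    """Stand-in resolver: look the name up in FAKE_ZONE."""
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    for sel, tags in probe_dkim_selectors("example.com", fake_resolve_txt).items():
        print(f"{sel}: {tags['status']} (k={tags.get('k', 'rsa')})")
```

Treat a revoked selector as information, not a finding: publishing p= with an empty value is the documented way to retire a key, and the audit question is whether any selector still in use by the domain's senders resolves to an active key.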

SMTP connection times out on port 25 — Many ISPs and cloud providers block outbound port 25 to prevent spam. Test from a server or VPS that allows port 25 access. Alternatively, use port 587 (submission) or 465 (SMTPS) for testing authenticated connections.
