What is my SMTP banner?

When connecting to a remote mail server using SMTP (Simple Mail Transfer Protocol), the first thing that gets transmitted is an SMTP banner. This banner identifies the mail server and provides some basic information about it. Understanding what your SMTP banner reveals and how to optimize it for security is an important part of email server administration.

In this comprehensive guide, we’ll cover everything you need to know about SMTP banners, including:

  • What is an SMTP banner and what information does it contain?
  • How to view and inspect your current SMTP banner
  • Best practices for optimizing your banner for security
  • Customizing your banner with branding and messaging
  • Tools and techniques for modifying your SMTP banner
  • The importance of keeping your mail server software up-to-date

Follow along to gain key insights into SMTP banners and learn how to configure yours to avoid revealing unnecessary details to spammers and attackers.

An SMTP banner is a response sent by a mail server when an incoming SMTP connection is initiated. The banner identifies the mail server software and host and can provide additional details like the software version number, host name, operating system, installed extensions, and more.

Here is an example SMTP banner:

220 mail.example.com ESMTP Postfix

This banner indicates that the host name is mail.example.com and the software is Postfix. ESMTP tells us that the Extended SMTP protocol is supported.

Key details contained in SMTP banners:

  • Hostname – The FQDN (fully qualified domain name) of the mail server.
  • Software name and version – Type of mail server software and version in use (e.g. Postfix 2.10.1).
  • Operating system – Details about the OS like distribution name and kernel version.
  • Installed extensions – SMTP extensions supported, like STARTTLS, SIZE, PIPELINING, etc.
  • Custom messaging – Administrators can configure custom text in banners.

Banners are specified in RFC 5321, the primary SMTP protocol standard, making them a required part of SMTP communication. The server banner is one of the first things transmitted during the initial SMTP connection and handshake.

Why Do SMTP Banners Matter for Security?

The information exposed in SMTP banners can pose a security risk if too much detail is revealed or banners are misconfigured. Here are some potential security issues to be aware of:

  • Software version detection – Hackers can fingerprint the mail server software and version to search for known vulnerabilities. Up-to-date software is important.
  • OS and host details – Attackers can gain insights into the target host environment from OS and host specifics. Avoid revealing OS kernel versions and patch levels.
  • Unsupported extensions – Displaying deprecated SMTP extensions like VRFY and EXPN indicates an outdated mail server.
  • Custom banners – Attackers mine custom text in banners for names, contact info, and other details. Don’t include sensitive info.
  • Host reputation – Mail servers with poor reputation due to issues like open relays display this in banners.

To avoid these risks, SMTP banners should follow security best practices around disclosure. Servers should aim for generic, impersonal banners that reveal core software info without going into unnecessary detail.

Viewing Your SMTP Banner

Checking your current SMTP banner is easy – you just need to connect to your mail server using Telnet or a tool like OpenSSL. Here are the steps:

With Telnet:

  1. Connect to your mail server on port 25 (SMTP) with Telnet:

telnet mail.yourdomain.com 25

The banner will display after you connect:

Trying 192.0.2.1...
Connected to mail.yourdomain.com.
Escape character is '^]'.
220 mail.yourdomain.com ESMTP MyCustomMailServer

With OpenSSL:

  1. Use OpenSSL to connect on SMTP port:

openssl s_client -connect mail.yourdomain.com:25 -starttls smtp

Your mail server’s banner will print after connecting:

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.yourdomain.com
verify return:1
220 mail.yourdomain.com ESMTP Postfix
 OK The SMTP server is ready

The banner is displayed after the “verify return:1” lines. In this example, we see a Postfix server.

Both methods connect on port 25 to get the raw SMTP banner your mail server sends.

Best Practices for Secure SMTP Banners

To avoid giving away unnecessary details to attackers, SMTP banners should follow these security best practices:

  • Omit software version – Only include software name, avoid full version string like “Postfix 2.10.1”.
  • Omit operating system – Do not disclose OS details like distribution name/version.
  • Remove extensions – Listing extensions gives insight into server capabilities. Only enable required ones.
  • Avoid host details – Use a generic hostname without kernel version, patch info, etc. if possible.
  • Impersonal text – Don’t include contact info, branding, motivational messages, etc.
  • Regular updates – Keep mail server software updated to avoid vulnerabilities.
  • Firewall block – Block external SMTP connections except from trusted sources.
  • TLS encryption – Require TLS so banner is only visible after encryption kicks in.

Here is an example secure banner:

220 mail.example.com ESMTP

This gives minimal info – just the hostname and the ESMTP keyword, with no software name or version.
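As an added example (not code from the original article), here is a small Python audit script that reads the greeting the way the Telnet step above does, parses it per RFC 5321 including multi-line "220-" continuations, and flags the disclosures the best-practice list warns about. The sample greetings are constructed, and the regex patterns are my own heuristics, not a standard.

```python
import re
import socket

# Constructed sample greetings (not captured from any real server).
SAMPLE_GREETINGS = {
    "minimal": "220 mail.example.com ESMTP\r\n",
    "verbose": "220 mail.example.com ESMTP Postfix 2.10.1 (Ubuntu 20.04) admin@example.com\r\n",
    "multiline": "220-mail.example.com ESMTP\r\n220 Welcome, ready for mail\r\n",
}

# Heuristic disclosure patterns matching the best practices above (version, OS, contact details).
CHECKS = [
    ("version number disclosed", re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")),
    ("operating system disclosed", re.compile(r"\b(ubuntu|debian|centos|fedora|windows|freebsd|linux)\b", re.I)),
    ("contact address disclosed", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
]

def parse_greeting(raw):
    """Split an RFC 5321 greeting into (code, text lines); '220-' marks a continuation line."""
    lines = [line for line in raw.replace("\r\n", "\n").split("\n") if line]
    code = lines[0][:3]
    for line in lines:
        if not (line.startswith(code + " ") or line.startswith(code + "-")):
            raise ValueError("malformed greeting line: %r" % line)
    if not lines[-1].startswith(code + " "):
        raise ValueError("greeting ended with a continuation line")
    return code, [line[4:] for line in lines]

def audit_greeting(raw):
    """Check a greeting against the best practices above; an empty list means clean."""
    code, texts = parse_greeting(raw)
    text = " ".join(texts)
    findings = [msg for msg, pattern in CHECKS if pattern.search(text)]
    if code != "220":
        findings.insert(0, "greeting code %s is not 220 (server not ready)" % code)
    return findings

def fetch_greeting(host, port=25, timeout=10.0):
    """Read the raw greeting from a server you administer, then QUIT (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        buf = b""
        while not re.search(rb"^\d{3} .*\r\n", buf, re.M):  # final line has a space, not '-', after the code
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += chunk
        sock.sendall(b"QUIT\r\n")
    return buf.decode("ascii", "replace")
```

Run `audit_greeting(fetch_greeting("mail.yourdomain.com"))` against your own server to see which of the items above its current banner violates.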

Customizing Your SMTP Banner

While banners should avoid unnecessary info, administrators often want to customize them with branding, messaging, or to make servers easier to identify.

Some common customizations include:

  • Hostname – Set a custom banner hostname like mail.company.com
  • Welcome messaging – Friendly text like “Welcome to our mail server”.
  • Branding – Company name, logo, or slogan.
  • Server identifier – Unique name to differentiate mail servers.
  • Warning message – Deter unauthorized access attempts.
  • Administrator details – Contact info and PGP public key fingerprint.

When adding custom text, still be sure to follow security best practices and don’t reveal too many specifics. Here is an example banner with some customizations:

220 mail.company.com ESMTP ServerID123

This sets a custom hostname and unique server ID while still keeping software details generic.

Modifying Your SMTP Banner

The way you modify your SMTP banner depends on the mail server software running:

Postfix

Add a smtpd_banner parameter in main.cf:

smtpd_banner = $myhostname ESMTP

Sendmail

Define confSMTP_LOGIN_MSG in sendmail.mc (DaemonPortOptions only controls the listening port, not the greeting), then rebuild sendmail.cf:

define(`confSMTP_LOGIN_MSG', `$j ESMTP')dnl

Exim

Configure the smtp_banner option:

smtp_banner = $primary_hostname ESMTP

Be sure to restart your mail server after making banner changes.

For other mail server software, check your vendor documentation for the equivalent banner configuration steps.

Keeping Software Up-to-Date

One of the most important ways to secure your SMTP banner and mail server in general is keeping the software patched and up-to-date.

Using outdated mail server software exposes you to known vulnerabilities that attackers can easily fingerprint from banner details.

Regularly check for the latest security updates from your mail server vendor. For open source options like Postfix and Sendmail, subscribe to security mailing lists for prompt notifications.

When updating to a new major version, be sure to check for any required SMTP banner changes. Software vendors may introduce new defaults with security improvements.

Conclusion and Key Takeaways

To summarize, SMTP banners identify your mail servers, but can reveal too much detail to attackers if not secured properly. Follow these best practices:

  • Omit software version strings and operating system info.
  • Disable unneeded SMTP extensions.
  • Use generic hostnames without sensitive specifics.
  • Avoid custom texts with personal details.
  • Require TLS before banner is shown.
  • Keep mail server software regularly updated.

With the right banner configuration, you can identify your mail servers without giving away unnecessary intelligence to spammers, hackers, and other malicious actors.

Frequently Asked Questions

Q: What is the difference between an SMTP and POP3 banner?
A: SMTP banners are shown when connecting on port 25 for mail delivery. POP3 banners appear when fetching mail from port 110 and identify the POP daemon.

Q: Can I completely remove the SMTP banner for better security?
A: No, SMTP banners are required as part of the protocol. But you can customize them to be very generic.

Q: What is the ESMTP vs SMTP in a banner?
A: ESMTP indicates Extended SMTP with support for extensions like STARTTLS, SMTPUTF8, 8BITMIME etc.

Q: How do spammers use SMTP banners?
A: Spammers look for misconfigured open relays, vulnerable software versions, and host details to help profile targets.

Q: Can I use the SMTP banner for advertising?
A: Avoid this as it makes your server a bigger target. Keep banners impersonal.

Q: Is there a standard SMTP banner format?
A: Banners follow RFC 5321 with a 220 status code and domain name, but the text is customizable.

Q: What’s the difference between 220 and 250 SMTP status codes in banners?
A: 220 is the connection greeting, 250 is a general success response after commands.

Q: Can SMTP banners be used to spread malware?
A: Banner contents are not executed, so there is no direct malware risk, only fingerprinting.

Q: How often should I check and update my SMTP banner configurations?
A: Review banners with each mail server software update, at least annually. Update if defaults change.

Q: What’s the maximum length of an SMTP banner?
A: There is no specific limit, but banners over 255 characters get truncated by some mail clients. Keep them concise.

Q: Can I set different SMTP banners per sending domain?
A: Yes, most mail servers support per-domain or per-IP banners using variables like $myhostname.

Q: Is it safe to put administrator contact info in SMTP banners?
A: Avoid this as it can expose internal user details. Use generic contact email addresses instead.

Q: How do I check SMTP banners on my servers?
A: Use Telnet, OpenSSL, or mail testing tools to connect on port 25 and view the banner response.

Q: Can SMTP banners be used to detect open mail relays?
A: Yes, open relays often disclose this status in their banners as a warning to senders.

Q: Do SMTP banners affect email deliverability?
A: Directly no, but they can indicate reputation issues like open relays that get IP addresses blocked.

Q: Are SMTP banners required for a mail server to function?
A: Yes, banners are a core part of the SMTP protocol for server identification. Servers must return a 220 status code.

Q: Can I use the SMTP banner for legal disclaimers?
A: It’s not recommended – better approaches include email footers or an automated reply.

Q: Is it OK to change the hostname in my SMTP banner?
A: Yes, the banner hostname can be customized, just be sure the altered name resolves in DNS.

Q: How long do SMTP banner connections stay open by default?
A: After showing the banner, the server will close the connection if the client does not send any further SMTP commands.

Q: Does changing my SMTP banner affect mail server performance?
A: No, the banner string itself has negligible impact on server load or processing capability.

Conclusion

Your SMTP banner provides the first impression of your mail server to connecting clients. While some customization can be useful, prioritize security by minimizing unnecessary information that could aid attackers. Keep your mail server software up-to-date, use generic banners, and avoid revealing details beyond core identifiers. With a properly configured banner, you can confidently introduce your server while giving spammers as little intelligence as possible.