SMTP Enumeration Cheatsheet

Default Ports: 25 (SMTP), 587 (Submission/STARTTLS), 465 (SMTPS)


nc -nv <ip> 25
telnet <ip> 25
openssl s_client -starttls smtp -connect <ip>:587
openssl s_client -connect <ip>:465

Manual SMTP Commands

HELO <domain>                   # Basic hello
EHLO <domain>                   # Extended hello (lists capabilities)
AUTH LOGIN                      # Start LOGIN auth (username and password are exchanged base64-encoded, which is encoding, not encryption)
AUTH PLAIN                      # PLAIN auth (credentials sent base64-encoded in a single step, likewise not encrypted without STARTTLS)
VRFY <user>                     # Verify if user exists
EXPN <list>                     # Expand mailing list members
RCPT TO:<user@domain>           # Verify recipient (only valid after MAIL FROM)
MAIL FROM:<sender@domain>       # (placeholder: the original address was lost to extraction)
RCPT TO:<target@domain>
DATA                            # Begin message body
.                               # End message (single dot on its own line)
RSET                            # Reset the current mail transaction (discards MAIL FROM / RCPT TO); the connection stays open
QUIT

Capabilities Enumeration

# See what the server supports after EHLO
nc <ip> 25
EHLO test.com

# Common capabilities to note:
# STARTTLS, AUTH LOGIN/PLAIN/NTLM, SIZE, PIPELINING, VRFY, EXPN
# (VRFY or EXPN being advertised/accepted is a user-enumeration exposure in itself; hardened servers disable both)

User Enumeration

# smtp-user-enum tool
smtp-user-enum -M VRFY -U users.txt -t <ip>
smtp-user-enum -M EXPN -U users.txt -t <ip>
smtp-user-enum -M RCPT -U users.txt -t <ip> -D <domain>

# Manual VRFY loop
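# Reads users.txt line by line (not `for user in $(cat ...)`, which word-splits and
# glob-expands each name) and tags every 250 reply with the name that produced it,
# since the raw reply line alone does not always show which candidate matched.
# SMTP lines end in CRLF; printf supplies it explicitly, echo would not.
while IFS= read -r user || [[ -n "$user" ]]; do
  [[ -n "$user" ]] || continue                      # skip blank lines
  reply=$(printf 'VRFY %s\r\n' "$user" | nc -nv -w 1 <ip> 25 2>/dev/null | grep '^250') || continue
  printf '%s: %s\n' "$user" "$reply"
done < users.txt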

# Response codes (VRFY / EXPN / RCPT):
# 250 = user exists
# 252 = server will not confirm but will attempt delivery (treat as unknown, not as a hit)
# 550 = user does not exist
# A server that answers 250 for every name is a catch-all; try an obviously bogus name first to rule this out

Nmap Scripts

nmap -p 25 --script smtp-commands <ip>
nmap -p 25 --script smtp-enum-users <ip>
nmap -p 25 --script smtp-open-relay <ip>
nmap -p 25 --script smtp-brute <ip>
nmap -p 25 --script smtp-ntlm-info <ip>          # Windows NTLM info leak
nmap -p 25 --script smtp-vuln-cve2010-4344 <ip>  # Exim heap overflow
nmap -p 25,587,465 --script smtp-* <ip>

Open Relay Testing

nc <ip> 25
EHLO test.com
MAIL FROM:<sender@external-domain>          # (placeholders: the original addresses were lost to extraction)
RCPT TO:<recipient@external-domain>         # Neither address belongs to the server; if the message is accepted all the way through DATA, the host is an open relay
DATA
Subject: relay test
This is a test.
.
QUIT

# Automated
nmap -p 25 --script smtp-open-relay \
  --script-args smtp-open-relay.from=<from-address>,smtp-open-relay.to=<to-address> <ip>   # (address placeholders: originals lost to extraction)

Metasploit

use auxiliary/scanner/smtp/smtp_version
use auxiliary/scanner/smtp/smtp_enum
use auxiliary/scanner/smtp/smtp_relay

NTLM Info Leak (Windows SMTP)

# Triggers Windows SMTP servers to reveal hostname, domain, OS version
nmap -p 25 --script smtp-ntlm-info <ip>

# Manual
nc <ip> 25
EHLO test
AUTH NTLM
TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
# Decode the Base64 response with ntlmdecoder or responder

Useful Wordlists

/usr/share/seclists/Usernames/top-usernames-shortlist.txt
/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt