Nessus has detected that this internal SMTP server allows mail relaying.

The remote host is running a Sendmail service, a general purpose email routing service. It was possible to read the version number from the banner.

Nessus can obtain information about the host by examining the NTLM SSP challenge issued during NTLM authentication, over STMP.

According to its banner, the version of Exim running on the remote host is prior to 4.90.1. It is, therefore, potentially affected by a buffer overflow vulnerability. A flaw exists base64d() function due to improper validation of parsed messages. A remote attacker could potentially cause a buffer overflow condition and execute arbitrary code.

According to its banner and supported extensions, the remote installation of Exim is affected by a code execution flaw.  The implementation of the BDAT SMTP verb for sending large binary messages introduced in Exim 4.88 can incorrectly free an in-use region of memory, leading to memory corruption and potentially allowing an attacker to execute code.

According to its banner, the Postfix mail server running on the remote host is version 2.x from 2.0.8 to 2.1.5 inclusively. It is, therefore, affected by a remote code execution vulnerability due to improper sanitization of the email date field. An unauthenticated, remote attacker can exploit this, via a specially crafted email, to execute arbitrary code.

ENTERSEED is one of multiple Equation Group vulnerabilities and exploits disclosed on 2016/04/08 by a group known as the Shadow Brokers.

The remote host appears to be running a mail transfer or mail delivery agent such as Courier, Exim, Postfix, or Procmail. Many of these agents can be configured to run utility scripts for a diverse number of tasks including filtering, sorting, and delivering mail. These scripts may create the conditions that are exploitable, making the agent vulnerable to remote code execution via Shellshock.

A negative result from this plugin does not prove conclusively that the remote system is not affected by Shellshock, only that the mail agent running on the system is not configured in such a way to allow remote execution via Shellshock.

The remote host appears to be running Qmail. A remote attacker can exploit Qmail to execute commands via a specially crafted MAIL FROM header if the remote host has a vulnerable version of Bash. This is due to the fact that Qmail does not properly sanitize input before setting environmental variables.

A negative result from this plugin does not prove conclusively that the remote system is not affected by Shellshock, only that Qmail could not be used to exploit the Shellshock flaw.

The remote host appears to be running Postfix. Postfix itself is not vulnerable to Shellshock; however, any bash script Postfix runs for filtering or other tasks could potentially be affected if the script exports an environmental variable from the content or headers of a message.

A negative result from this plugin does not prove conclusively that the remote system is not affected by Shellshock, only that any scripts Postfix may be running do not create the conditions that are exploitable via the Shellshock flaw.

According to its banner, the version of Exim running on the remote host is prior to 4.83. It is, therefore, potentially affected by a data insertion vulnerability. A flaw exists in the expansion of arguments to math comparison functions which can cause values to be expanded twice. This could permit a local attacker to insert arbitrary data.

The remote mail server is running a version of Sendmail prior to 8.14.9. It is, therefore, affected by a flaw related to file descriptors and the 'close-on-exec' flag that may allow a local attacker to cause unspecified impact on open SMTP connections.

The remote OpenSMTPD mail server has a flaw that could result in further connections to it being blocked when a client holds open a TLS connection.

The remote MTA (which appears to be Exim) has a shell command execution vulnerability.  Dovecot is commonly used as a local delivery agent for Exim.  The Dovecot documentation has an insecure example for how to configure Exim using the 'use_shell' option.  If a host is using this configuration, it is vulnerable to command injection. 

A remote, unauthenticated attacker could exploit this by sending an email to the MTA, resulting in arbitrary shell command execution.

The install of McAfee WebShield SMTP listening on the remote host is no longer supported since the product reached End of Life on March 31, 2010.

Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities.

According to its banner, the version of Exim running on the remote host is between 4.70 and 4.80 inclusive.  It therefore is potentially affected by a remote, heap-based buffer overflow vulnerability when decoding DKIM (DomainKeys Identified Mail) DNS records that can be triggered by a specially crafted email sent from a domain under the attacker's control. 

By exploiting this flaw, a remote, unauthenticated attacker could execute arbitrary code on the remote host subject to the privileges of the user running the affected application.

Note that this issue is only exploitable when exim is built with DKIM support, which is true by default, and has not been disabled.  Note too that Nessus has not checked whether either condition is true.

The remote mail server is running a version of Sendmail earlier than 8.13.8. Such versions are reportedly affected by a use-after-free flaw that may allow an attacker to crash the server.

The version of Novell GroupWise Internet Agent hosted on the remote computer is earlier than 8.0.2 HP3. Such versions are potentially affected by a heap overflow vulnerability due to the way the application parses the TZNAME property of the VTIMEZONE component within a received VCALENDAR message. Successful exploitation could result in remote code execution.

This script tries to send a VCALENDAR message with a large TZNAME property value in an attempt to crash the Internet Agent (gwia.exe).

Note that when restarting the Internet Agent after a crash, the queued files under <domain_database_path>\wpgate\GWIA\receive that are generated as a result of running this script need to be removed.
Otherwise, the service will not restart.

Also note that the iCal service has to be enabled (the '/imip' setting in 'gwia.cfg') for this vulnerability to be triggered.

Further note that this install of Group GroupWise Internet Agent is also likely affected by other vulnerabilities, but this plugin does not test for them.

The Postfix mail server listening on this port appears vulnerable to a memory corruption attack as Nessus was able to crash an SMTP session with this host by using two different authentication methods in one session. 

Note that code execution as the unprivileged postfix user may also be possible.

According to its banner, the version of the Postfix mail server listening on this port is earlier than 2.5.13, 2.6.19, 2.7.4, or 2.8.3.  Such versions may be vulnerable to a memory corruption attack if they have Cyrus SASL enabled and are allowing authentication methods other than ANONYMOUS, LOGIN, and PLAIN.  Code execution as the unprivileged postfix user may also be possible. 

Note that Nessus did not test whether the remote server was using Cyrus specifically, as opposed to another SASL library such as Dovecot.

The remote host is running an SMTP server that advertises that it allows cleartext logins over unencrypted connections.  An attacker may be able to uncover user names and passwords by sniffing traffic to the server if a less secure authentication mechanism (i.e.  LOGIN or PLAIN) is used.

This SMTP service allows anonymous authentication.  Any remote user may connect and authenticate without providing a password or unique credentials.  This may effectively turn the remote server into an open mail relay.

The remote SMTP server advertises that it supports authentication.

Based on its response to a specially formatted mail message, the Exim mail server listening on this port appears to be affected by a format string vulnerability. The vulnerability is due to a failure in the dkim_exim_verify_finish() function to properly sanitize format string specifiers in the DKIM-Signature header. A remote attacker can exploit this by sending a specially crafted email, resulting in the execution of arbitrary code as the Exim run-time user.

According to its self-reported version, the remote SMTP service is an instance of IBM Lotus Domino that is is affected by a remote stack-based buffer overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of the 'nrouter.exe' Lotus Domino server process.  Failed attacks will cause denial of service conditions.

The remote SMTP service contains a software flaw in its STARTTLS implementation that could allow a remote, unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase. 

Successful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication and Security Layer) credentials.

The remote host is running Exim, a message transfer agent.

According to the version number in its banner, the installed version of Exim is earlier than 4.74 and thus potentially affected by a local privilege escalation vulnerability.

If the remote host is running Linux, attackers can exploit this issue to append arbitrary data to files through symbolic link attacks.
Successfully exploiting this issue allows local attackers with 'exim' run-time user privileges to perform certain actions with superuser privileges, leading to a complete compromise of an affected computer.

A heap overflow vulnerability exists in the version of exim installed on the remote host. 

By sending a specially crafted message to the server, a remote attacker can leverage this vulnerability to execute arbitrary code on the server with the privilege of the exim server. A separate vulnerability that Nessus didn't test for, CVE-2010-4345, is often used to elevate the exim user to root access. 

Note that Nessus checked for this vulnerability by sending a specially crafted packet and checking the response, without crashing the service. 

All 4.6x versions 4.69-9 and below are known to be affected, and others may be as well.

The SMTP service (MESMTPC.exe) included with the version of MailEnable on the remote host reportedly does not properly check the length of either the email address used in a 'MAIL FROM' command or the domain name in a 'RCPT TO' command before using it in a log message. 

A malicious attacker may be able to leverage these issues to trigger an unhandled invalid parameter error and cause the affected SMTP service to crash.

The remote host is running Exim, a message transfer agent (SMTP).

According to the version number in its banner, the installed version of Exim is earlier than 4.72 and thus potentially affected by one or both of the following vulnerabilities :

  - An error when handling hardlinks within the mail     directory during the mail delivery process can be     exploited to perform unauthorized actions.
    (CVE-2010-2023)

  - When MBX locking is enabled, a race condition exists     that could allow an attacker to change permissions of     other non-root users' files, leading to denial-of-     service conditions or potentially privilege escalation.
    (CVE-2010-2024)

The installed version of Microsoft Exchange / Windows SMTP Service is affected by at least one vulnerability :

  - Incorrect parsing of DNS Mail Exchanger (MX) resource     records could cause the Windows Simple Mail Transfer     Protocol (SMTP) component to stop responding until     the service is restarted. (CVE-2010-0024)

  - Improper allocation of memory for interpreting SMTP     command responses may allow an attacker to read random     email message fragments stored on the affected server.
    (CVE-2010-0025)

The remote mail server is affected by a command execution vulnerability. 

Specifically, the 'spamass-milter' plugin does not properly sanitize user-supplied input and can be tricked into executing arbitrary commands on the remote server (by default with root privileges).

The remote mail server is running a version of Sendmail earlier than 8.14.4. Such versions are reportedly affected by a flaw that may allow an attacker to spoof SSL certificates by using a NULL character in certain certificate fields.

A remote attacker may exploit this to perform a man-in-the-middle attack.

The remote SMTP service supports the use of the 'STARTTLS' command to switch from a cleartext to an encrypted communications channel.

The remote host is running a version of the Sendmail mail server earlier than 8.13.2. Such versions are reportedly affected by a remote buffer overflow vulnerability. An attacker could leverage this flaw to execute arbitrary code with the privileges of the affected application.

According to its banner, the version of Postfix running on the remote host leaks 'epoll' file descriptors when it executes non-Postfix commands from, say, a user's .forward file. A local attacker can access the leaked epoll descriptor to launch a denial of service attack against Postfix.

Note that this issue only affects hosts running Linux with a 2.6 kernel.

The remote server is running Citadel, an open source solution for email and collaboration.

According to its version, the installation of Citadel on the remote host uses insufficient bounds-checking in its SMTP service during memory-copy operations when processing input to the RCPT TO command.
An unauthenticated, remote attacker may be able to leverage this issue to cause a stack-based buffer overflow, resulting in a crash of the affected service or even execution of arbitrary code.

The remote host appears to be running a version of Clamav-milter, a filter for sendmail, configured with '--black-hole-mode' that fails to sanitize recipient addresses of shell metacharacters before using them in a call to 'popen()' to determine whether to discard incoming messages.  An unauthenticated, remote attacker can leverage this issue to execute arbitrary code, typically as root.

The remote host appears to be running Ability Mail Server. 

According to its banner, the installed version of Ability Mail Server is affected by two issues that could cause the application to crash. One involves messages that are changed to a blank string, the other IMAP4 commands with malformed number list ranges. 

It is believed that exploitation of either issue requires authentication.

The remote host is running Kerio MailServer, a commercial mail server available for Windows, Linux, and Mac OS X platforms. 

According to its banner, the installed version of Kerio MailServer contains an unspecified vulnerability involving the attachment filter.

The remote host is running the Mercury Mail Transport System, a free suite of server products for Windows and NetWare associated with Pegasus Mail. 

The version of Mercury Mail installed on the remote host includes an SMTP server that is affected by a buffer overflow flaw.  Using a specially crafted 'AUTH CRAM-MD5' request, an unauthenticated, remote attacker can leverage this issue to crash the remote application and even execute arbitrary code remotely, subject to the privileges under which the application runs.

The remote host is running MailEnable, a commercial mail server for Windows. 

The version of MailEnable Professional or MailEnable Enterprise installed on the remote host has several problems involving its support of NTLM authentication.  A remote, unauthenticated attacker can leverage these flaws to execute arbitrary code on the remote host or crash the SMTP connector. 

Note that NTLM authentication is not enabled in MailEnable by default but is on the remote host.

The remote host is running MailEnable, a commercial mail server for Windows.

The SMTP server bundled with the version of MailEnable installed on the remote host is affected by a flaw in which SPF lookups for domains with large records may result in a NULL pointer exception in the SMTP service. An unauthenticated, remote attacker can exploit this issue to crash the affected service.

The remote host is running Ipswitch Collaboration Suite / IMail Secure Server / IMail Server, commercial messaging and collaboration suites for Windows.

According to its banner, the version of Ipswitch Collaboration Suite / IMail Secure Server / IMail Server installed on the remote host has a stack-based buffer overflow in its SMTP server component that can be triggered by long strings within the characters '@' and ':'.  An unauthenticated attacker may be able to leverage this flaw to crash the SMTP service or even to execute arbitrary code remotely.

The remote host is running Lotus Domino, a messaging and collaboration application suite. 

According to the version number in its banner, the SMTP server bundled with Lotus Domino on the remote host reportedly suffers from a denial of service flaw.  Specifically, the routing server will consumes 100% of the CPU when attempting to process a malformed 'vcal' meeting request.  An unauthenticated attacker may be able to leverage this issue to deny service to legitimate users. 

In addition, IBM has identified several additional vulnerabilities that affect this version.

The remote host is running MailEnable, a commercial mail server for Windows.

According to the version number in its banner, the SMTP server bundled with the installation of MailEnable on the remote host will crash when handling malformed HELO commands. An unauthenticated attacker may be able to leverage this issue to deny service to legitimate users.

The remote host appears to be running Eudora Internet Mail Server, a mail server for Macs. 

According to its banner, the version of Eudora Internet Mail Server (EIMS) installed on the remote host is reportedly susceptible to denial of service attacks involving malformed NTLM authentication requests as well as corrupted incoming MailX and temporary mail files.  While not certain, the first issue is likely to be remotely exploitable.

The remote host is running Ipswitch Collaboration Suite or IMail Server, commercial messaging and collaboration suites for Windows. 

The version of Ipswitch Collaboration Suite / IMail server installed on the remote host contains an SMTP server that suffers from a format string flaw.  By supplying a specially formatted argument to the 'EXPN', 'MAIL', 'MAIL FROM', or 'RCPT TO' commands, a remote attacker may be able to corrupt memory on the affected host, crash the service, or even execute arbitrary code remotely.

The version of GoodTech SMTP Server running on the remote host is prone to multiple buffer overflow vulnerabilities when processing RCPT TO commands.  An attacker can exploit these flaws to run arbitrary code remotely, by default as the SYSTEM user.

The remote host is running BusinessMail, a commercial mail server for Windows from NetCPlus. 

The version of BusinessMail on the remote host fails to sanitize input to the 'HELO' and 'MAIL FROM' SMTP commands, which can be exploited by an unauthenticated, remote attacker to crash the SMTP service and possibly even execute arbitrary code within the context of the server process.

The remote host is running Courier Mail Server, an open source mail server for Linux and Unix. 

According to its banner, the installed version of Courier is prone to a remote denial of service vulnerability triggered when doing Sender Policy Framework (SPF) data lookups.  To exploit this flaw, an attacker would need to control a DNS server and return malicious SPF records in response to queries from the affected application.

ID	Name	Severity
118017	MTA Open Mail Relaying Allowed (internal)	High
111549	Sendmail Service Detection	Info
108659	SMTP Host Information in NTLM SSP	Info
107149	Exim < 4.90.1 Buffer Overflow RCE Vulnerability	High
104815	Exim < 4.89.1 Use-After-Free BDAT Remote Code Execution	Critical
100465	Postfix 2.x Mail Message Date Field RCE (ENTERSEED)	Critical
78701	Mail Transfer Agent and Mail Delivery Agent Remote Command Execution via Shellshock	Critical
77970	Qmail Remote Command Execution via Shellshock	Critical
77969	Postfix Script Remote Command Execution via Shellshock	Critical
77055	Exim < 4.83 Math Comparison Functions Data Insertion	Low
74289	Sendmail < 8.14.9 close-on-exec SMTP Connection Manipulation	Low
66586	OpenSMTPD TLS Blocking Socket Remote DoS	Medium
66373	Exim with Dovecot use_shell Command Injection	Medium
63135	McAfee WebShield SMTP Unsupported	Critical
62734	Exim 4.70 - 4.80 DKIM DNS Record Parsing Remote Buffer Overflow	High
17724	Sendmail < 8.13.8 Header Processing Overflow DoS	Medium
56634	GroupWise Internet Agent < 8.0.2 HP3 iCalendar TZNAME Property Heap Overflow	Critical
54584	Postfix Cyrus SASL Authentication Context Data Reuse Memory Corruption (exploit)	Medium
54583	Postfix Cyrus SASL Authentication Context Data Reuse Memory Corruption	Medium
54582	SMTP Service Cleartext Login Permitted	Low
54581	Anonymous SMTP Authentication Enabled	Info
54580	SMTP Authentication Methods	Info
53856	Exim < 4.76 dkim_exim_verify_finish() DKIM-Signature Header Format String	High
53534	IBM Lotus Domino iCalendar Email Address ORGANIZER:mailto Header Remote Overflow	High
52611	SMTP Service STARTTLS Plaintext Command Injection	Medium
51861	Exim < 4.74 Local Privilege Escalation	Medium
51179	Exim string_format Function Remote Overflow	High
49284	MailEnable SMTP Service Denial of Service Vulnerabilities (ME-10044)	Medium
46783	Exim < 4.72 Multiple Vulnerabilities	Medium
45517	MS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832) (uncredentialed check)	Medium
45019	SpamAssassin Milter Plugin 'mlfi_envrcpt()' Remote Arbitrary Command Injection	Critical
43637	Sendmail < 8.14.4 SSL Certificate NULL Character Spoofing	High
42088	SMTP Service STARTTLS Command Support	Info
38877	Sendmail < 8.13.2 Mail X-Header Handling Remote Overflow	Medium
34347	Postfix epoll File Descriptor Leak Local DoS	Low
30123	Citadel SMTP makeuserkey Function RCPT TO Command Remote Overflow	High
29830	ClamAV clamav-milter black-hole-mode Sendmail Recipient Field Arbitrary Command Execution	High
28289	Ability Mail Server < 2.61 Multiple Remote DoS	Medium
25991	Kerio MailServer < 6.4.1 Attachment Filter Unspecified Vulnerability	Critical
25928	Mercury SMTP Server AUTH CRAM-MD5 Remote Buffer Overflow	High
22483	MailEnable SMTP Connector Multiple NTLM Authentication Vulnerabilities	High
22411	MailEnable SMTP Connector Service SPF Record Crafted Lookup DoS	Medium
22314	Ipswitch IMail Server SMTP Service Crafted RCPT String Remote Overflow	High
21778	IBM Lotus Domino SMTP Server Malformed Meeting Request (vCal) DoS	Critical
21771	MailEnable SMTP Server HELO Command Remote DoS	Medium
20394	Eudora Internet Mail Server (EIMS) < 3.2.8 Multiple DoS	Medium
20319	Ipswitch Collaboration Suite / IMail SMTPD Multiple Commands Format String	High
19384	GoodTech SMTP Server < 5.17 Multiple Buffer Overflows	Critical
19365	BusinessMail Multiple SMTP Command Remote Buffer Overflows	Critical
18620	Courier Mail Server < 0.50.1 DNS SPF Record Lookup Failure Memory Corruption DoS	Low

SMTP problems Family for Nessus