Auditing SMTP, POP, and IMAP with Expect

By Rob Thomas, 18 AUG 2000

UNIX contains numerous tools and methods for auditing and securing your host. However, as your network of UNIX boxes expands, it becomes difficult to scale the host-based tools to perform the necessary auditing and verification. This is where toolkits such as Expect become handy. In this article, I will demonstrate the power of Expect as a rich development toolkit for automated auditing of the UNIX hosts on your network.

A Bit About Expect

Expect is a toolkit based on the Tcl language. You can obtain both Expect and Tcl here. This site, the Expect home page, also contains a grand collection of information about Expect. You might also wish to pick up a copy of Exploring Expect, by Don Libes, published by O'Reilly and Associates.

Auditing SMTP, POP, and IMAP

Within almost all networks, there likely exist one or more SMTP, POP, and perhaps IMAP servers. These servers provide the now ubiquitous e-mail connectivity required in any corporation.

However, these services are also some of the most easily exploited services on any network. Quite often, these services are "open" to the Internet, which allows easy connectivity for remote users. It also allows easy connectivity for the miscreants who seek illegal access to your hosts.

To verify that hosts comply with policy and that the daemons run at the proper software release levels, we can use Expect to automatically probe networks for SMTP, POP, and IMAP servers.

SMTP auditing with mtaprobe.exp

The mtaprobe.exp tool is designed to sweep a list of IP addresses and determine three things:

1. The type and version of the SMTP daemon listening on TCP port 25, if any.
2. Whether the daemon honors the EXPN (expand) command.
3. Whether the daemon is configured to relay all e-mail, which opens the host up to serving as a SPAM relay.

Once the type and version of the SMTP daemon are acquired, the auditor can cross-reference this information with the various vendor alerts, CERT advisories, and vendor patch documents. This will help to ensure that the SMTP daemon is protected against the latest vulnerabilities.

Allowing the EXPN (expand) function to be performed can assist miscreants who are attempting to obtain account information or e-mail addresses. For example, many common e-mail aliases such as administrators, sales, info, and the like contain the actual e-mail addresses (which often correspond to login IDs) of employees. Allowing someone to peruse these IDs may be a bit more information than you care to share.

A wide-open, Internet-connected e-mail relay is simply trouble brewing. The SPAMmers will find it, eventually, and use it to issue thousands of pieces of unsolicited e-mail. Such abuse may cause the mail relay to stop providing legitimate e-mail messaging. Worse, the SPAMmers may be forwarding e-mail with illicit content, causing quite a bit of public embarrassment. All of this may result in the site being added to a blackhole list, effectively blocking all e-mail from the site from reaching other, popular Internet addresses.

The script requires one modification prior to execution. You must replace the \ string with a legitimate e-mail address. This is required for the relay testing section of the code.

The script requires a list of IP addresses or host names, and such a list can be easily generated from /etc/hosts or DNS with the help of Perl or awk.
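To show what the three checks look like in Expect, here is an added example of my own; it is not Rob Thomas's mtaprobe.exp. It assumes Expect on Tcl 8.5 or later (for lassign), that port 25 is reachable from the auditing host, and that the address you pass on the command line is one you control, which plays the role of the placeholder the article asks you to replace. Rather than spawning telnet, it hands a Tcl socket to spawn -open and sends the CRLF line endings SMTP expects itself. The relay test never issues DATA, so no message is queued on the audited server; RSET discards the envelope.

```tcl
#!/usr/bin/expect -f
# Added example, not the article's mtaprobe.exp: sweep a list of hosts and
# report the SMTP banner, EXPN support and third-party relaying.
# Assumptions: Expect on Tcl 8.5+ (lassign), port 25 reachable, and
# relay_addr is an address you control (the article's placeholder).
#
# Usage: ./smtp_audit.exp hosts.txt you@your-domain.example
#   hosts.txt holds one IP address or host name per line; "#" starts a comment.

set timeout 10
log_user 0          ;# do not echo the conversation; print only the findings

proc smtp_reply {} {
    # Read one complete SMTP reply. Multi-line replies use "NNN-" on every
    # line but the last, which uses "NNN " (space), so match only that line.
    # Returns {code text}; code is "" on timeout or EOF.
    expect {
        -re {(?:^|\n)(\d{3}) ([^\r\n]*)\r?\n} {
            return [list $expect_out(1,string) $expect_out(2,string)]
        }
        timeout { return [list "" "timeout"] }
        eof     { return [list "" "connection closed"] }
    }
}

proc smtp_cmd {line} {
    # Send one command with the CRLF that SMTP requires and read its reply.
    send -- "$line\r\n"
    return [smtp_reply]
}

proc audit_smtp {host relay_addr} {
    # Returns a list of human-readable findings for one host.
    global spawn_id     ;# spawn inside a proc sets spawn_id locally otherwise
    if {[catch {spawn -open [socket $host 25]} err]} {
        return [list "$host: no connection to port 25 ($err)"]
    }
    set findings {}
    lassign [smtp_reply] code banner
    if {$code ne "220"} {
        catch {close}
        return [list "$host: no SMTP greeting ($banner)"]
    }
    # 1. Type and version: the 220 greeting normally names the daemon.
    lappend findings "$host: banner: $banner"
    smtp_cmd "HELO audit.example"   ;# assumption: substitute your own host name

    # 2. EXPN: a 250 reply means the daemon expands aliases for anyone.
    lassign [smtp_cmd "EXPN postmaster"] code text
    if {$code eq "250"} {
        lappend findings "$host: EXPN enabled: $text"
    } else {
        lappend findings "$host: EXPN refused ($code)"
    }

    # 3. Relay: both envelope addresses are foreign to this host. Accepting
    # RCPT TO for a foreign recipient is the open-relay signature. DATA is
    # never sent, so nothing is queued; RSET discards the envelope. Caveat:
    # some MTAs defer the rejection until DATA, so confirm a 250 by hand.
    smtp_cmd "MAIL FROM:<$relay_addr>"
    lassign [smtp_cmd "RCPT TO:<$relay_addr>"] code text
    if {$code eq "250"} {
        lappend findings "$host: OPEN RELAY suspected: RCPT TO accepted ($text)"
    } else {
        lappend findings "$host: relay refused ($code $text)"
    }
    smtp_cmd "RSET"
    smtp_cmd "QUIT"
    catch {close}
    return $findings
}

proc read_hosts {path} {
    # One host per line; blank lines and "#" comments are skipped.
    set fh [open $path r]
    set hosts {}
    foreach line [split [read $fh] "\n"] {
        set line [string trim $line]
        if {$line ne "" && [string index $line 0] ne "#"} { lappend hosts $line }
    }
    close $fh
    return $hosts
}

if {[llength $argv] != 2} {
    puts stderr "usage: $argv0 hostfile your-address"
    exit 1
}
lassign $argv hostfile relay_addr
foreach host [read_hosts $hostfile] {
    puts [join [audit_smtp $host $relay_addr] "\n"]
}
```

The global spawn_id declaration matters: spawn called inside a procedure sets spawn_id in that procedure's scope, and the helper procedures that call expect and send would otherwise not find it. Run the script only against hosts you are responsible for, and treat a 250 to the foreign RCPT TO as a finding to confirm rather than proof of an open relay, since some daemons defer their policy decision to the DATA stage.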

Here is the source code for mtaprobe.exp.

POP and IMAP auditing with poptart.exp

The poptart.exp tool is designed to sweep a list of IP addresses or host names to determine whether each host has POP and/or IMAP services running and, where they exist, to report the version number that each service announces.

As with mtaprobe.exp, poptart.exp requires a list of IP addresses or host names. Here is the source code for poptart.exp.
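For the POP and IMAP side, here is a second added example of my own, not the article's poptart.exp. Both protocols identify themselves in the first line they send: POP3 answers with a line beginning "+OK", IMAP with "* OK" (or "* PREAUTH"), and most daemons put their name and version in that greeting. The script connects to TCP 110 and 143 on each host named on the command line, records the greeting, and logs out politely. It assumes Expect on Tcl 8.5 or later and that the ports are reachable from the auditing host.

```tcl
#!/usr/bin/expect -f
# Added example, not the article's poptart.exp: report the POP3 (TCP 110)
# and IMAP (TCP 143) greetings of each host given on the command line.
# Assumptions: Expect on Tcl 8.5+, ports reachable from this host.
# Usage: ./pop_imap_banner.exp host1 host2 ...

set timeout 10
log_user 0

proc greeting {host port ok_pattern logout} {
    # Connect, read the greeting line, send the protocol's logout command,
    # and return the greeting text or a short reason why none was seen.
    global spawn_id     ;# keep spawn_id visible to send/expect/close
    if {[catch {spawn -open [socket $host $port]} err]} {
        return "closed ($err)"
    }
    set result "no recognizable greeting"
    expect {
        -re $ok_pattern {
            set result [string trim $expect_out(0,string)]
            send -- "$logout\r\n"
            expect { eof {} timeout {} }   ;# let the server finish the goodbye
        }
        timeout {}
        eof { set result "connection closed without greeting" }
    }
    catch {close}
    return $result
}

proc version_hint {greeting} {
    # Best-effort version extraction: many daemons write "version 2.53" or
    # "v4.7" style strings in the greeting; return "" when nothing matches.
    if {[regexp -nocase {(?:version|v)\s*([0-9]+(?:\.[0-9]+)+)} $greeting -> v]} {
        return $v
    }
    return ""
}

proc audit_mail_access {host} {
    # Returns two findings, one for POP3 and one for IMAP.
    set pop  [greeting $host 110 {^\+OK[^\r\n]*} "QUIT"]
    set imap [greeting $host 143 {^\* (?:OK|PREAUTH)[^\r\n]*} "a1 LOGOUT"]
    set findings {}
    foreach {name text} [list POP3 $pop IMAP $imap] {
        set v [version_hint $text]
        if {$v ne ""} { set text "$text  (version hint: $v)" }
        lappend findings "$host: $name: $text"
    }
    return $findings
}

if {[llength $argv] == 0} {
    puts stderr "usage: $argv0 host ..."
    exit 1
}
foreach host $argv {
    puts [join [audit_mail_access $host] "\n"]
}
```

The version_hint procedure is only a convenience: the greeting itself is the evidence, and it is the string to cross-reference against vendor advisories, so it is always printed in full.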

Conclusion

As you can see, creating auditing tools in Expect is quite a simple task. These scripts could be easily modified to probe other TCP-based services, such as FTP. While auditing and securing a network of UNIX machines may be one of the most thankless of tasks, it can be automated by the use of Expect. Further, Expect can be used to automate many routine system administration tasks. After downloading and installing Expect, you will likely be crafting your own set of tools in short order.

If you found these tools of use, please peruse my other creations which can be found here.