Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter I - Foundation / 05. Common Applications & Services / 03. Mail Servers

Email Servers

Email remains one of the most widely used communication systems in modern environments.

Organizations use email for:

  • Communication
  • Account registration
  • Password resets
  • Notifications
  • Multi-factor authentication
  • Business operations

As a result, email systems frequently become high-value targets.


Basic Email Flow

A typical email follows a path similar to:

Sender
    ↓
Mail Server
    ↓
Internet
    ↓
Recipient Mail Server
    ↓
Recipient

Unlike web applications, email delivery is often handled by multiple systems before reaching its final destination.


Common Email Protocols

SMTP

Simple Mail Transfer Protocol (SMTP) is used to send email.

Common ports:

25/tcp
587/tcp
465/tcp

SMTP is responsible for transferring messages between mail servers.


POP3

Post Office Protocol (POP3) downloads emails from a server to a client.

Common ports:

110/tcp
995/tcp (TLS)

POP3 is less common in modern environments.


IMAP

Internet Message Access Protocol (IMAP) allows clients to synchronize mailboxes.

Common ports:

143/tcp
993/tcp (TLS)

IMAP is widely used today because messages remain stored on the server.


Common Email Platforms

Organizations commonly use:

  • Microsoft Exchange
  • Microsoft 365
  • Google Workspace
  • Postfix
  • Exim
  • Sendmail

Why Email Matters

Email is often the center of identity management.

Control of a mailbox may provide access to:

  • Password reset links
  • MFA enrollment workflows
  • Internal communications
  • Sensitive documents
  • Business processes
  • Phishing attacks

Phishing

Phishing is one of the most common attack vectors.

A phishing attack attempts to convince a user to:

  • Reveal credentials
  • Execute software
  • Visit a malicious website
  • Approve an MFA request

Many real-world compromises begin with successful phishing. In some cases, threat actors become so successful at manipulating a particular user that they continue abusing that same individual to facilitate additional access throughout the intrusion.

I have personally heard incident responders describe situations where initial access into a large enterprise was obtained through a front-office employee. Simple requests such as:

"My manager is currently on holiday. Could you send this to another email, it is for their backup manager instead? (provides fake email)"

were sufficient to convince users to perform actions that furthered the intrusion.

Perhaps the most surprising aspect of these incidents is that even after security teams identified and isolated compromised hosts or accounts, the threat actor would often return to the same individual and simply obtain access again through additional social engineering.

For those who have not yet worked in the industry, stories like this may sound exaggerated or taken directly from a movie. In reality, experienced security professionals encounter similar scenarios far more frequently than many people would expect.

The lesson is simple: technical security controls are important, but people remain a critical part of the security boundary.


Email Attachments

Email attachments are frequently used to distribute:

  • Documents
  • Spreadsheets
  • PDFs
  • Archives
  • Executables

Organizations often restrict certain attachment types due to abuse.

Operators should assume that email attachments are commonly inspected by security controls.


Email Authentication

Modern email systems use several mechanisms to verify sender legitimacy.

SPF

Sender Policy Framework (SPF)

Defines which servers are authorized to send email for a domain.

Example:

corp.local

may specify which mail servers are allowed to send messages on its behalf.


DKIM

DomainKeys Identified Mail (DKIM)

Uses cryptographic signatures to verify that an email was authorized by the sending domain and was not modified in transit.


DMARC

Domain-based Message Authentication, Reporting and Conformance (DMARC)

Defines how receiving mail servers should handle messages that fail SPF or DKIM validation.


Why Operators Care

Email infrastructure often reveals:

  • Internal usernames
  • Naming conventions
  • Organizational structure
  • Business relationships
  • External vendors
  • Sensitive communications

Email systems may also provide opportunities for:

  • Initial access
  • Credential theft
  • Social engineering
  • Internal reconnaissance

Security Controls

Modern email security commonly includes:

  • SPF
  • DKIM
  • DMARC
  • Attachment scanning
  • URL rewriting
  • Sandboxing
  • Anti-spam filtering
  • MFA

These controls attempt to reduce phishing and malware delivery risks.