How to change your SMTP banner for fun and profit

Written by Ed Fisher on August 27, 2010

The most common question I have received as a result of this post on mail server misconfigurations is “how do I change my SMTP banner?” This article will tell you how to do so on several common mail server platforms. But first, let’s discuss why you want to.

Bad guys frequently use banner grabbing techniques as a part of the initial recon. It is a fairly innocuous activity that takes advantage of expected behaviours. To determine the type and version of mail server you are using, a bad guy need only connect to it on port 25, just like any other system would that is trying to send an email to one of your clients. IPS/IDS systems won’t alert on this, since to them it looks just like any other mail server trying to send mail, and unless you review every single log item, you probably won’t notice a connection that doesn’t actually send an email.

If, however, your SMTP does not reveal its version, all the bad guy knows is that he connected to your mail server. He is going to have to work a lot harder to identify your server, and that may be enough to trip an IDS/IPS alarm. Or, he may simply move on to easier pickings. Either way, make him work for it…don’t just give up all the information in your banner. Intrigued? Read on to learn how to change the SMTP banner on several popular mail server platforms.

Most systems’ default banners display the information required by the RFCs, but then go a step further and reveal the type and version of SMTP daemon they run. With that information, all the bad guy has to do is focus on exploits known to affect that version, and hope that you are not up to date on your patches.

RFC 2821 requires all server responses to start with 220 when the service is ready to receive mail. Specifically, the recommended format is this:

220 <domain> Service ready

So when we customise our banner, we want to make sure that if our SMTPd does not prepend the response with 220 for us, we include that in our text string.

Sendmail

Sendmail will prepend the 220 automagically for us, so we just need to define our text string. We can use some variables, or just free form text.

  1. Edit sendmail.cf
  2. Change the line

    SmtpGreetingMessage=$j Sendmail $v/$Z; $b

     to

    SmtpGreetingMessage= yourtextgoeshere

     You can use the following variables:
     $j = fully qualified hostname
     $v = sendmail version
     $Z = configuration file version
     $b = current date and time

  3. Restart sendmail for the new banner to take effect.

IIS SMTP service

If you are using the Windows SMTP service that comes as a part of IIS, and is used in Exchange 2003 (and earlier), here is what you do. We will need to include the 220 response code at the beginning of the banner.

  1. Open a cmd prompt.
  2. Change to the Adminscripts directory. The default location is C:\Inetpub\Adminscripts
  3. Enter the following command, where ‘vsi number’ is the number of the SMTP virtual server, and ‘your text’ is what you want the banner to display. Don’t forget to start the string with 220.

    cscript adsutil.vbs set smtpsvc/vsi number/connectresponse "Your Text" [enter]

  4. Restart the SMTP service.

Exchange 2007-2010 SMTP service

Of course, you should have expected that to do this, we will use PowerShell. Again, we must remember to start the response with the 220.

  1. Open the Exchange Management Shell as an administrator.
  2. Enter this command, where ‘your text’ is the response you want. Both the “From the Internet” and the “220 your text” must be enclosed in quotes.

    Set-ReceiveConnector "From the Internet" -Banner "220 your text" [enter]

This will take effect immediately, without requiring you to restart the service.

MailEnable

MailEnable makes it pretty easy, giving you a GUI method to set this, and automagically prepending the 220 code.

  1. Launch the ME MMC
  2. Go to SMTP connector->Properties->Security Tab.
  3. Check the box to Use Alternate Welcome Message.
  4. Enter your message in the box.
  5. Restart the SMTP service for this to take effect.

Postfix

We will need to edit the file /etc/postfix/main.cf. Do this as root or a sudo user. Postfix will prepend the 220 code.

  1. Open /etc/postfix/main.cf with your favourite text editor, or in vi.
  2. Find the parameter smtpd_banner. By default, it’s set as:

    smtpd_banner = $myhostname ESMTP $mail_name

  3. Edit this value as desired.
  4. Save the file, and restart Postfix.

Lotus Domino

According to lotus.com, directly editing the NOTES.INI file is unsafe, so we’ll use their instructions for this. Domino will prepend the 220 code.

  1. From the Domino Administrator, open the Domino Directory and click the Configuration tab.
  2. To modify NOTES.INI settings on the server, click the NOTES.INI Settings tab. This tab lists a number of current settings in the server’s NOTES.INI file.
  3. To add or change a setting, click Set/Modify Parameters to display all settings that you can set in the Configuration Settings document. Select the variable SMTPGREETING.
  4. Set the string to whatever you want. You can use %s as a variable for the system date/time.
  5. Save and close the document.

With that, your mail server will continue to greet other MTAs with the required 220, may give an auditor a laugh, but will not give the bad guys any extra information. Remember, security is all about layers, and this is a fairly simple layer to set up.
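Once the banner is changed, it is worth confirming that the greeting still starts with 220 and no longer names the product or version. The following check is an added example, not part of the original article; the function names, the product-name list and the sample banners are assumptions constructed for illustration.

```python
import re
import socket

# Product names that default banners tend to include (assumed list, extend as needed).
PRODUCT_HINTS = ("sendmail", "postfix", "microsoft", "exchange", "mailenable", "domino")
# Dotted version numbers such as 8.14.4 (an IP literal in the banner would also match).
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")


def audit_banner(banner):
    """Return a list of findings for one SMTP greeting (may span several lines)."""
    lines = [ln for ln in banner.replace("\r\n", "\n").split("\n") if ln]
    if not lines:
        return ["empty greeting"]
    findings = []
    for i, ln in enumerate(lines, 1):
        # Continuation lines use "220-", the final line uses "220 ".
        want = "220 " if i == len(lines) else "220-"
        if not ln.startswith(want):
            findings.append(f"line {i}: does not start with {want!r}")
    text = " ".join(re.sub(r"^220[ -]?", "", ln) for ln in lines).lower()
    for name in PRODUCT_HINTS:
        if re.search(rf"\b{name}\b", text):
            findings.append(f"names product: {name}")
    match = VERSION_RE.search(text)
    if match:
        findings.append(f"contains version-like string: {match.group()}")
    return findings


def fetch_banner(host, port=25, timeout=10):
    """Read the greeting from a mail server you administer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        lines = []
        for line in sock.makefile("r", encoding="ascii", errors="replace"):
            lines.append(line.rstrip("\r\n"))
            if not line.startswith("220-"):  # last line of the greeting
                break
        return "\n".join(lines)


# Constructed sample greetings, not captured from real servers.
SAMPLES = {
    "sendmail default": "220 mail.example.com ESMTP Sendmail 8.14.4/8.14.4; Fri, 27 Aug 2010 10:00:00 -0400",
    "postfix default": "220 mail.example.com ESMTP Postfix",
    "customised": "220 mail.example.com ESMTP ready",
    "missing code": "mail.example.com ready",
}

if __name__ == "__main__":
    for label, banner in SAMPLES.items():
        print(label, "->", audit_banner(banner) or "ok")
```

To check a live server, pass the result of `fetch_banner("mail.example.com")` to `audit_banner`, replacing the placeholder hostname with your own.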
