smtp.log

In the section discussing the http.log, we noted that most HTTP traffic is now encrypted and transmitted as HTTPS. We face a similar situation with Simple Mail Transfer Protocol (SMTP). For a protocol with “simple” in its name, modern instantiations of SMTP are surprisingly complex.

For the purpose of this article, it’s sufficient to recognize that a mail user agent (MUA) seeking to submit email via SMTP will contact a mail submission agent (MSA). Modern implementations use port 587 or 465 TCP, where the session is encrypted using TLS. Unencrypted implementations use port 25 TCP.

Because SMTP traffic on ports 587 and 465 TCP is encrypted, we will not see individual emails when observing traffic on those ports. This section demonstrates how Zeek reports on email traffic using ports 25, 465, and 587 TCP.

Remember that to see the meaning of each field in the smtp.log, check SMTP::Info.

Inspecting SMTP Traffic

The following is a capture of an SMTP session retrieved from an online packet capture database. I have reconstructed the session using tcpflow and edited it to remove material not necessary to make my point.

SMTP server: 220-xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.

SMTP client: EHLO GP

SMTP server: 250-xc90.websitewelcome.com Hello GP [122.162.143.157]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP

SMTP client: AUTH LOGIN

SMTP server: 334 VXNlcm5hbWU6

SMTP client: Z3VycGFydGFwQHBhdHJpb3RzLmlu

SMTP server: 334 UGFzc3dvcmQ6

SMTP client: cHVuamFiQDEyMw==

SMTP server: 235 Authentication succeeded

SMTP client: MAIL FROM: <gurpartap@patriots.in>

SMTP server: 250 OK

SMTP client: RCPT TO: <raj_deol2002in@yahoo.co.in>

SMTP server: 250 Accepted

SMTP client: DATA

SMTP server: 354 Enter message, ending with "." on a line by itself

SMTP client: From: "Gurpartap Singh" <gurpartap@patriots.in>
To: <raj_deol2002in@yahoo.co.in>
Subject: SMTP
Date: Mon, 5 Oct 2009 11:36:07 +0530
Message-ID: <000301ca4581$ef9e57f0$cedb07d0$@in>
MIME-Version: 1.0
Content-Type: multipart/mixed;
.boundary="----=_NextPart_000_0004_01CA45B0.095693F0"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcpFgem9BvjjZEDeR1Kh8i+hUyVo0A==
Content-Language: en-us
x-cr-hashedpuzzle: SeA= AAR2 ADaH BpiO C4G1 D1gW FNB1 FPkR Fn+W HFCP HnYJ JO7s Kum6 KytW LFcI LjUt;1;cgBhAGoAXwBkAGUAbwBsADIAMAAwADIAaQBuAEAAeQBhAGgAbwBvAC4AYwBvAC4AaQBuAA==;Sosha1_v1;7;{CAA37F59-1850-45C7-8540-AA27696B5398};ZwB1AHIAcABhAHIAdABhAHAAQABwAGEAdAByAGkAbwB0AHMALgBpAG4A;Mon, 05 Oct 2009 06:06:01 GMT;UwBNAFQAUAA=
x-cr-puzzleid: {CAA37F59-1850-45C7-8540-AA27696B5398}

This is a multipart message in MIME format.

------=_NextPart_000_0004_01CA45B0.095693F0
Content-Type: multipart/alternative;
.boundary="----=_NextPart_001_0005_01CA45B0.095693F0"


------=_NextPart_001_0005_01CA45B0.095693F0
Content-Type: text/plain;
.charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hello



I send u smtp pcap file

Find the attachment



GPS


------=_NextPart_001_0005_01CA45B0.095693F0
Content-Type: text/html;
.charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microso
SMTP client: ft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
...edited...
  <o:idmap v:ext=3D"edit" data=3D"1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple>

<div class=3DSection1>
SMTP client:

<p class=3DMsoNormal>Hello<o:p></o:p></p>

<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>

<p class=3DMsoNormal>I send u smtp pcap file <o:p></o:p></p>

<p class=3DMsoNormal>Find the attachment<o:p></o:p></p>

<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>

<p class=3DMsoNormal>GPS<o:p></o:p></p>

</div>

</body>

</html>

------=_NextPart_001_0005_01CA45B0.095693F0--

------=_NextPart_000_0004_01CA45B0.095693F0
Content-Type: text/plain;
.name="NEWS.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
.filename="NEWS.txt"

Version 4.9.9.1
* Many bug fixes
* Improved editor
...edited...
SMTP client: From: "Gurpartap Singh" <gurpartap@patriots.in>
To: <raj_deol2002in@yahoo.co.in>
Subject: SMTP
Date: Mon, 5 Oct 2009 11:36:07 +0530
Message-ID: <000301ca4581$ef9e57f0$cedb07d0$@in>
MIME-Version: 1.0
Content-Type: multipart/mixed;
.boundary="----=_NextPart_000_0004_01CA45B0.095693F0"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcpFgem9BvjjZEDeR1Kh8i+hUyVo0A==
Content-Language: en-us
x-cr-hashedpuzzle: SeA= AAR2 ADaH BpiO C4G1 D1gW FNB1 FPkR Fn+W HFCP HnYJ JO7s Kum6 KytW LFcI LjUt;1;cgBhAGoAXwBkAGUAbwBsADIAMAAwADIAaQBuAEAAeQBhAGgAbwBvAC4AYwBvAC4AaQBuAA==;Sosha1_v1;7;{CAA37F59-1850-45C7-8540-AA27696B5398};ZwB1AHIAcABhAHIAdABhAHAAQABwAGEAdAByAGkAbwB0AHMALgBpAG4A;Mon, 05 Oct 2009 06:06:01 GMT;UwBNAFQAUAA=
x-cr-puzzleid: {CAA37F59-1850-45C7-8540-AA27696B5398}

This is a multipart message in MIME format.

------=_NextPart_000_0004_01CA45B0.095693F0
Content-Type: multipart/alternative;
.boundary="----=_NextPart_001_0005_01CA45B0.095693F0"


------=_NextPart_001_0005_01CA45B0.095693F0
Content-Type: text/plain;
.charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hello



I send u smtp pcap file

Find the attachment



GPS


------=_NextPart_001_0005_01CA45B0.095693F0
Content-Type: text/html;
.charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas
SMTP client: -microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">
<style>
...edited...
  <o:idmap v:ext=3D"edit" data=3D"1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple>

<div cl
SMTP client: ass=3DSection1>

<p class=3DMsoNormal>Hello<o:p></o:p></p>

<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>

<p class=3DMsoNormal>I send u smtp pcap file <o:p></o:p></p>

<p class=3DMsoNormal>Find the attachment<o:p></o:p></p>

<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>

<p class=3DMsoNormal>GPS<o:p></o:p></p>

</div>

</body>

</html>

------=_NextPart_001_0005_01CA45B0.095693F0--

------=_NextPart_000_0004_01CA45B0.095693F0
Content-Type: text/plain;
.name="NEWS.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
.filename="NEWS.txt"

Version 4.9.9.1
* Many bug fixes
* Improved editor
...edited...
* Allow user to specify an alternate configuration file in Environment =
Options=20
...edited...
Version 4.9.4.1 (5.0 beta 4.1):

* back to gcc 2.95.3
* Profiling support
* new update/packages checker (vUpdate)
* Lots of bugfixes

------=_NextPart_000_00
SMTP client: 04_01CA45B0.095693F0--

.

SMTP server: 250 OK id=1Mugho-0003Dg-Un

SMTP client: QUIT

SMTP server: 221 xc90.websitewelcome.com closing connection

Looking at this transcript, we see that a single message, in both text and HTML formats and sent with Message-ID: <000301ca4581$ef9e57f0$cedb07d0$@in>, was transmitted. It included an attachment that looks like the release notes for a piece of software. Let’s see what Zeek can make of this.

Inspecting the smtp.log

One of Zeek’s strengths is making sense of all the information present in a protocol it understands. Here is the entry from the smtp.log for the email shown above.

{
  "ts": 1254722768.219663,
  "uid": "C1qe8w3QHRF2N5tVV5",
  "id.orig_h": "10.10.1.4",
  "id.orig_p": 1470,
  "id.resp_h": "74.53.140.153",
  "id.resp_p": 25,
  "trans_depth": 1,
  "helo": "GP",
  "mailfrom": "gurpartap@patriots.in",
  "rcptto": [
    "raj_deol2002in@yahoo.co.in"
  ],
  "date": "Mon, 5 Oct 2009 11:36:07 +0530",
  "from": "\"Gurpartap Singh\" <gurpartap@patriots.in>",
  "to": [
    "<raj_deol2002in@yahoo.co.in>"
  ],
  "msg_id": "<000301ca4581$ef9e57f0$cedb07d0$@in>",
  "subject": "SMTP",
  "last_reply": "250 OK id=1Mugho-0003Dg-Un",
  "path": [
    "74.53.140.153",
    "10.10.1.4"
  ],
  "user_agent": "Microsoft Office Outlook 12.0",
  "tls": false,
  "fuids": [
    "Fel9gs4OtNEV6gUJZ5",
    "Ft4M3f2yMvLlmwtbq9",
    "FL9Y0d45OI4LpS6fmh"
  ]
}

The mailfrom, rcptto, from, and to fields are easy to see in this log output. The user_agent, the IP addresses involved in transmission (path), and the msg_id are also easy to find. Finally, Zeek provides three file identifiers (fuids) that we can use to find associated extracted files, if any are present.
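To make the mapping between the dialogue above and the smtp.log fields concrete, here is an added example (not Zeek code, and not part of the original page) that reduces a cleartext SMTP transaction to those fields. The transcript it parses is a constructed, shortened copy of the port 25 session shown above, with the base64 AUTH values left out; the "S:"/"C:" direction markers and the auth_in_clear flag are this example’s own conventions, not Zeek’s.

```python
import re
# Constructed sample: the port 25 dialogue shown above, cut to the lines that map
# onto smtp.log fields ("S:" server, "C:" client); the base64 AUTH values are elided.
SESSION = """\
C: EHLO GP
C: AUTH LOGIN
S: 235 Authentication succeeded
C: MAIL FROM: <gurpartap@patriots.in>
C: RCPT TO: <raj_deol2002in@yahoo.co.in>
C: DATA
C: From: "Gurpartap Singh" <gurpartap@patriots.in>
C: To: <raj_deol2002in@yahoo.co.in>
C: Message-ID: <000301ca4581$ef9e57f0$cedb07d0$@in>
C: X-Mailer: Microsoft Office Outlook 12.0
C:
C: .
S: 250 OK id=1Mugho-0003Dg-Un
C: QUIT
S: 221 xc90.websitewelcome.com closing connection
"""

# Message headers Zeek copies into smtp.log, keyed by lower-cased header name.
HEADER_FIELDS = {"from": "from", "to": "to", "subject": "subject", "date": "date",
                 "message-id": "msg_id", "x-mailer": "user_agent"}

def addr(arg):
    m = re.search(r"<([^>]*)>", arg)              # 'FROM: <a@b>' -> 'a@b'
    return m.group(1) if m else arg.split(":", 1)[-1].strip()

def parse_smtp_session(session):
    info = {"rcptto": [], "to": [], "tls": False, "auth_in_clear": False}
    state, in_headers = "cmd", False              # "cmd" or "data"
    for line in session.splitlines():
        side, text = line[:1], line[2:].strip()
        if side == "S":
            if state == "cmd":
                info["last_reply"] = text         # Zeek keeps the last reply seen
        elif state == "data":
            if text == ".":
                state = "cmd"                     # end of message body
            elif in_headers and text:
                name, _, value = text.partition(": ")
                field = HEADER_FIELDS.get(name.lower())
                if field == "to":
                    info["to"].append(value)      # smtp.log stores 'to' as a list
                elif field:
                    info[field] = value
            else:
                in_headers = False                # blank line ends the header block
        else:
            verb, _, arg = text.partition(" ")
            if verb in ("HELO", "EHLO"):
                info["helo"] = arg
            elif verb == "MAIL":
                info["mailfrom"] = addr(arg)
            elif verb == "RCPT":
                info["rcptto"].append(addr(arg))
            elif verb == "STARTTLS":
                info["tls"] = True
            elif verb == "AUTH" and not info["tls"]:
                info["auth_in_clear"] = True      # credentials crossed the wire unprotected
            elif verb == "DATA":
                state, in_headers = "data", True
            elif verb == "QUIT":
                break                             # the record is logged before QUIT/221
    return info
```

Running parse_smtp_session(SESSION) yields the same helo, mailfrom, rcptto, from, to, msg_id, user_agent and last_reply values that appear in the smtp.log entry above, plus the auth_in_clear flag that explains why a tls: false session on port 25 deserves attention.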

Inspecting Extracted Files

A look into the extract_files/ directory yields the following entries:

$ file extract_files/*
extract_files/SMTP-Fel9gs4OtNEV6gUJZ5.txt: ASCII text, with CRLF line terminators
extract_files/SMTP-FL9Y0d45OI4LpS6fmh.txt: ASCII text, with CRLF line terminators

We see two files here, both in ASCII text format. Their names carry two of the three file identifiers seen in the smtp.log entry. The third is likely not present because this instance of Zeek was configured to extract only files in text format.

Let’s look at the two files using the head utility, which by default prints only the first 10 lines.

$ head extract_files/SMTP-Fel9gs4OtNEV6gUJZ5.txt
Hello



I send u smtp pcap file

Find the attachment
$ head extract_files/SMTP-FL9Y0d45OI4LpS6fmh.txt
Version 4.9.9.1
* Many bug fixes
* Improved editor

Version 4.9.9.0
* Support for latest Mingw compiler system builds
* Bug fixes

Version 4.9.8.9
* New code tooltip display

The first file is the content of the email message. The second file is the beginning of the attachment.

Inspecting Zeek Logs for Traffic to Port 465 TCP

Analysts are more likely to find encrypted SMTP traffic in modern environments. Encrypted SMTP traffic will likely use either port 465 TCP or 587 TCP. In this example, we will look at Zeek logs for SMTP traffic using port 465 TCP.

You may see port 465 TCP as “SMTPS,” meaning “SMTP Secure.” This is a de facto standard, although it was not officially ratified by the Internet Assigned Numbers Authority (IANA). In fact, IANA has assigned port 465 TCP to the “URL Rendezvous Directory for SSM,” where SSM probably means Source-Specific Multicast. However, IANA’s Service Name and Transport Protocol Port Number Registry also lists “Message Submission over TLS” for port 465 TCP, which is the encrypted counterpart of its entry for port 25 TCP and SMTP.

http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt

In any case, for a sample SMTPS connection on port 465 TCP, Zeek produced the following logs.

First is a conn.log entry, where SSL is seen as the service:

{
  "ts": "2020-08-15T13:14:33.101858Z",
  "uid": "CZ4iBM3vh98hH5GmV",
  "id.orig_h": "192.168.4.43",
  "id.orig_p": 61329,
  "id.resp_h": "74.125.192.108",
  "id.resp_p": 465,
  "proto": "tcp",
  "service": "ssl",
  "duration": 0.08411312103271484,
  "orig_bytes": 348,
  "resp_bytes": 3257,
  "conn_state": "SF",
  "local_orig": true,
  "local_resp": false,
  "missed_bytes": 0,
  "history": "ShADdafF",
  "orig_pkts": 11,
  "orig_ip_bytes": 800,
  "resp_pkts": 10,
  "resp_ip_bytes": 3669,
  "community_id": "1:NArgsDn5hgq6xjy6xTiMPZCgDKE="
}

Zeek created two files.log entries for observed x509 certificates:

{
  "ts": "2020-08-15T13:14:33.157292Z",
  "fuid": "F2cHKgS8RS2OyLdI4",
  "tx_hosts": [
    "74.125.192.108"
  ],
  "rx_hosts": [
    "192.168.4.43"
  ],
  "conn_uids": [
    "CZ4iBM3vh98hH5GmV"
  ],
  "source": "SSL",
  "depth": 0,
  "analyzers": [
    "X509",
    "MD5",
    "SHA1"
  ],
  "mime_type": "application/x-x509-user-cert",
  "duration": 0,
  "local_orig": false,
  "is_orig": false,
  "seen_bytes": 1228,
  "missing_bytes": 0,
  "overflow_bytes": 0,
  "timedout": false,
  "md5": "772f22ceaa7d6e285a9068718e8251af",
  "sha1": "5849d577c3f434125724459e3b32025247fda56d"
}

{
  "ts": "2020-08-15T13:14:33.157292Z",
  "fuid": "Fl9EEK26t5qzDVW3vf",
  "tx_hosts": [
    "74.125.192.108"
  ],
  "rx_hosts": [
    "192.168.4.43"
  ],
  "conn_uids": [
    "CZ4iBM3vh98hH5GmV"
  ],
  "source": "SSL",
  "depth": 0,
  "analyzers": [
    "X509",
    "MD5",
    "SHA1"
  ],
  "mime_type": "application/x-x509-ca-cert",
  "duration": 0,
  "local_orig": false,
  "is_orig": false,
  "seen_bytes": 1102,
  "missing_bytes": 0,
  "overflow_bytes": 0,
  "timedout": false,
  "md5": "dbb23c939236012e71d5f44dbc2acea0",
  "sha1": "dfe2070c79e7ff36a925ffa327ffe3deecf8f9c2"
}

Finally, Zeek created an ssl.log entry with a server_name field that helps us see that the encrypted traffic was probably SMTP:

{
  "ts": "2020-08-15T13:14:33.157292Z",
  "uid": "CZ4iBM3vh98hH5GmV",
  "id.orig_h": "192.168.4.43",
  "id.orig_p": 61329,
  "id.resp_h": "74.125.192.108",
  "id.resp_p": 465,
  "version": "TLSv12",
  "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "curve": "x25519",
  "server_name": "smtp.gmail.com",
  "resumed": false,
  "established": true,
  "cert_chain_fuids": [
    "F2cHKgS8RS2OyLdI4",
    "Fl9EEK26t5qzDVW3vf"
  ],
  "client_cert_chain_fuids": [],
  "validation_status": "ok"
}

Inspecting Zeek Logs for Traffic to Port 587 TCP

The default server port for encrypted SMTP message submission is port 587 TCP.

For a sample encrypted SMTP connection on port 587 TCP, Zeek produced the following logs.

First is a conn.log entry, where SSL and SMTP are seen as the services:

{
  "ts": "2020-08-09T23:31:46.626484Z",
  "uid": "CCqmLfIrqQeWvXol4",
  "id.orig_h": "192.168.4.41",
  "id.orig_p": 49334,
  "id.resp_h": "17.42.251.41",
  "id.resp_p": 587,
  "proto": "tcp",
  "service": "ssl,smtp",
  "duration": 61.12906002998352,
  "orig_bytes": 1659,
  "resp_bytes": 7198,
  "conn_state": "SF",
  "local_orig": true,
  "local_resp": false,
  "missed_bytes": 0,
  "history": "ShAdDafFr",
  "orig_pkts": 29,
  "orig_ip_bytes": 3179,
  "resp_pkts": 26,
  "resp_ip_bytes": 8534,
  "community_id": "1:wM+UdwdNy9VK/LEhFBTcQCtAqo8="
}

Note that this is different from the port 465 TCP session, where only SSL was noted.

Next are three files.log entries for x509 certificates.

{
  "ts": "2020-08-09T23:31:46.800843Z",
  "fuid": "FmLTdUtlSHFynFf4j",
  "tx_hosts": [
    "17.42.251.41"
  ],
  "rx_hosts": [
    "192.168.4.41"
  ],
  "conn_uids": [
    "CCqmLfIrqQeWvXol4"
  ],
  "source": "SSL",
  "depth": 0,
  "analyzers": [
    "X509",
    "SHA1",
    "MD5"
  ],
  "mime_type": "application/x-x509-user-cert",
  "duration": 0,
  "local_orig": false,
  "is_orig": false,
  "seen_bytes": 3939,
  "missing_bytes": 0,
  "overflow_bytes": 0,
  "timedout": false,
  "md5": "484d47f1b847d67981eade5b2b1f5618",
  "sha1": "c262f01e83d6ce0c361e8b049e5be8fe6e55806b"
}
{
  "ts": "2020-08-09T23:31:46.800843Z",
  "fuid": "F5ITBU2e5kcvYpOZJd",
  "tx_hosts": [
    "17.42.251.41"
  ],
  "rx_hosts": [
    "192.168.4.41"
  ],
  "conn_uids": [
    "CCqmLfIrqQeWvXol4"
  ],
  "source": "SSL",
  "depth": 0,
  "analyzers": [
    "X509",
    "SHA1",
    "MD5"
  ],
  "mime_type": "application/x-x509-ca-cert",
  "duration": 0,
  "local_orig": false,
  "is_orig": false,
  "seen_bytes": 1092,
  "missing_bytes": 0,
  "overflow_bytes": 0,
  "timedout": false,
  "md5": "48f0e38385112eeca5fc9ffd402eaecd",
  "sha1": "8e8321ca08b08e3726fe1d82996884eeb5f0d655"
}
{
  "ts": "2020-08-09T23:31:46.800843Z",
  "fuid": "F453Xk1oZcMiI6X3a7",
  "tx_hosts": [
    "17.42.251.41"
  ],
  "rx_hosts": [
    "192.168.4.41"
  ],
  "conn_uids": [
    "CCqmLfIrqQeWvXol4"
  ],
  "source": "SSL",
  "depth": 0,
  "analyzers": [
    "X509",
    "SHA1",
    "MD5"
  ],
  "mime_type": "application/x-x509-ca-cert",
  "duration": 0,
  "local_orig": false,
  "is_orig": false,
  "seen_bytes": 856,
  "missing_bytes": 0,
  "overflow_bytes": 0,
  "timedout": false,
  "md5": "f775ab29fb514eb7775eff053c998ef5",
  "sha1": "de28f4a4ffe5b92fa3c503d1a349a7f9962a8212"
}

Next we have a smtp.log entry that shows the clear text fields Zeek could extract prior to the negotiation of encryption:

{
  "ts": "2020-08-09T23:31:46.696892Z",
  "uid": "CCqmLfIrqQeWvXol4",
  "id.orig_h": "192.168.4.41",
  "id.orig_p": 49334,
  "id.resp_h": "17.42.251.41",
  "id.resp_p": 587,
  "trans_depth": 1,
  "helo": "[192.168.4.41]",
  "last_reply": "220 2.0.0 Ready to start TLS",
  "path": [
    "17.42.251.41",
    "192.168.4.41"
  ],
  "tls": true,
  "fuids": [],
  "is_webmail": false
}

Finally, we have an ssl.log entry with a helpful server_name implying that this is SMTP traffic.

{
  "ts": "2020-08-09T23:31:46.800843Z",
  "uid": "CCqmLfIrqQeWvXol4",
  "id.orig_h": "192.168.4.41",
  "id.orig_p": 49334,
  "id.resp_h": "17.42.251.41",
  "id.resp_p": 587,
  "version": "TLSv12",
  "cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "curve": "secp256r1",
  "server_name": "p71-smtp.mail.me.com",
  "resumed": false,
  "established": true,
  "cert_chain_fuids": [
    "FmLTdUtlSHFynFf4j",
    "F5ITBU2e5kcvYpOZJd",
    "F453Xk1oZcMiI6X3a7"
  ],
  "client_cert_chain_fuids": [],
  "validation_status": "ok"
}

It is helpful that the more standardized protocol running on port 587 TCP has more SMTP-related coverage, despite being encrypted.

Other Email Protocols: IMAP over TLS

Before finishing this section, it might be helpful to look at two other email protocols and what Zeek makes of them.

Internet Message Access Protocol (IMAP) is a protocol that clients use to retrieve email from mail servers. The server for the clear-text variant listens on port 143 TCP. The encrypted variant, IMAP over TLS (historically referred to as IMAP over SSL), listens on port 993 TCP.

There is currently no imap.log created by Zeek for the unencrypted or encrypted variants.

The following example shows what Zeek sees when IMAP over TLS is active on port 993 TCP.

Zeek creates a conn.log entry, as usual, with the service identified as SSL:

{
  "ts": "2020-08-17T03:01:16.752745Z",
  "uid": "CZzvVe1KOD9D1TewCk",
  "id.orig_h": "192.168.4.23",
  "id.orig_p": 61579,
  "id.resp_h": "172.253.122.108",
  "id.resp_p": 993,
  "proto": "tcp",
  "service": "ssl",
  "duration": 0.8354301452636719,
  "orig_bytes": 1582,
  "resp_bytes": 2499,
  "conn_state": "SF",
  "local_orig": true,
  "local_resp": false,
  "missed_bytes": 0,
  "history": "ShADadFfR",
  "orig_pkts": 37,
  "orig_ip_bytes": 3482,
  "resp_pkts": 35,
  "resp_ip_bytes": 4327,
  "community_id": "1:Ug0SOBN+9zdqsSiesc5zQf9mr+I="
}

The server_name in the ssl.log entry indicates that this is an IMAP session.

{
  "ts": "2020-08-17T03:01:16.865252Z",
  "uid": "CZzvVe1KOD9D1TewCk",
  "id.orig_h": "192.168.4.23",
  "id.orig_p": 61579,
  "id.resp_h": "172.253.122.108",
  "id.resp_p": 993,
  "version": "TLSv13",
  "cipher": "TLS_AES_128_GCM_SHA256",
  "curve": "x25519",
  "server_name": "imap.gmail.com",
  "resumed": true,
  "established": true
}

Note the use of TLS 1.3. Because this protocol version encrypts the certificate exchange, we do not have certificate details, i.e., there are no files.log or x509.log entries.

Other Email Protocols: POP over TLS

A protocol similar to IMAP using a different port is Post Office Protocol (POP). The traditional unencrypted server listens on port 110 TCP. The encrypted variant listens on port 995 TCP. As before, here are two entries.

There is currently no pop.log created by Zeek for the unencrypted or encrypted variants.

The following example shows what Zeek sees when POP over TLS is active on port 995 TCP.

Zeek creates a conn.log entry, as usual, with the service identified as SSL:

{
  "ts": "2020-07-02T21:19:34.048427Z",
  "uid": "CzhwYd95h2GWh9bD8",
  "id.orig_h": "192.168.4.42",
  "id.orig_p": 50938,
  "id.resp_h": "142.250.31.109",
  "id.resp_p": 995,
  "proto": "tcp",
  "service": "ssl",
  "duration": 11.121870994567871,
  "orig_bytes": 2056,
  "resp_bytes": 1034478,
  "conn_state": "SF",
  "local_orig": true,
  "local_resp": false,
  "missed_bytes": 0,
  "history": "ShADadtfFr",
  "orig_pkts": 226,
  "orig_ip_bytes": 11156,
  "resp_pkts": 865,
  "resp_ip_bytes": 1075618,
  "community_id": "1:41G4TR4OvkRdEhCPft5bqJWyJVc="
}

The server_name in the ssl.log entry indicates that this is a POP session.

{
  "ts": "2020-07-02T21:19:34.067004Z",
  "uid": "CzhwYd95h2GWh9bD8",
  "id.orig_h": "192.168.4.42",
  "id.orig_p": 50938,
  "id.resp_h": "142.250.31.109",
  "id.resp_p": 995,
  "version": "TLSv13",
  "cipher": "TLS_AES_128_GCM_SHA256",
  "curve": "x25519",
  "server_name": "pop.gmail.com",
  "resumed": true,
  "established": true
}

Again, note the use of TLS 1.3. Because this protocol version encrypts the certificate exchange, we do not have certificate details, i.e., there are no files.log or x509.log entries.
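The sections above show that which log answers the question “is this mail traffic, and was it protected?” depends on the port: smtp.log for 25 and 587, and only conn.log/ssl.log for 465, 993 and 995. The following added example (not Zeek code, and not part of the original page) runs that reasoning over constructed smtp.log and ssl.log lines abbreviated from the entries above, flagging cleartext SMTP and noting when TLS 1.3 or session resumption leaves no certificate fuids to pivot on. The output field names (finding, sni_agrees, cert_fuids, tls13_or_resumed) are this example’s own, not Zeek’s.

```python
import json
# Constructed sample lines, abbreviated from the smtp.log and ssl.log entries on this
# page (one JSON object per line, as Zeek writes them with the JSON log writer).
SMTP_LOG = """\
{"uid": "C1qe8w3QHRF2N5tVV5", "id.resp_h": "74.53.140.153", "id.resp_p": 25, "mailfrom": "gurpartap@patriots.in", "tls": false, "fuids": ["Fel9gs4OtNEV6gUJZ5", "Ft4M3f2yMvLlmwtbq9", "FL9Y0d45OI4LpS6fmh"]}
{"uid": "CCqmLfIrqQeWvXol4", "id.resp_h": "17.42.251.41", "id.resp_p": 587, "helo": "[192.168.4.41]", "last_reply": "220 2.0.0 Ready to start TLS", "tls": true, "fuids": []}
"""
SSL_LOG = """\
{"uid": "CZ4iBM3vh98hH5GmV", "id.resp_h": "74.125.192.108", "id.resp_p": 465, "version": "TLSv12", "server_name": "smtp.gmail.com", "resumed": false, "cert_chain_fuids": ["F2cHKgS8RS2OyLdI4", "Fl9EEK26t5qzDVW3vf"]}
{"uid": "CCqmLfIrqQeWvXol4", "id.resp_h": "17.42.251.41", "id.resp_p": 587, "version": "TLSv12", "server_name": "p71-smtp.mail.me.com", "resumed": false, "cert_chain_fuids": ["FmLTdUtlSHFynFf4j", "F5ITBU2e5kcvYpOZJd", "F453Xk1oZcMiI6X3a7"]}
{"uid": "CZzvVe1KOD9D1TewCk", "id.resp_h": "172.253.122.108", "id.resp_p": 993, "version": "TLSv13", "server_name": "imap.gmail.com", "resumed": true}
{"uid": "CzhwYd95h2GWh9bD8", "id.resp_h": "142.250.31.109", "id.resp_p": 995, "version": "TLSv13", "server_name": "pop.gmail.com", "resumed": true}
"""

# Implicit-TLS mail ports for which Zeek writes no protocol log, only conn/ssl.
TLS_MAIL_PORTS = {465: "SMTPS", 993: "IMAPS", 995: "POP3S"}
SNI_HINTS = ("smtp", "imap", "pop")     # host-label fragments that corroborate a guess

def parse_json_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def classify_mail_sessions(smtp_log, ssl_log):
    """Return {uid: summary} for each mail session visible in smtp.log and ssl.log."""
    report = {}
    for e in parse_json_log(smtp_log):
        s = {"service": "SMTP", "port": e["id.resp_p"], "encrypted": e["tls"],
             "extracted_files": len(e.get("fuids", []))}
        if e["tls"]:
            # Only the pre-STARTTLS dialogue (HELO/EHLO, "220 Ready to start TLS") is logged.
            s["finding"] = "STARTTLS negotiated; envelope and body not visible"
        else:
            # Envelope, headers, AUTH exchange and body all crossed the wire in clear.
            s["finding"] = "cleartext SMTP; credentials and content exposed"
        report[e["uid"]] = s
    for e in parse_json_log(ssl_log):
        if e["uid"] in report:
            continue                      # already explained by smtp.log (the 587 case)
        sni = e.get("server_name", "")
        service = TLS_MAIL_PORTS.get(e["id.resp_p"])
        sni_agrees = any(h in sni.split(".")[0] for h in SNI_HINTS)
        if service is None and not sni_agrees:
            continue                      # nothing in these two logs says "mail"
        report[e["uid"]] = {
            "service": service or "TLS to a mail-looking host", "port": e["id.resp_p"],
            "encrypted": True, "sni": sni, "sni_agrees": sni_agrees,
            # TLS 1.3 encrypts the certificate exchange (and a resumed session sends
            # none), so there may be no fuids to pivot into files.log / x509.log.
            "cert_fuids": len(e.get("cert_chain_fuids", [])),
            "tls13_or_resumed": e.get("version") == "TLSv13" or e.get("resumed", False)}
    return report

if __name__ == "__main__":
    for uid, s in classify_mail_sessions(SMTP_LOG, SSL_LOG).items():
        print(uid, s)
```

Pointing the two parse calls at real smtp.log and ssl.log files (one JSON record per line) turns this into the periodic check the Conclusion recommends.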

Conclusion

This section showed how Zeek renders logs for SMTP traffic, whether using the older clear-text or the modern encrypted version. It is helpful to query Zeek logs periodically to determine what sorts of SMTP traffic are present in your environment.