How to Test and Harden Your SMTP Banner
When a mail server accepts a connection, the first thing it sends is an SMTP banner (the 220 greeting). This banner reveals your server's identity and, if misconfigured, can expose software versions and internal hostnames that attackers exploit. A properly configured SMTP banner improves both security and deliverability.
Step 1: Check Your Current SMTP Banner
Use the SMTP Banner Test tool to connect to your mail server and retrieve the 220 greeting. You can also test manually:
telnet mail.example.com 25
# or using openssl: port 465 is implicit TLS, port 587 needs STARTTLS
openssl s_client -connect mail.example.com:465
openssl s_client -starttls smtp -connect mail.example.com:587
A typical banner looks like:
220 mail.example.com ESMTP Postfix (Ubuntu)
Step 2: Identify Information Leaks
Review your banner for details that should not be public:
- Software name and version: Postfix, Exim 4.96, Microsoft ESMTP MAIL Service
- Operating system: (Ubuntu), (Debian)
- Internal hostnames: Names like server42.internal.corp that reveal infrastructure
Any of these details help an attacker target known vulnerabilities in specific software versions.
Step 3: Configure a Clean Banner
Your SMTP banner should contain only the FQDN and a generic ESMTP greeting. Here are configurations for common mail servers:
# Postfix (/etc/postfix/main.cf)
smtpd_banner = mail.example.com ESMTP
# Exim (/etc/exim4/exim4.conf)
smtp_banner = mail.example.com ESMTP
# Sendmail (/etc/mail/sendmail.mc)
define(`confSMTP_LOGIN_MSG', `mail.example.com ESMTP')
Step 4: Align Banner with Reverse DNS
The hostname in your SMTP banner should match your server's PTR record and forward DNS. Use the Reverse DNS Lookup tool to check your PTR record. If your PTR says mail.example.com, your banner should start with the same hostname. This alignment is checked by many spam filters.
Step 5: Verify and Monitor
After making changes, restart your mail server and run the SMTP Banner Test again to confirm the new banner is active. Check that email delivery still works by sending test messages. Add banner checks to your regular security audit routine alongside Open Relay tests and Spam Score checks.
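For the recurring audit in Step 5, the checks from Steps 2 and 4 can be scripted. The Python below is an added example, not part of the original guide or of any tool it mentions: it parses a 220 greeting (including multi-line 220- replies), flags software, OS, version and internal-hostname leaks, and compares the banner hostname with a PTR name you supply. The token lists and internal-domain suffixes are assumptions to adapt to your environment.

```python
import re
import socket

# Constructed token lists for illustration (assumptions); extend for your own estate.
SOFTWARE = re.compile(r"\b(postfix|exim|sendmail|exchange|microsoft|qmail|zimbra)\b", re.I)
OS_NAMES = re.compile(r"\b(ubuntu|debian|centos|red hat|rhel|freebsd|windows)\b", re.I)
VERSION = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")
INTERNAL_SUFFIXES = (".internal", ".local", ".lan", ".corp", ".localdomain")


def fetch_banner(host, port=25, timeout=10):
    """Read the full 220 reply from a plain-text SMTP port (not implicit-TLS 465)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="ascii", errors="replace")
        lines = []
        for line in reader:
            lines.append(line.rstrip("\r\n"))
            if line[3:4] != "-":  # "220-" continues the reply, "220 " ends it
                break
        return "\n".join(lines)


def audit_banner(banner, ptr_name=None):
    """Return a list of findings for a 220 greeting; an empty list means clean."""
    texts = []
    for line in banner.splitlines():
        m = re.match(r"220[ -](.*)", line)
        if not m:
            return ["not a 220 greeting: %r" % line]
        texts.append(m.group(1))
    if not texts:
        return ["empty banner"]
    host, _, first_rest = texts[0].partition(" ")  # first token is the hostname
    host = host.rstrip(".").lower()
    rest = " ".join([first_rest] + texts[1:])      # everything after the hostname
    findings = []
    if "." not in host:
        findings.append("hostname is not an FQDN: %s" % host)
    if host.endswith(INTERNAL_SUFFIXES):
        findings.append("internal-looking hostname: %s" % host)
    for label, rx in (("software", SOFTWARE), ("os", OS_NAMES), ("version", VERSION)):
        hit = rx.search(rest)
        if hit:
            findings.append("%s disclosed: %s" % (label, hit.group(0)))
    if ptr_name and host != ptr_name.rstrip(".").lower():
        findings.append("banner host %s != PTR %s" % (host, ptr_name))
    return findings
```

Run audit_banner(fetch_banner("mail.example.com"), ptr_name="mail.example.com") against your own server and alert on any non-empty result.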
Frequently Asked Questions
What information should an SMTP banner contain?
An SMTP banner should contain the server's fully qualified domain name (FQDN) and a greeting. It should not expose the mail software name, version number, or operating system details, as this information helps attackers identify known vulnerabilities.
Does the SMTP banner affect email deliverability?
Yes. Some receiving servers check that the SMTP banner hostname matches the PTR record and forward DNS of the sending IP. A mismatch can lower your sender reputation and trigger spam filters.
How do I change the SMTP banner in Postfix?
In Postfix, set the smtpd_banner parameter in /etc/postfix/main.cf. For example: smtpd_banner = mail.example.com ESMTP. Then reload Postfix with postfix reload. Avoid including $mail_name or $mail_version in the banner.