id: starttls-mail-detect

info:
  name: STARTTLS Mail Server Detection
  author: r3dg33k
  severity: info
  tags: mail,starttls,network,detect
  description: |
    STARTTLS is an email protocol command that tells an email server that an email client, including an email client running in a web browser, wants to turn an existing insecure connection into a secure one.
  metadata:
    max-request: 2

tcp:
  - inputs:
      - data: "65686c6f20636865636b746c730a"
        type: hex
    read-size: 2048

    host:
      - "{{Hostname}}"
      - "{{Host}}:25"

    matchers:
      - type: word
        words:
          - "250-STARTTLS"