Is it possible to determine the mailserver software (MTA) used based on a domain?

Given the domain from the MX record, is it possible to get the name of the mailserver software (MTA) used on this server?

Example

MX record for gmail.com returns (among others) gmail-smtp-in.l.google.com. Is there a way to find out if Google is using e.g. postfix, exim, ...?


Solution 1:

You cannot reliably determine all software used by arbitrary recipients, but you can with some certainty attribute most - if you are able to connect to the server and run some tests. The server name as published in the MX record alone usually includes no information whatsoever about the software used.

Things that commonly help you guess:

  • when connecting, the greeting (code 220) will often quite literally spell out Postfix
  • common error messages are not strictly standardized - deliberately triggering such an error (e.g. syntax, non-existing address, ..) will often return a message unique to one software
  • many providers will publish what they use (almost have to, in order to hire specialists)

Things you cannot easily determine:

  • providers, even when they do use common and publicly available software, might have applied substantial local customizations
  • additional mail exchanges running behind the one you directly con
  • deliberately changing behaviour for uncommonly legitimate situations in order to spend less resources on spammers & bots (see "tarpit", "honeypot", ..)

‡ Note that the poking around to collect enough data to gather a good fingerprint is considered abusive by many. If your local law or your ISP considers this abusive, too, this might get you shut down. You might, however, find all the information you need stored in network scanner databases (e.g. Shodan) without having to acquire your own data.
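
The greeting check from the first bullet, as an added example that is not part of the original answer: it parses a saved SMTP 220 greeting (single-line or multi-line) and reports which MTA name, if any, the banner discloses, which is also a quick way to review what your own server announces. The signature strings are illustrative assumptions about default banners, and the sample greetings are constructed, not captured from any real server.

```python
import re

# Illustrative substrings found in default greetings. This list is an
# assumption for the example, not an exhaustive or authoritative catalogue.
SIGNATURES = [
    ("Postfix", "postfix"),
    ("Exim", "exim"),
    ("Sendmail", "sendmail"),
    ("Microsoft Exchange", "microsoft esmtp mail service"),
]
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_greeting(raw):
    """Return (code, [text lines]) for one SMTP reply.

    Handles the multi-line form: 'NNN-' continues, 'NNN ' ends the reply.
    """
    code, texts = None, []
    for line in raw.splitlines():
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        if code is None:
            code = m.group(1)
        elif m.group(1) != code:
            raise ValueError("reply code changed inside one reply")
        texts.append(m.group(3))
        if m.group(2) == " ":  # a space after the code marks the final line
            return int(code), texts
    raise ValueError("reply not terminated")


def guess_mta(raw):
    """Guess the MTA from a greeting; None means the banner names nothing known."""
    code, texts = parse_greeting(raw)
    if code != 220:
        return None  # e.g. 554: service refused, so there is no greeting to read
    joined = " ".join(texts).lower()
    for name, needle in SIGNATURES:
        if needle in joined:
            return name
    return None  # customized or stripped banner: no attribution possible


# Constructed sample greetings (hostnames and version are placeholders).
SAMPLES = {
    "default": "220 mx1.example.org ESMTP Postfix\r\n",
    "multiline": "220-mx2.example.org ESMTP Exim 4.96\r\n220 No unsolicited mail\r\n",
    "customized": "220 mx3.example.org ESMTP ready\r\n",
}
```

A `None` result only means the banner is silent or altered; as the answer notes, a customized banner or a front-end relay hides what actually runs behind it.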