Postfix - Checking for an Open Relay


Open relays are a bad thing - they allow anyone to send email from your mail server. The mail server does not check that it is authorized to send mail from the mail address on the third-party email.

What this means is that anyone can send email via your Cloud Server IP from any mail address. This tends to annoy people and your IP ends up on blacklists. Also, your legitimate email is not being received by the people you are sending it to.

Checking

By default, the Postfix mail server application does not run as an open relay. However, this does not mean we should be relaxed in our security checks.

The good news is that testing for the running of an open relay is very easy to do. There are online services that can conduct checks for us, or we can try sending unauthorized mail through the server ourselves.

Browser-Based Checking

There are many open relay testing applications on the Internet. Type open relay test in any browser to find out more information on open relays.

One result that comes up is this service:

http://mxtoolbox.com/diagnostic.aspx

For this service, all you need to do is enter your mail domain in the "Mail Server:" field. If it comes back with an error like "Invalid hostname", your server passed the test (in other words, didn't agree to relay email).

Checking with a mail client

Another way to test your SMTP server is to set up a machine that shouldn't be allowed to use the server to try and send email through it.

You can use your workstation for this, assuming you haven't configured your SMTP server to allow it access. If you have, temporarily remove it from the permissions list for this test.

Configure your mail client to use your server as its outgoing (SMTP) mail server. Don't enter authentication information, just use the server address.

With that done, try sending a message. Address it to anyone (even yourself) - just make sure the address isn't one handled by the mail server you're testing.

If the mail goes through, you have an open relay. That's a bad thing.

If the email is bounced back to you, you'll know your mail server isn't letting just anybody send messages through it. Rejoice, and restore your mail client's settings to what they were before you messed with its outgoing mail server.

Summary

By default, Postfix does not run as an open relay. However, checking for one is very simple and helps to reduce your Cloud Server IP ending up on a spam blacklist.

As with most of our articles, there is plenty of additional technical material available about this topic that is not covered here, as there simply isn't the space.

However, as soon as you install and set up any mail server, checking for an open relay is one of the basic checks that should be performed.  For more information on setting up a mail server on Linux, return to the first article in this series about installing and configuring postfix.



Was this content helpful?




© 2011-2013 Rackspace US, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License


See license specifics and DISCLAIMER