• Sales: 1-800-961-2888
  • Support: 1-800-961-4454

Postfix - Checking for an Open Relay


Open relays are a bad thing - they allow anyone to send email from your mail server. The mail server does not check that it is authorized to send mail from the mail address on the third-party email.

What this means is that anyone can send email via your Cloud Server IP from any mail address. This tends to annoy people and your IP ends up on blacklists. Also, your legitimate email is not being received by the people you are sending it to.

Checking

By default, the Postfix mail server application does not run as an open relay.  However, this does not mean we should be relaxed in our security checks.

The good news is that testing for the running of an open relay is very easy to do from the command line.

There are also online services that can conduct checks for us.

Checking from a Command Line

The first method we'll look at is testing from the command line. This does use a third-party service to check for us. You could check using telnet and attempting third party mail addresses, but that is a long and tedious method.

Log into your Cloud Server and use the following command:

telnet rt.njabl.org 2500

After a few seconds, the service offered by njabl.org begins to test your mail server for the running of an open relay.

The results are quite lengthy so we did not post it all here. However, a portion of the output is similar to this:

>>> MAIL FROM:<"relaytestsend@rt.njabl.org"@mail.democloud.com>
<<< 250 2.1.0 Ok
>>> RCPT TO:<relaytest@rr.njabl.org>
<<< 554 5.7.1 <relaytest@rr.njabl.org>: Relay access denied
>>> RSET
<<< 250 2.0.0 Ok
>>> MAIL FROM:<relaytestsend>
<<< 250 2.1.0 Ok
>>> RCPT TO:<relaytest@rr.njabl.org>
<<< 554 5.7.1 <relaytest@rr.njabl.org>: Relay access denied

Check all the output carefully. Make absolutely sure that you are not allowing any relay access.

Browser-Based Checking

There are many open relay testing applications on the Internet. Type open relay test in any browser to find out more information on open relays.

One result that comes up is this service:

http://www.abuse.net/relay.html

For this service, all you need to do is enter your mail domain in the "Address to test:“ field.

For our example, we entered mail.democloud.com.

At the time of writing, the service conducted 17 different tests and provided a summary of each test.

Our search provided a positive result:

All tests performed, no relays accepted.

Very comforting to know!

Summary

By default, Postfix does not run as an open relay. However, checking for one is very simple and helps to reduce your Cloud Server IP ending up on a spam blacklist.

As with most of our articles, there is plenty of additional technical material available about this topic that is not covered here, as there simply isn't the space.

However, as soon as you install and set up any mail server, checking for an open relay is one of the basic checks that should be performed. This ends the

section on setting up your server so that your applications are able to send email.  For information on how to set up a more robust mail server, please go here.

 








© 2011-2013 Rackspace US, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License


See license specifics and DISCLAIMER