Postfix - Checking for an Open Relay
Open relays are a bad thing — they allow anyone to send email from your mail server. The mail server does not check that it is authorized to send mail from the mail address on the third-party email.
What this means is that anyone can send email via your Cloud Server IP from any mail address. This tends to annoy people and your IP ends up on blacklists. Also, your legitimate email is not being received by the people you are sending it to.
Checking
By default, the Postfix mail server application does not run as an open relay. However, this does not mean we should be relaxed in our security checks.
The good news is that testing for the running of an open relay is very easy to do from the command line.
There are also online services that can conduct checks for us.
Checking from a Command Line
The first method we’ll look at is testing from the command line. This does use a third-party service to check for us. You could check using telnet and attempting third party mail addresses, but that is a long and tedious method.
Log into your Cloud Server and use the following command:
telnet rt.njabl.org 2500
After a few seconds, the service offered by njabl.org begins to test your mail server for the running of an open relay.
The results are quite lengthy so we did not post it all here. However, a portion of the output is similar to this:
>>> MAIL FROM:<"relaytestsend@rt.njabl.org"@mail.democloud.com>
<<< 250 2.1.0 Ok
>>> RCPT TO:<relaytest@rr.njabl.org>
<<< 554 5.7.1 <relaytest@rr.njabl.org>: Relay access denied
>>> RSET
<<< 250 2.0.0 Ok
>>> MAIL FROM:<relaytestsend>
<<< 250 2.1.0 Ok
>>> RCPT TO:<relaytest@rr.njabl.org>
<<< 554 5.7.1 <relaytest@rr.njabl.org>: Relay access denied
Check all the output carefully. Make absolutely sure that you are not allowing any relay access.
Browser-Based Checking
There are many open relay testing applications on the Internet. Type open relay test in any browser to find out more information on open relays.
One result that comes up is this service:
http://www.abuse.net/relay.html
For this service, all you need to do is enter your mail domain in the "Address to test:“ field.
For our example, we entered mail.democloud.com.
At the time of writing, the service conducted 17 different tests and provided a summary of each test.
Our search provided a positive result:
All tests performed, no relays accepted.
Very comforting to know!
Summary
By default, Postfix does not run as an open relay. However, checking for one is very simple and helps to reduce your Cloud Server IP ending up on a spam blacklist.
As with most of our articles, there is plenty of additional technical material available about this topic that is not covered here, as there simply isn't the space.
However, as soon as you install and set up any mail server, checking for an open relay is one of the basic checks that should be performed. This ends the
section on setting up your server so that your applications are able to send email. For information on how to set up a more robust mail server, please go here.
© 2011-2013 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License
See license specifics and DISCLAIMER
2 Comments
I'm using msmtp/msmtp-mta to
When I run the above test on port 2500 I get "If you are excluded from testing, connect again on port 2501 to force the test."
When I run the test on port 2501 I get "Nobody home. Connection closed by foreign host."
Does this mean I can't be spammed or used as an open relay because I didn't set up my server to receive mail? I don't have a mail. domain, and my mx records point to google apps.
re: msmtp
The best way to harden it would be if you can control the IP address msmtp will bind to. If you can tell it to only listen to localhost (127.0.0.1) then it would guarantee that nothing from outside your server would be able to try and use the smtp service.
Add new comment