Postfix - checking for an open relay

Open relays are a bad thing - they allow anyone to send email through your mail server, because the server never checks that the sender is authorised to relay mail for the addresses on that third-party email.

In plain English that means that anyone can send email via your Slice IP from any mail address. This tends to annoy people: your IP will end up on blocklists and your legitimate email will be blocked along with the spam.


Postfix

By default, postfix does not run as an open relay. However, this does not mean we should be lax in our security checks.

Luckily, testing whether you are running an open relay is very easy to do from the command line.

There are also online services that can conduct checks for us.

Command line

The first method we'll look at is testing from the command line. This does use a third party service to check for us (you can check manually by telnetting to your own server and attempting to relay to third party mail addresses, but that is a long and tedious method).

Anyway, log into your Slice and enter:

telnet rt.njabl.org 2500

After a few seconds, the service offered by njabl.org will start to test your mail server for running an open relay.

The results are quite lengthy so I won't post them all here. However, all being well, you will see output similar to this:

>>> MAIL FROM:<"relaytestsend@rt.njabl.org"@mail.demoslice.com>
<<< 250 2.1.0 Ok
>>> RCPT TO:<relaytest@rr.njabl.org>
<<< 554 5.7.1 <relaytest@rr.njabl.org>: Relay access denied
>>> RSET
<<< 250 2.0.0 Ok
>>> MAIL FROM:<relaytestsend>
<<< 250 2.1.0 Ok
>>> RCPT TO:<relaytest@rr.njabl.org>
<<< 554 5.7.1 <relaytest@rr.njabl.org>: Relay access denied

Check all the output carefully: each RCPT TO for a third party address should be refused with a 5xx reply like the "554 Relay access denied" above, and a 250 reply to such a recipient means your server is relaying. Do ensure you are not allowing any relay access.
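As an added example (not part of the original article), here is a small Python script that scans a saved copy of this kind of transcript and flags every RCPT TO that the server accepted, so a long test run does not have to be read line by line; the embedded transcript is constructed for illustration and includes one accepted relay attempt that a correctly configured server would have refused.

```python
"""Scan a saved relay-test transcript (the '>>> command' / '<<< reply'
format shown above) and flag every RCPT TO the server accepted."""
import re

# Constructed sample: the first attempt is refused (what you want), the
# second is accepted with 250, which is exactly what an open relay looks like.
SAMPLE_TRANSCRIPT = """\
>>> MAIL FROM:<"relaytestsend@rt.njabl.org"@mail.demoslice.com>
<<< 250 2.1.0 Ok
>>> RCPT TO:<relaytest@rr.njabl.org>
<<< 554 5.7.1 <relaytest@rr.njabl.org>: Relay access denied
>>> RSET
<<< 250 2.0.0 Ok
>>> MAIL FROM:<relaytestsend@example.invalid>
<<< 250 2.1.0 Ok
>>> RCPT TO:<relaytest@rr.njabl.org>
<<< 250 2.1.5 Ok
"""

CMD = re.compile(r"^>>> (\w+)(?: (.*))?$")      # client command line
REPLY = re.compile(r"^<<< (\d{3})(?:[ -].*)?$")  # server reply, 3-digit code


def parse_transcript(text):
    """Pair each client command with the reply code that follows it."""
    pairs, pending = [], None
    for line in text.splitlines():
        m = CMD.match(line)
        if m:
            pending = (m.group(1).upper(), m.group(2) or "")
            continue
        m = REPLY.match(line)
        if m and pending is not None:
            pairs.append((pending[0], pending[1], int(m.group(1))))
            pending = None
    return pairs


def find_accepted_relays(text):
    """Return (sender, recipient, code) for every RCPT TO answered 2xx:
    Postfix should refuse third-party recipients with 554 'Relay access
    denied', so a 2xx reply there means the server would relay the mail."""
    sender, accepted = "", []
    for cmd, arg, code in parse_transcript(text):
        if cmd == "MAIL" and code // 100 == 2:
            sender = arg.split(":", 1)[1]        # drop the 'FROM:' keyword
        elif cmd == "RCPT" and code // 100 == 2:
            accepted.append((sender, arg.split(":", 1)[1], code))
    return accepted
```

An empty list from find_accepted_relays() is the result you want; anything else names the sender/recipient pair your server agreed to relay.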

Browser

There are many dozens (hundreds?) of open relay testing services on the net.

To browse them and to find out more about open relays, simply enter 'open relay test' into Google.

Anyway, one such service is this one:

http://www.abuse.net/relay.html

All you need to do is enter your mail domain in the 'Address to test:' field.

In my case, I entered 'mail.demoslice.com'.

At the time of writing, the service conducts 17 different tests and gives a summary of each test.

Happily for me, my results were as follows:

All tests performed, no relays accepted.

Nice.

Summary

By default, postfix does not run as an open relay. However, checking for one is very simple and helps reduce the chance of your Slice IP ending up on a spam blacklist.

As with most articles, there is a lot of background information and technical aspects that are not covered here: there simply isn't the space.

However, the basic checks should be conducted as soon as you install and set up any mail server.

PickledOnion

Article Comments:

samotage commented Thu Aug 07 22:05:45 UTC 2008:

Thanks! I ran the test and my slice seems to pass. (whoot!) Keep up the sweet tipsters.

SAm.

sipskin commented Fri Aug 08 11:18:56 UTC 2008:

Once again, your tutorials/tips are amazing - you are a very knowledgeable person. Without your help, I would have an empty VPS sitting there doing nothing, but thanks to you, I have already secured SSH, set up a webserver, and hopefully, soon a mailserver.

A DNSBL Operator commented Wed Aug 20 03:10:17 UTC 2008:

Good post. I'd love to find these types of instructions for ALL mail server software!

BTW - As a DNSBL operator, even when the mail server isn't an open relay, I'm amazed at the number of times that an organization will allow outgoing port 25 traffic from any computer, and then have their clients' computers set up to be "seen" on the Net as coming from the same IP as their mail server's IP.

This is a ticking time bomb. The moment that a client machine gets infected with a botnet, the mail server's IP then gets blacklisted.

SOLUTION: Put the mail server on its own IP, block all outgoing port 25 traffic not from the mail server, require a user name and password for all smtp sessions attempting to send outside the mail server.

Glen commented Fri Sep 05 13:22:05 UTC 2008:

telnet rt.njabl.org 2500 did not start an automatic test. Fortunately abuse.net worked fine.

Shawn commented Mon Sep 15 16:33:59 UTC 2008:

I have followed all the email setup articles to the letter and all have gone great, but when trying this on my server I got the response:

"DBI connect('relaytest:db.njabl.org','relaytest',...) failed: Can't connect to MySQL server on 'db.njabl.org' (110) at /usr/local/sbin/rt2 line 417 re-testing 209.20.89.68 Nobody home. Connection closed by foreign host"

Which I'm sure seems like their site was down, so I tried the abuse site and I got:

"The host couldn't be reached for testing."

I pastebin'ed my main.cf file here (changing my domain name ofc) http://pastebin.com/f445b6d88

Any ideas on what it could be?

mick commented Tue Sep 16 20:44:33 UTC 2008:

Hi, I followed along with your ubuntu hardy tutorials (1 & 2) but now when I do a telnet rt.njabl.org 2500 I get: mickdelaney ~: telnet rt.njabl.org 2500 -bash: telnet: command not found

I did a sudo apt-get install telnetd, I'm a linux newbie.. any ideas? cheers..

Shawn commented Thu Sep 18 21:52:04 UTC 2008:

I figured out what my problem was, apparently I somehow forgot to open my port 25 in the iptables. Once I changed this all was running smoothly. Thanks pickled.

Ian commented Thu Oct 16 16:55:05 UTC 2008:

@mick: I realize this is a month late, but you want to install the telnet package (sudo apt-get install telnet), NOT telnetd. The telnetd package is the telnet daemon, and it's very unlikely you want that installed on your slice.

Mauricio commented Tue Dec 09 01:25:15 UTC 2008:

This is made by a pro. Congratulations, I never had the chance to configure everything and I'm on my way and it's very clear.

Daniel Hardman commented Wed Dec 31 07:32:14 UTC 2008:

Doesn't work for me:

user@mail:~$ telnet rt.njabl.org 2500 testing 173.45.xxx.xxx Nobody home. Connection closed by foreign host.

Same results from abuse.net.

I followed all previous tutorials and everything appears to work. I don't think I forgot to open my port:

ACCEPT tcp -- anywhere anywhere tcp dpt:smtp

I can send mail just fine, and the whole telnet article was smooth as silk.

The only thing that's unique to my config is that I have another mail server on my domain, and DNS isn't managed by slicehost. I created my DNS records on slicehost to satisfy internal lookups, and dup'ed them at dyndns.org.

Any ideas?

Daniel Hardman commented Wed Dec 31 07:52:23 UTC 2008:

Okay, I figured out my problem. Although I did have a line in my firewall rules that allowed incoming smtp requests, it appeared in the wrong order, and was being ignored. Once I rewrote my rules, all was well.

Thanks for the great step-by-step instructions.

S DeBaun commented Fri May 15 08:06:28 UTC 2009:

Receiving the same error as Daniel Hardman above. What's this about the wrong order in the "firewall rules"? Anyone?

Brian Armstrong commented Mon May 18 21:08:57 UTC 2009:

Got same message as Daniel Hardman. I'm hoping/assuming this means nobody can connect to an smtp server remotely and email can only be sent locally from the slice?

Thanks! Brian

Matt LaChance commented Tue Sep 01 21:52:47 UTC 2009:

Does anyone know anything about setting up an SMTP server that can be used remotely (i.e. from thunderbird)? There must be a way to do this securely.

Phil commented Fri May 14 12:24:34 UTC 2010:

Great! It works!!!
