Open relays are a bad thing - they allow anyone to send email from your mail server: it doesn't check that it is authorised to send mail from the mail address on the third party email.
In plain English that means that anyone can send email via your Slice IP from any mail address. This tends to annoy people and your IP will end up on blocklists and your legitimate email will be banned.
By default, postfix does not run as an open relay. However, this does not mean we should be lax in our security checks.
Luckily, testing for running an open relay is very easy to do from the command line.
There are also online services that can conduct checks for us.
The first method we'll look at the is testing from the command line. This does use a third party service to check for us (you can check using telnet and attempting third party mail addresses, but that is a long and tedious method).
Anyway, log into your Slice and enter:
telnet rt.njabl.org 2500
After a few seconds, the service offered by njabl.org will start to test your mail server for running an open relay.
The results are quite lengthy so I won't post it all here. However, all being well, you will see output similar to this:
>>> MAIL FROM:<"firstname.lastname@example.org"@mail.demoslice.com> <<< 250 2.1.0 Ok >>> RCPT TO:<email@example.com> <<< 554 5.7.1 <firstname.lastname@example.org>: Relay access denied >>> RSET <<< 250 2.0.0 Ok >>> MAIL FROM:<relaytestsend> <<< 250 2.1.0 Ok >>> RCPT TO:<email@example.com> <<< 554 5.7.1 <firstname.lastname@example.org>: Relay access denied
Check all the output carefully. Do ensure you are not allowing any relay access.
There are many dozens (hundreds?) of open relay testing on the net.
To browse them and to find out more about open relays simply enter 'open relay test' into google.
Anyway, one such service is this one:
All you need to do is enter your mail domain in the "Address to test:' field.
In my case, I entered 'mail.demoslice.com'.
At the time of writing, the service conducts 17 different tests and gives a summary of each test.
Happily for me my results were as follows:
All tests performed, no relays accepted.
By default, postfix does not run as an open relay. However, checking for one is very simple and help reduce your Slice IP ending up on a spam blacklist.
As with most articles, there is a lot of background information and technical aspects that are not covered here: there simply isn't the space.
However, the basic checks should be conducted as soon as you install and setup any mail server.