Avoid Open Relays

An open mail relay allows unauthenticated, untrusted Internet users to send mail. Open mail relays can be exploited by spammers to hide the origin of their mail. If a spammer uses a mail server as an open relay, that mail server will get blacklisted by all major mail providers. For this reason, it is important to avoid a misconfiguration that will result in an unintentional open mail relay.

Dangers of open relays

  1. An open relay can be used to send malware (viruses, trojans, or worms)
  2. An open relay can be used to send spam
  3. The IP address and domain of the relay may get blacklisted and put on a DNS blacklist

Sample Config

Below is a sample misconfigured action and match rule pair for smtpd.conf(5) (do NOT use this configuration):

action "outbound" relay src <hosts>
match from any for any action "outbound"

WARNING: Do NOT use the above configuration. It will be exploited by spammers to flood the Internet with junk mail, and the mail server will get blacklisted.

This rule will cause all email to get relayed to any external mail server without any authentication of the sender. This is a dangerous misconfiguration!

Testing for Open Mail Relays

netcat can be used to test if a mail server is an open relay:

$ nc example.com 25 
220 example.com ESMTP OpenSMTPD
HELO junkmail.example
250 example.com Hello junkmail.example [198.51.100.2], pleased to meet you
MAIL FROM: <spammer@junkmail.example>
250 2.0.0 Ok
RCPT TO: <victim@otherplace.com>
550 Invalid recipient: <victim@otherplace.com>

This example attempts to send email from spammer@junkmail.example to victim@otherplace.com using example.com as an open relay. Notice the 550 Invalid recipient error message: the mail server correctly rejects the mail because the sender is not trusted and the recipient is destined for an external host.

If the mail server example.com does not return Invalid recipient or a similar rejection message, it is likely running an open mail relay. For example:

$ nc example.com 25 
220 example.com ESMTP OpenSMTPD
HELO junkmail.example
250 example.com Hello junkmail.example [198.51.100.2], pleased to meet you
MAIL FROM: <spammer@junkmail.example>
250 2.0.0 Ok
RCPT TO: <victim@otherplace.com>
250 2.1.5 Destination address valid: Recipient ok

Notice that this time example.com replies with Recipient ok -- even though the mail comes from a spoofed sender and is addressed to an external host. In other words, the mail server example.com will allow anyone to use this server to spam others with forged addresses! This must be fixed immediately to avoid getting blacklisted.

How to Fix

Check the smtpd.conf(5) ruleset to ensure that unauthenticated, untrusted users are never allowed to relay mail to external hosts. Only authenticated or trusted senders should be allowed to relay mail to external hosts.
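
One way to run this check over a ruleset, as an added example that is not part of the original page or of OpenSMTPD: a small Python linter that flags any match rule combining "from any" and "for any" on a relay action without an "auth" option. The function name, the HARDENED sample rules and the one-rule-per-line assumption (no backslash continuations) are this example's own; it only looks for this one pattern and does not replace reading the ruleset.

```python
import re
import shlex

# Un-negated "from any", "for any" and "auth" / "from auth" in a rule's options.
FROM_ANY = re.compile(r"(?<!! )\bfrom any\b")
FOR_ANY = re.compile(r"(?<!! )\bfor any\b")
AUTH = re.compile(r"(?<!! )(?<!! from )\bauth\b")

def find_open_relay_rules(conf_text):
    """Return [(line_number, rule_text)] for match rules that relay for anyone."""
    relay_actions, match_rules = set(), []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)  # drops "# ..." and the quotes
        if len(tokens) >= 3 and tokens[0] == "action" and tokens[2] == "relay":
            relay_actions.add(tokens[1])
        elif len(tokens) >= 3 and tokens[0] == "match" and "action" in tokens[:-1]:
            split = tokens.index("action")
            options = " ".join(tokens[1:split])  # everything between match and action
            match_rules.append((lineno, raw.strip(), options, tokens[split + 1]))
    findings = []
    for lineno, text, options, action in match_rules:
        # Open relay: any source, any destination, relay action, no authentication.
        if (action in relay_actions and FROM_ANY.search(options)
                and FOR_ANY.search(options) and not AUTH.search(options)):
            findings.append((lineno, text))
    return findings

# The misconfigured pair shown earlier on this page.
MISCONFIGURED = '''\
action "outbound" relay src <hosts>
match from any for any action "outbound"
'''

# Constructed for this example: relay only for authenticated or local senders.
HARDENED = '''\
action "outbound" relay
match from any auth for any action "outbound"
match from local for any action "outbound"
'''

if __name__ == "__main__":
    for name, conf in (("misconfigured", MISCONFIGURED), ("hardened", HARDENED)):
        hits = find_open_relay_rules(conf)
        print(name, "->", hits if hits else "no open relay rule found")
```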