How to prevent custom servers from becoming open relays?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
An open relay is a mail server that accepts and forwards email from anyone to anywhere, with no authentication required. If your server is misconfigured as an open relay, spammers will find it. Often within hours of it going online. They run automated scanners constantly looking for exactly this. Once they find you, your IP's reputation is gone and you're likely to end up on blocklists.
So The fix is simple in principle: require authentication before allowing relay. Your server should only accept mail from authenticated users or explicitly authorized IP addresses. In Postfix, the relevant configuration is smtpd_relay_restrictions and smtpd_recipient_restrictions. Permit relay only after authentication passes or from trusted internal IPs. Reject everything else.
SMTP AUTH (SASL) is the standard mechanism for requiring credentials before allowing relay. Configure your server to require it on port 587 (submission) and never allow unauthenticated relay on port 25 from external hosts. Port 25 should only accept inbound mail destined for your own domains.
And once you've configured the restrictions, test them. Send mail through your server without authenticating from an external IP. The attempt should fail with a 550 rejection. Then send authenticated mail and verify it goes through. Tools like telnet or swaks let you simulate the SMTP conversation directly and confirm your server behaves correctly.
Also check your IP reputation after launch. If your server was briefly open and got abused before you locked it down, you may need to request removal from blocklists. Our free Blocklist Checker will tell you if your IP has already been listed.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.