I'm trying to work out if I have an open relay on my server. How do I do that?

I've tried http://www.abuse.net/relay.html

and it reports:

Hmmn, at first glance, host appeared to accept a message for relay. THIS MAY OR MAY NOT MEAN THAT IT'S AN OPEN RELAY. Some systems appear to accept relay mail, but then reject messages internally rather than delivering them, but you cannot tell at this point whether the message will be relayed or not.

What further tests can I do to determine if the server has an open relay?

+1  A: 

You could try setting up an email client to send email through your server, from an email address that isn't hosted on the same server. If you can successfully send mail, from an email address at a different domain, without entering a login and password for your SMTP server, then it's probably an open relay.

Kibbee
+3  A: 

Eh? As your link tells you, register for the site and it will give you an address @abuse.net, valid for 24 hours. Enter that address into the testing form. If your abuse.net account receives the test email, you have an open relay.

A: 

This depends on your MTA and how you've configured it. Ultimately there is only one thing you must do to prevent relaying. Restrict relaying to authenticated users and/or restrict relaying to specific IPs. I prefer to restrict all IPs except localhost on my mail server and require authentication from everyone else.

The common mistake is to allow more IPs than necessary. Imagine a user on a cable modem who decides to allow the roommate's laptop to relay with the statement 192.168.1.0/24 rather than the more specific 192.168.1.0/29. Now anyone else on the /24 can relay off the server.
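
The over-broad allow range from the last answer, worked through as an added example that is not part of the original answers: it compares each CIDR block permitted to relay with the hosts that are actually meant to relay, and reports how many unintended addresses each block admits. The function names, the report fields and the sample addresses are hypothetical; it assumes all addresses are in one IP family.

```python
import ipaddress

def tightest_network(hosts):
    """Smallest single CIDR block that contains every address in hosts."""
    addrs = [ipaddress.ip_address(h) for h in hosts]
    if len({a.version for a in addrs}) != 1:
        raise ValueError("hosts must be non-empty and all IPv4 or all IPv6")
    net = ipaddress.ip_network(str(addrs[0]))  # single-host block to start
    while not all(a in net for a in addrs):
        net = net.supernet()  # widen by one prefix bit
    return net

def audit_relay_networks(allowed, intended_hosts):
    """Compare each allowed relay range with the hosts that should relay."""
    intended = [ipaddress.ip_address(h) for h in intended_hosts]
    report = []
    for entry in allowed:
        net = ipaddress.ip_network(entry, strict=False)
        covered = [str(a) for a in intended if a in net]
        tight = tightest_network(covered) if covered else None
        report.append({
            "entry": str(net),
            "addresses": net.num_addresses,
            "covered": covered,
            # Addresses that may relay although nobody meant them to.
            "unintended": net.num_addresses - len(covered),
            # Narrowest block that still covers the intended hosts.
            "suggest": str(tight) if tight else None,
        })
    return report

# Constructed sample: localhost plus two LAN hosts are meant to relay;
# the /24 and /29 entries are the two alternatives from the answer above.
SAMPLE_ALLOWED = ["127.0.0.1/32", "192.168.1.0/24", "192.168.1.0/29"]
SAMPLE_INTENDED = ["127.0.0.1", "192.168.1.2", "192.168.1.3"]

if __name__ == "__main__":
    for row in audit_relay_networks(SAMPLE_ALLOWED, SAMPLE_INTENDED):
        print(row)
```

An entry whose `covered` list is empty admits relaying for addresses nobody listed as intended and is a candidate for removal.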