
Open relay: what it is and why it gets servers blacklisted

An open relay is a mail server that accepts and forwards messages from any sender to any recipient, no authentication required. The server never checks whether the connecting client is allowed to use it.

Historical background

In the early internet (the 1980s and early 1990s), this was normal. Mail servers relayed for each other freely. SMTP (RFC 821, 1982) had no mandatory authorization built in.

That changed when spammers started exploiting third-party servers at scale. By the late 1990s, open relay was a known vulnerability. DNS-based blacklists (DNSBLs) appeared, and servers with open relay configurations got listed automatically. Today an open relay is a misconfiguration that gets a server blocked within hours.

How open relay works

A properly configured mail server accepts a message in exactly two situations:

  1. The message is addressed to a local user (delivery to its own domain).
  2. The sender authenticated with SMTP AUTH — in that case the server acts as a relay for authorized clients.

An open relay ignores both conditions. Anyone can connect, set a fake sender address, and blast millions of messages. All the bounces and abuse complaints hit the open server's IP, not the spammer's.

Consequences for the server owner

  • Blacklisting. Spamhaus, Barracuda, SpamCop and similar DNSBL services add the IP within hours. After that, legitimate mail from that IP gets rejected by receiving servers.
  • Server overload. The mail queue bloats, CPU and disk max out, and real mail stops going through.
  • Legal liability. Some jurisdictions hold the server owner liable for spam relayed through their system, even without their knowledge.
  • Hosting suspension. The hosting provider may kill the account outright when spam activity is detected.

How to check if a server is an open relay

Testing is straightforward. Connect to the server on port 25, send EHLO, then try RCPT TO for an external address without authenticating first:

EHLO test.example.com
MAIL FROM:<test@test.example.com>
RCPT TO:<someone@gmail.com>

If the server returns 250 OK for the external address without any prior authentication, it is an open relay. A correctly configured server returns 550 Relay access denied or 554 Relay denied.

Online tools like MXToolbox and mail-tester.com run the same check automatically. Test immediately after setup, and again after any significant configuration update.
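The manual test above, scripted for a server you administer (an added example, not uChecker's code). It uses Python's smtplib; the function names and the example.net recipient are assumptions made here, and the transaction is reset before DATA so no message is ever queued.

```python
import smtplib


def classify_rcpt(code):
    """Map the RCPT TO reply code for an external address to a verdict."""
    if 200 <= code < 300:
        return "open-relay"      # external recipient accepted without AUTH
    if 500 <= code < 600:
        return "relay-denied"    # e.g. 550 / 554, the expected result
    return "inconclusive"        # 4xx: greylisting, rate limit, try again


def probe_relay(conn, mail_from, rcpt_to):
    """Run EHLO / MAIL FROM / RCPT TO on an smtplib.SMTP-compatible object.

    No AUTH and no DATA are sent. Returns (verdict, code, reply_text).
    """
    conn.ehlo("test.example.com")
    code, reply = conn.mail(mail_from)
    if not 200 <= code < 300:
        # Sender refused before the relay decision was reached.
        return ("inconclusive", code, reply.decode(errors="replace"))
    code, reply = conn.rcpt(rcpt_to)
    conn.rset()  # abandon the transaction before any DATA
    return (classify_rcpt(code), code, reply.decode(errors="replace"))


def check_host(host, port=25, timeout=10):
    """Probe your own server; both addresses are constructed placeholders."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        return probe_relay(conn, "test@test.example.com", "someone@example.net")


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        print(check_host(sys.argv[1]))
    else:
        print("usage: relaycheck.py <your-mail-server>")
```

Run it from a host outside the server's mynetworks; a probe from a trusted network is permitted to relay and will report a false "open-relay".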

How to close an open relay

In Postfix, relay control is in the smtpd_relay_restrictions parameter. The correct configuration:

smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

Local networks and authenticated users get through. Everything else attempting to relay to external addresses is rejected.

Open relay and email validation

When an email validator performs SMTP verification, it connects to the recipient's server and checks whether it accepts mail for a specific mailbox. If that server is an open relay, it returns 250 OK for every address, including ones that do not exist. The result is a false positive: the address looks valid when it may not be.

Any validator worth using detects this pattern and marks the domain as unreliable for SMTP verification rather than trusting the 250.

uChecker watches how the mail server behaves during address checks. When an MTA accepts everything without discrimination, that gets factored into the result. You get a score that reflects what the server actually does, not just a raw 250 OK from an unreliable server.
