What Is an Open Relay?
An open relay is an SMTP mail server that allows anyone on the internet to send email through it without authentication, including messages that are neither from nor to a local user. Open relays are a critical security misconfiguration exploited by spammers.
How Open Relays Work
A properly configured mail server only accepts email in two scenarios: incoming mail addressed to its own domains, or outgoing mail from authenticated users. An open relay, however, accepts email from any sender to any recipient and forwards it onward. This means anyone can connect to port 25 and instruct the server to deliver email to any address in the world, effectively using your infrastructure as a free, anonymous email launcher.
Spammers actively scan the internet for open relays. Once they find one, they route massive volumes of spam and phishing email through it. The spam appears to come from the relay server's IP address, making it nearly impossible to trace back to the actual sender.
Security Risks
Running an open relay exposes you to severe consequences. Your server's IP address will be added to DNS-based blocklists (like Spamhaus and Barracuda) within hours, causing all legitimate email from your server to be rejected. You may face massive bandwidth consumption, legal liability for facilitating spam, and potential service termination from your hosting provider.
Beyond spam, open relays can be used to send phishing emails that impersonate your organization, distribute malware, and launch social engineering attacks. The reputational damage extends beyond just email deliverability. Proper SPF, DKIM, and DMARC configuration complement relay restrictions but cannot replace them.
How to Test for Open Relay
Testing for open relay involves connecting to your SMTP server from an external network (a host that is not covered by any internal-network or trusted-client allowlist, so the test reflects what an arbitrary internet client sees) and attempting to send mail from an external sender to an external address. The server should reject the relay attempt at the RCPT TO stage. Automated tools run multiple test variations, including different envelope sender formats, recipient formats, and SMTP command sequences, to ensure the server is not vulnerable under any condition.
Frequently Asked Questions
How do I check if my server is an open relay?
Use an open relay testing tool that connects to your SMTP server on port 25 and attempts to relay mail through it. The tool runs multiple test scenarios with different sender and recipient combinations. If the server accepts any relay attempt, it is misconfigured.
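The following is an added example illustrating the relay check described in the "How to Test for Open Relay" section and in the answer above; it is not code from the original page or from any particular testing tool. It implements a small relay checker on top of Python's standard smtplib and, so that it runs offline, a constructed mock SMTP server that can be started either as an open relay or with proper relay restrictions. The domain names (example.test, sender.test, elsewhere.test) and the mock's banner are assumptions. Against a real server you would point run_relay_tests at that host's port 25 from an external network, as the text describes, instead of at the mock.

```python
"""Added example: exercise the open-relay checks against a constructed mock
SMTP server (not a real MTA) so the logic can be run offline."""
import smtplib
import socketserver
import threading

LOCAL_DOMAINS = {"example.test"}  # assumed: the domains the server hosts


def extract_addr(cmd: str) -> str:
    """Pull the address out of 'MAIL FROM:<a@b>' or 'RCPT TO:<a@b>'."""
    start, end = cmd.find("<"), cmd.rfind(">")
    return cmd[start + 1:end] if 0 <= start < end else ""


def is_local_recipient(addr: str) -> bool:
    """Local delivery only if the domain is ours AND the local part carries no
    legacy routing characters ('%' or '!') that old MTAs used to forward onward."""
    local_part, sep, domain = addr.rpartition("@")
    if not sep or domain.lower() not in LOCAL_DOMAINS:
        return False
    return not any(ch in local_part for ch in "%!")


class MockSMTPHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder. Relay decisions depend on the recipient and the
    server's open_relay flag only; the claimed sender is deliberately ignored,
    because a spoofed local sender must never grant relay rights."""

    def handle(self):
        self.wfile.write(b"220 mock.example.test ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.decode(errors="replace").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self.wfile.write(b"250 mock.example.test\r\n")
            elif verb == "MAIL":
                self.wfile.write(b"250 2.1.0 Ok\r\n")
            elif verb == "RCPT":
                if self.server.open_relay or is_local_recipient(extract_addr(cmd)):
                    self.wfile.write(b"250 2.1.5 Ok\r\n")
                else:
                    self.wfile.write(b"554 5.7.1 Relay access denied\r\n")
            elif verb == "RSET":
                self.wfile.write(b"250 2.0.0 Ok\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 5.5.2 Command not implemented\r\n")


def start_mock_server(open_relay: bool):
    """Start the mock on an ephemeral loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), MockSMTPHandler)
    server.daemon_threads = True
    server.open_relay = open_relay
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


# (name, envelope sender, envelope recipient, is this a relay attempt?)
RELAY_CASES = [
    ("external sender to external recipient", "probe@sender.test", "victim@elsewhere.test", True),
    ("null sender to external recipient", "", "victim@elsewhere.test", True),
    ("spoofed local sender to external recipient", "admin@example.test", "victim@elsewhere.test", True),
    ("percent-routed recipient via local domain", "probe@sender.test", "victim%elsewhere.test@example.test", True),
    ("control: genuinely local recipient", "probe@sender.test", "postmaster@example.test", False),
]


def run_relay_tests(host: str, port: int) -> list:
    """Issue each MAIL FROM / RCPT TO pair and record whether RCPT was accepted.
    Nothing is ever sent past RCPT TO, so no message is actually delivered."""
    results = []
    with smtplib.SMTP(host, port, local_hostname="relay-check.test", timeout=5) as smtp:
        smtp.ehlo()
        for name, sender, recipient, is_relay in RELAY_CASES:
            smtp.mail(sender)
            code, _ = smtp.rcpt(recipient)
            smtp.rset()  # clear the envelope before the next variation
            results.append({"case": name, "code": code, "accepted": code == 250, "relay": is_relay})
    return results


def is_open_relay(results: list) -> bool:
    """Any accepted relay attempt means the server is misconfigured."""
    return any(r["relay"] and r["accepted"] for r in results)


if __name__ == "__main__":
    for label, flag in (("misconfigured (open relay)", True), ("properly restricted", False)):
        server, port = start_mock_server(flag)
        results = run_relay_tests("127.0.0.1", port)
        print(f"{label}: open relay = {is_open_relay(results)}")
        for r in results:
            print(f"  {r['code']}  {'ACCEPTED' if r['accepted'] else 'rejected'}  {r['case']}")
        server.shutdown()
        server.server_close()
```

The control case is there on purpose: a server that rejects everything, including mail to its own domain, is not "secure", it is broken, so a useful checker confirms that local delivery still works while every relay variation is refused. The percent-routed case shows why a naive "domain ends with ours" check is not enough; the mock's is_local_recipient treats legacy routing syntax in the local part as a relay attempt.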
What happens if my mail server is an open relay?
Spammers will discover and exploit it, often within hours. Your IP will be blocklisted, your legitimate email will bounce, and you may face bandwidth overages, legal liability, and hosting termination.
Were open relays always considered bad?
No. In the early internet, open relays were standard and even necessary for routing email between disconnected networks. As spam became a major problem in the late 1990s, open relaying was recognized as a security risk. Today it is universally considered a misconfiguration.