How to Test If Your Mail Server Is an Open Relay
An open relay is a mail server that accepts and forwards email from any sender to any recipient, regardless of whether either party is local. In the early days of the internet, open relays were common and even helpful. Today, they are one of the most critical email security vulnerabilities. Spammers actively scan for open relays to send millions of unsolicited messages, and a single incident can get your server blocklisted across the internet.
Test your server now
Use our free Open Relay Test tool to check if your mail server accepts unauthorized relay attempts.
Step 1: Identify Your Mail Server
Before testing, determine which server to check. Look up your domain's MX records with the MX Lookup tool to find your mail server hostnames. If you manage multiple mail servers, test each one individually.
Step 2: Run an Open Relay Test
Enter your mail server hostname or IP in the Open Relay Test tool. It attempts to relay a message through your server from an external address to an external address. If the server accepts the message, it is an open relay.
You can also test manually via telnet:
telnet mail.example.com 25
HELO test.com
MAIL FROM:<test@external.com>
RCPT TO:<test@another-external.com>
DATA
Subject: Relay test

This is a relay test.
.
QUIT
If the server responds with 250 OK to the RCPT TO command for an external address, your server is relaying. A properly configured server returns 550 Relay denied or similar. If RCPT TO is rejected, the test is already answered: send QUIT instead of DATA.
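The manual session above can be scripted so it is repeatable across every MX host. The following Python sketch is an added example, not part of the original page or its tool; it reuses the page's placeholder addresses, and the function names (classify, check_relay, audit) are assumptions chosen for illustration. It stops after RCPT TO and never sends DATA, so no message is queued even if the server would relay.

```python
import smtplib
import sys

def classify(code):
    """Map an SMTP reply code to a relay verdict."""
    if 200 <= code < 300:
        return "open-relay"      # server agreed to forward external -> external
    if 400 <= code < 500:
        return "inconclusive"    # temporary failure (greylisting, rate limit): retest
    return "relay-denied"        # 5xx, e.g. 550 Relay denied

def check_relay(host, port=25, mail_from="test@external.com",
                rcpt_to="test@another-external.com", timeout=10):
    """Replay the manual session up to RCPT TO; return (verdict, code, text).

    DATA is never sent, so no message is queued even on an open relay.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.helo("test.com")
            code, text = smtp.mail(mail_from)
            if 200 <= code < 300:
                # Sender accepted; the relay decision is made at RCPT TO.
                code, text = smtp.rcpt(rcpt_to)
                smtp.rset()      # drop the transaction before QUIT
            # A sender refused at MAIL FROM is classified by that reply instead.
            return classify(code), code, text.decode("utf-8", "replace")
    except (smtplib.SMTPException, OSError) as exc:
        # Connection refused, timeout, or dropped session: nothing proven.
        return "inconclusive", None, str(exc)

def audit(hosts, **kwargs):
    """Check each mail server individually; return {host: (verdict, code, text)}."""
    return {host: check_relay(host, **kwargs) for host in hosts}

if __name__ == "__main__":
    # Usage: python relay_check.py mail.example.com [more MX hosts ...]
    results = audit(sys.argv[1:])
    for host, (verdict, code, text) in results.items():
        print(f"{host}: {verdict} ({code} {text})")
    # Non-zero exit lets a scheduled job alert when any host relays.
    sys.exit(1 if any(v[0] == "open-relay" for v in results.values()) else 0)
```

Run it from a network outside mynetworks, and use sender and recipient domains the server does not host, otherwise a 250 reply only shows normal local delivery.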
Step 3: Close the Relay
If the test reveals an open relay, fix it immediately. Configuration depends on your mail server software:
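# Postfix (/etc/postfix/main.cf)
mynetworks = 127.0.0.0/8 [::1]/128
# Continuation lines must begin with whitespace
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Exim (/etc/exim4/exim4.conf)
# Ensure relay_from_hosts only includes trusted IPs
# relay_from_hosts is a named host list, so it is defined with "hostlist".
# "<;" switches the list separator to ";" so the colons in ::1 are not read as separators.
hostlist relay_from_hosts = <; 127.0.0.1 ; ::1

Restart the mail server after making changes and retest with the Open Relay Test tool.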
Step 4: Check for Blocklist Damage
If your server was an open relay, it may already be on blocklists. Use the Blacklist Checker to scan for listings. If found, close the relay first, then submit delisting requests to each blocklist. Also check your Spam Score to assess overall reputation damage.
Step 5: Prevent Future Exposure
Add open relay testing to your regular security audit schedule. Test after every mail server update, configuration change, or migration. Also verify your SMTP Banner is hardened and does not expose software versions that could help attackers. Consider implementing SMTP authentication (SASL) for all outbound relay and restricting relay to specific trusted IP ranges.
Frequently Asked Questions
What is an open relay?
An open relay is a mail server that allows anyone on the internet to send email through it, even if the sender is not authenticated or authorized. Spammers exploit open relays to send bulk email while hiding their identity.
What happens if my server is an open relay?
If your server is an open relay, spammers will use it to send spam, phishing, and malware. Your IP will quickly end up on blocklists, legitimate email from your server will be rejected, and your domain reputation will be severely damaged.
How do I fix an open relay?
Configure your mail server to only relay mail for authenticated users or trusted internal networks. In Postfix, set mynetworks to only your trusted IPs and ensure smtpd_relay_restrictions requires authentication. Then retest to confirm the relay is closed.