# Beware Open Relays!

An open mail relay allows any Internet user to send or receive messages using that server to hide the sender. Sometimes it can be used to provide privacy and bypass censorship, but often times it is unintentional. Your server could be abused to send spam because of a misconfiguration of your server.

Chances are, if you're reading this, it's because your mail server has been banned for being an open mail relay.

## Why prevent open relays?

# It could be used to send malware (viruses, trojans, or worms)

# It can be used to send spam

# Your IP will get blacklisted and put on a [DNS blacklist](/openbsd/dnsbl)

## Sample Config

Here is a sample **misconfiguration** (do **NOT** use these configs):

    match from any for any relay


If you're using [dkimproxy](/openbsd/dkimproxy):

    match from any for any action "relay_dkim"


Don't use either of the above configurations, or your mail server will be used by spammers and crackers to flood the internet with trash mail.

## Testing for Open Mail Relays

Here's how we test if a mail server is an open relay using [netcat](/netcat/SMTP):

    $ nc example.com 25 
    220 example.com ESMTP OpenSMTPD
    HELO fakedomain.com
    250 example.com Hello fakedomain.com [38.81.163.143], pleased to meet you
    MAIL FROM: <criminal@fakedomain.com>
    250 2.0.0 Ok
    RCPT TO: <victim@otherplace.com>
    550 Invalid recipient: <victim@otherplace.com>


In this example, you are pretending to send email from criminal@fakedomain.com to

victim@otherplace.com using example.com as a relay.

You should get `Invalid recipient` or some similar rejection message.

If you do not, example.com is likely running an open mail relay.

Here's how it appears when the mail server is improperly configured:

    $ nc example.com 25 
    220 example.com ESMTP OpenSMTPD
    HELO fakedomain.com
    250 example.com Hello fakedomain.com [38.81.163.143], pleased to meet you
    MAIL FROM: <criminal@fakedomain.com>
    250 2.0.0 Ok
    RCPT TO: <victim@otherplace.com>
    250 2.1.5 Destination address valid: Recipient ok


Notice this time it says `Recipient ok` even though it comes from a spoofed sender to an external domain. This will allow anyone to use **your** server to spam another mail server with forged addresses. If you don't fix this, you will get blacklisted for spam!

## How to Fix

You will want to check your [smtpd.conf](/openbsd/opensmtpd) ruleset to make sure you **never** allow any domain to send to any domain. You should only allow local hosts to send to external domains, and for any host to send to your domains.

## See Also

## Open Mail Relay