Hetzner - DokuWiki

Languages:

Deutsch • English

Inhaltsverzeichnis

1 Mailserver: What is an Open Relay?
2 How Can I Prevent my Mail Server from Open Relay??
- 2.1 Example for Postfix
3 Manual Relay Test per Telnet
4 Collection of Links
- 4.1 Relay Tests per Web Browser
- 4.2 Blacklist Check

Mailserver: What is an Open Relay?

Open relay describes a mail server which forwards emails even though neither the sender nor the recipient are hosted by it. Example: The mail server "mail.bigcompany.com" is to process emails for the domain "bigcompany.com".

What should be permitted:

Mails to e.g. "info@bigcompany.com"
Mails from e.g. "info@bigcompany.com"

but not:

Mails from "buyme@werbefritze-xyz.com" to "user@somewhere-else.com"
Mails with bogus sender addresses from the domain "bigcompany.com", which are sent via this server

These wrongly configured mail servers are usually found automatized within a few minutes of being online and are then used by spammers to send mass mailings.

Apart from the annoyance these advertising messages cause the recipient, extreme costs can be incurred for open relay operators as a result of the traffic generated. Furthermore, the open relay is quickly registered in so-called blacklists causing normal emails from the server to no longer be accepted by many recipients.

How Can I Prevent my Mail Server from Open Relay??

All mail server software does actually have control mechanisms which prevent the unauthorised dispatch of emails.

Basically:

Only allow email dispatch without authentication, if at all, from in-house IP addresses
Enforce authentication techniques such as SMTPAuth (if need be also POP-before-SMTP) for dispatching emails
Only permit the acceptance of emails without authentication for own domains

Example for Postfix

With these configuration entries, Postfix will only permit dispatch of mail by SMTPAuth checked clients.

#### Use SMTP AUTH 
smtpd_sasl_auth_enable = yes
pwcheck_method = saslauthd
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
# nur fuer Outlook Clients
broken_sasl_auth_clients = yes
#### END SMTP AUTH enable

Thanks to stephanw from the forum.

Manual Relay Test per Telnet

telnet mail.meinedomain.de 25

You should receive

220 cygnus.mail-abuse.org ESMTP Postfix

Now a "HELO domain.tld" and then MAIL FROM, RCPT TO, ...

e.g.:

--> HELO xyz.xx
<-- 250 cygnus.mail-abuse.org
--> MAIL FROM: xx@xyz.xx
<-- 250 Ok
--> RCPT TO:<xx@xyz.xx>(Enter a valid email address here.)
<-- 554 <xx@xyz.xx>: Relay access denied

Collection of Links

Relay Tests per Web Browser

http://www.mailradar.com/openrelay/

Uses various standard methods to test if the server is an open relay.

Blacklist Check

http://www.dnsstuff.com/ (dort: "Spam database lookup")

Here a great many DNS blacklists are queried which gives you a good idea of whether your own or another mail server is listed elsewhere.