SECURITY GUIDE

Open Relay Test: Protect Your SMTP Server from Spam

How to check if your mail server is an open relay, why it's dangerous and how to fix it permanently.

Open relay: the spammers' open door

An SMTP server is an open relay when it accepts and forwards email from any sender to any recipient without requiring authentication. In the '90s this was the standard configuration — servers trusted each other. Today it is a critical vulnerability: spammers scan the Internet looking for open relays to send millions of spam emails using other people's servers. The result for the server owner is devastating: the IP ends up on blacklists within hours, legitimate emails are rejected, the server is overloaded by outgoing spam, and there can be legal consequences.

Our Open Relay Test simulates sending an email through the server without authentication, to an external domain. If the server accepts the message and attempts delivery, it is an open relay. If it rejects with an error like "Relay access denied" (5xx code), the server is correctly configured. This test is non-destructive — the test email is not actually delivered, but the server's behavior during the attempt reveals whether it is vulnerable.

How to test and diagnose

Manual open relay test via telnet
$ telnet mail.esempio.com 25
220 mail.esempio.com ESMTP
EHLO test
250 OK
MAIL FROM:<spammer@esterno.com>
250 OK
RCPT TO:<vittima@altrodominio.com>

# If it responds 250 OK → OPEN RELAY (vulnerable!)
# If it responds 550/553 → CLOSED (correct!)

The Open Relay Test automates this procedure by testing different variants: direct relay, relay with partial authentication, relay via non-standard SMTP parameters. After the test, if the server is secure, also check other aspects with SMTP Diagnostics for a complete picture of SMTP server health: TLS, banner, capabilities and response times.
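The same unauthenticated probe as the telnet session above, as an added Python example that is not the Open Relay Test tool's own code: it runs EHLO, MAIL FROM and RCPT TO against a server you administer and classifies the RCPT TO reply, never sending DATA. The host, sender and recipient addresses are placeholders; the recipient must be at a domain the server does not host, and the 4xx/5xx handling generalises the 550/553 case shown above.

```python
import smtplib

# Verdict strings returned by classify_rcpt_code() and check_open_relay().
OPEN_RELAY = "OPEN RELAY (vulnerable)"
CLOSED = "CLOSED (relay refused)"
INCONCLUSIVE = "INCONCLUSIVE"


def classify_rcpt_code(code: int) -> str:
    """Turn the reply code to RCPT TO for an external recipient into a verdict.

    250/251 means the server accepted the recipient and would relay the message;
    5xx (typically 550/553/554 "Relay access denied") means relaying is refused;
    4xx is a temporary failure (greylisting, rate limit) and proves nothing.
    """
    if code in (250, 251):
        return OPEN_RELAY
    if 500 <= code <= 599:
        return CLOSED
    return INCONCLUSIVE


def check_open_relay(host: str, port: int = 25,
                     sender: str = "relaytest@example.com",     # placeholder sender
                     recipient: str = "relaytest@example.net",  # placeholder external domain
                     timeout: float = 10.0) -> dict:
    """Run the manual procedure from the guide without authentication: EHLO,
    MAIL FROM, RCPT TO an address outside the server's own domains, then RSET
    and QUIT. DATA is never sent, so no message is delivered."""
    result = {"host": host, "port": port, "verdict": INCONCLUSIVE}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            result["ehlo"], _ = smtp.ehlo("relaytest")
            result["mail_from"], _ = smtp.mail(sender)
            if result["mail_from"] != 250:
                # Sender refused: relay behaviour cannot be observed this way.
                result["error"] = "MAIL FROM rejected"
                return result
            result["rcpt_to"], reply = smtp.rcpt(recipient)
            result["rcpt_reply"] = reply.decode(errors="replace")
            result["verdict"] = classify_rcpt_code(result["rcpt_to"])
            smtp.rset()  # abandon the transaction; QUIT is sent on leaving the block
    except OSError as exc:  # socket errors and smtplib.SMTPException subclasses
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    import sys
    print(check_open_relay(sys.argv[1]))  # usage: python relaytest.py mail.esempio.com
```

A verdict of INCONCLUSIVE (connection error, 4xx, or a rejected MAIL FROM) means the test must be repeated, not that the server is safe.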

Fixing an open relay

The fix depends on the mail server software. On Postfix (the most common on Linux), the key configuration is smtpd_relay_restrictions in main.cf: it must include permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination. On Exchange, check the Receive Connector and relay settings. On Sendmail, verify the access.db file. After fixing, always re-run the test to confirm the relay is effectively closed.

If your server was an open relay and the IP is already blacklisted, the fix is only the first step. Check blacklists with Blacklist Check and proceed with delisting. Monitor server logs for the next 24-48 hours to ensure there are no further abuse attempts. Also publish SPF (verify it with SPF Lookup) and DMARC records to protect your domain from spoofing, regardless of relay configuration.

Prevention is fundamental: after every mail server software update, after every configuration change, and after migration to a new server, run the open relay test. Some updates can reset the configuration to defaults, and some defaults are not secure. A periodic automated test (weekly or monthly) ensures the server stays protected over time.
