Beware Mail Open Proxies!
An open proxy allows any Internet user to send or receive messages through that server, hiding the real sender. Sometimes this is done deliberately to provide privacy for users and bypass censorship, but oftentimes it is unintentional: a misconfigured server can be abused to send spam.
An open proxy for mail is referred to as an open mail relay. Chances are, if you're reading this, it's because your mail server has been banned for being an open mail relay.
Why stop open proxies?
- It can be used to send malware (viruses, trojans, or worms)
- It can be used to send spam
- Your IP will get blacklisted and put on a DNS blacklist
Sample Config
Here is a sample misconfiguration (do NOT use these configs):
match from any for any relay
If you're using dkimproxy:
match from any for any action "relay_dkim"
Don't use either of the above configurations, or your mail server will be used by spammers and crackers to flood the internet with trash mail.
Testing for Open Mail Relays
Here's how we test sending a letter using netcat:
    $ nc ircnow.org 25
    220 ircnow.org ESMTP OpenSMTPD
Next, we type HELO followed by our sending domain:
    HELO example.com
    250 ircnow.org Hello example.com [38.81.163.143], pleased to meet you
Afterwards, we type our sending mail address:
    MAIL FROM: <test@example.com>
    250 2.0.0 Ok
And the destination mail address:
    RCPT TO: <jrmu@ircnow.org>
    250 2.1.5 Destination address valid: Recipient ok
Then we type DATA followed by our email:
    DATA
    354 Enter mail, end with "." on a line by itself
    Subject: Alpha Bravo Charlie Delta Echo Foxtrot Golf Hotel
We then type . to end the email, then QUIT:
    .
    250 2.0.0 e57f9a36 Message accepted for delivery
    QUIT
    221 2.0.0 Bye
Here's the complete process:
    $ nc ircnow.org 25
    220 ircnow.org ESMTP OpenSMTPD
    HELO example.com
    250 ircnow.org Hello example.com [38.81.163.143], pleased to meet you
    MAIL FROM: <test@example.com>
    250 2.0.0 Ok
    RCPT TO: <jrmu@ircnow.org>
    250 2.1.5 Destination address valid: Recipient ok
    DATA
    354 Enter mail, end with "." on a line by itself
    Subject: Alpha Bravo Charlie Delta Echo Foxtrot Golf Hotel
    .
    250 2.0.0 e57f9a36 Message accepted for delivery
    QUIT
    221 2.0.0 Bye
Open Mail Relay
Here's how a properly configured mail server (not an open relay) responds when you send from a spoofed domain to another external domain:
    $ nc ircnow.org 25
    220 ircnow.org ESMTP OpenSMTPD
    HELO example.com
    250 ircnow.org Hello example.com [38.81.163.143], pleased to meet you
    MAIL FROM: <test@example.com>
    250 2.0.0 Ok
    RCPT TO: <ircnownetwork@gmail.com>
    550 Invalid recipient: <ircnownetwork@gmail.com>
You should get "Invalid recipient" or some similar rejection message.
Here's how it appears when the mail server is improperly configured:
    $ nc bangcat.coconut.ircnow.org 25
    220 bangcat.coconut.ircnow.org ESMTP OpenSMTPD
    HELO example.com
    250 bangcat.coconut.ircnow.org Hello example.com [38.81.163.143], pleased to meet you
    MAIL FROM: <test@example.com>
    250 2.0.0 Ok
    RCPT TO: <test@gmail.com>
    250 2.1.5 Destination address valid: Recipient ok
Notice this time it says "Recipient ok" even though it comes from a spoofed sender to an external domain. This will allow anyone to use your server to spam external domains with forged addresses. If you don't fix this, you will get blacklisted for spam!
How to Fix
Check your smtpd.conf ruleset to make sure you never allow any domain to send to any domain. You should only allow local hosts to send to external domains, and allow any host to send to your own domains.
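
One way to audit a ruleset for this mistake, as an added example (not part of the original page and not OpenSMTPD's own tooling): a small Python check that flags smtpd.conf match rules which accept mail from any source for any destination through a relay action without requiring auth. The function names and the sample configuration, including the example.com domain and the relay_dkim action definition, are constructed for illustration.

```python
import shlex

# Constructed sample smtpd.conf (not from a real server): safe rules plus the
# two open-relay rules the page warns about. example.com is a placeholder.
SAMPLE_CONF = '''
action "local" mbox alias <aliases>
action "outbound" relay
action "relay_dkim" relay host smtp://127.0.0.1:10027
match from any for domain "example.com" action "local"
match from local for any action "outbound"
match from any auth for any action "outbound"
match from any for any action "relay_dkim"
match from any for any relay
'''

def _has_pair(tokens, first, second):
    """True if `first` is immediately followed by `second` in the rule."""
    return any(a == first and b == second for a, b in zip(tokens, tokens[1:]))

def find_open_relay_rules(conf_text):
    """Return [(line_number, rule)] for rules that relay for any unauthenticated host."""
    rows = [(n, raw.strip(), shlex.split(raw, comments=True))
            for n, raw in enumerate(conf_text.splitlines(), 1)]
    # Pass 1: names of actions that hand mail on to other hosts.
    relay_actions = {t[1] for _, _, t in rows
                     if len(t) >= 3 and t[0] == "action" and "relay" in t[2:]}
    findings = []
    # Pass 2: match rules open on both sides, unauthenticated, ending in a relay.
    for num, rule, t in rows:
        if not t or t[0] != "match" or "auth" in t:
            continue
        if not (_has_pair(t, "from", "any") and _has_pair(t, "for", "any")):
            continue
        if "action" in t:
            idx = t.index("action")
            relays = idx + 1 < len(t) and t[idx + 1] in relay_actions
        else:
            relays = "relay" in t  # bare "relay" form shown in the page's first sample
        if relays:
            findings.append((num, rule))
    return findings

if __name__ == "__main__":
    for num, rule in find_open_relay_rules(SAMPLE_CONF):
        print(f"line {num}: open relay rule: {rule}")
```

Rules restricted with "from local", "auth", or a specific "for domain" pass the check; only the two rules matching the page's misconfiguration samples are reported.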