(:title Beware Open Relays!:)

An open mail relay lets any Internet user send or receive messages through that server, hiding the real sender. Sometimes this is used to provide privacy and bypass censorship, but often it is unintentional. A misconfigured server can be abused to send spam.

Chances are, if you're reading this, it's because your mail server has been banned for being an open mail relay.

!! Why prevent open relays?

# It can be used to send malware (viruses, trojans, or worms)
# It can be used to send spam
# Your IP will get blacklisted and put on a [[openbsd/dnsbl|DNS blacklist]]

!! Sample Config

Here is a sample '''misconfiguration''' (do '''NOT''' use these configs):

[@
match from any for any relay
@]

If you're using [[openbsd/dkimproxy|dkimproxy]]:

[@
match from any for any action "relay_dkim"
@]

Don't use either of the above configurations, or your mail server will be used by spammers and crackers to flood the internet with trash mail.

!! Testing for Open Mail Relays

Here's how we test if a mail server is an open relay using [[netcat/SMTP|netcat]]:

[@
$ nc example.com 25
220 example.com ESMTP OpenSMTPD
HELO fakedomain.com
250 example.com Hello fakedomain.com [38.81.163.143], pleased to meet you
MAIL FROM: <criminal@fakedomain.com>
250 2.0.0 Ok
RCPT TO: <victim@otherplace.com>
550 Invalid recipient: <victim@otherplace.com>
@]

In this example, you are pretending to send email from criminal@fakedomain.com to victim@otherplace.com using example.com as a relay.

You should get @@Invalid recipient@@ or some similar rejection message. If you do not, example.com is likely running an open mail relay.

Here's how it appears when the mail server is improperly configured:

[@
$ nc example.com 25
220 example.com ESMTP OpenSMTPD
HELO fakedomain.com
250 example.com Hello fakedomain.com [38.81.163.143], pleased to meet you
MAIL FROM: <criminal@fakedomain.com>
250 2.0.0 Ok
RCPT TO: <victim@otherplace.com>
250 2.1.5 Destination address valid: Recipient ok
@]

Notice that this time it says @@Recipient ok@@ even though the mail comes from a spoofed sender and goes to an external domain. This will allow anyone to use '''your''' server to spam another mail server with forged addresses. If you don't fix this, you will get blacklisted for spam!

!! How to Fix

Check your [[openbsd/opensmtpd|smtpd.conf]] ruleset to make sure you '''never''' allow any domain to send to any domain. Only allow local hosts to send to external domains, and any host to send to your own domains.
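One way to apply the "How to Fix" check mechanically, as an added example that is not part of the original page or of OpenSMTPD: the Python function below scans an smtpd.conf ruleset for rules that relay from any source to any destination. The two sample rulesets are constructed; the domain, the @@local_mail@@ action, the dkimproxy port and the one-rule-per-line layout are assumptions.

```python
import shlex

# Constructed sample rulesets. WEAK contains the page's misconfigured rule;
# FIXED follows "How to Fix". Domain, action names and port are assumptions.
WEAK = """\
action "local_mail" mbox
action "relay_dkim" relay host smtp://127.0.0.1:10027
match from any for domain "example.com" action "local_mail"
match from any for any action "relay_dkim"
"""
FIXED = """\
action "local_mail" mbox
action "relay_dkim" relay host smtp://127.0.0.1:10027
match from any for domain "example.com" action "local_mail"
match from local for any action "relay_dkim"
"""

def find_open_relay_rules(conf_text):
    """Return (line_number, rule) for each match rule that relays mail
    from any source to any destination without requiring authentication."""
    rules = [(n, raw.strip(), shlex.split(raw, comments=True))
             for n, raw in enumerate(conf_text.splitlines(), 1)]
    # Pass 1: names of actions whose delivery method is "relay".
    relay_actions = {tok[1] for _, _, tok in rules
                     if len(tok) >= 3 and tok[0] == "action" and tok[2] == "relay"}
    findings = []
    # Pass 2: flag match rules combining "from any", "for any" and a relay.
    for num, raw, tok in rules:
        if not tok or tok[0] != "match":
            continue
        pairs = list(zip(tok, tok[1:]))
        from_any = ("from", "any") in pairs
        for_any = ("for", "any") in pairs
        # "auth" (or "from auth") limits the rule to logged-in users,
        # unless it is negated as "! auth".
        authed = any(b == "auth" and a != "!" for a, b in pairs)
        if "action" in tok[:-1]:
            relays = tok[tok.index("action") + 1] in relay_actions
        else:
            relays = tok[-1] == "relay"  # bare form from the page's first sample
        if from_any and for_any and relays and not authed:
            findings.append((num, raw))
    return findings
```

Run it over the contents of your own smtpd.conf; an empty list means no rule matched the open-relay pattern.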
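The netcat test from "Testing for Open Mail Relays", scripted so you can repeat it against your own server (an added example, not part of the original page). The function names are hypothetical; the two transcripts are the page's sessions trimmed to the relevant lines, and a 4xx reply is treated as inconclusive rather than as a pass.

```python
import smtplib

# The page's two nc sessions, trimmed to the lines that decide the result.
GOOD = """MAIL FROM: <criminal@fakedomain.com>
250 2.0.0 Ok
RCPT TO: <victim@otherplace.com>
550 Invalid recipient: <victim@otherplace.com>"""
BAD = """MAIL FROM: <criminal@fakedomain.com>
250 2.0.0 Ok
RCPT TO: <victim@otherplace.com>
250 2.1.5 Destination address valid: Recipient ok"""

def verdict(code):
    """Map the SMTP reply code for RCPT TO onto a relay-test result."""
    if 200 <= code < 300:
        return "open-relay"    # e.g. 250 2.1.5 ... Recipient ok
    if 500 <= code < 600:
        return "rejected"      # e.g. 550 Invalid recipient
    return "inconclusive"      # 4xx: temporary failure, test again later

def rcpt_code(transcript):
    """Return the final reply code that follows the first RCPT TO line of a
    pasted nc session, or None if the session never got that far."""
    seen_rcpt = False
    for line in transcript.splitlines():
        line = line.strip()
        if line.upper().startswith("RCPT TO:"):
            seen_rcpt = True
        elif seen_rcpt and line[:3].isdigit() and line[3:4] != "-":
            return int(line[:3])  # "250-" lines are continuations, skipped
    return None

def probe(host, helo, sender, rcpt, port=25, timeout=10):
    """Repeat the page's test against a server you run. Stops after RCPT TO
    and resets the transaction, so no message is ever queued."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.helo(helo)
        smtp.mail(sender)
        code, _ = smtp.rcpt(rcpt)
        smtp.rset()
    return verdict(code)
```

Run @@probe@@ from a host outside your network: local hosts are allowed to send to external domains, so a test from the server itself does not show what the Internet sees.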