Open-relay email server? What is that? In the last few days, I was involved in troubleshooting an email server for an organization. I was doing this remotely because I am still in Australia, and they are an eight-hour flight from here, in a different country.
So the point is, their email server was having severe issues. Network traffic rose suddenly, and the server was sending and receiving a massive amount of email (very unusual), so much that legitimate users were having a hard time accessing their email service. Well, after checking here and there and spending some time troubleshooting, tadaaa….. it turns out that the email server is an open relay.
What is an open relay?
An open relay is a mail server that accepts email from any external party (anyone outside its defined trusted network) and forwards it on to other mail servers, even when neither the sender nor the recipient belongs to the domains the server is responsible for. The server becomes a repeater: it receives messages and passes them on to other parties. That is precisely how a relay works, right? As simple as that.
This is dangerous. An external party can abuse the function to send email wherever they want, which quickly turns into a spam problem. They can do this simply because the email server lets them.
What is the consequence?
It is bad (of course!!):
- Server performance slows down because it must process the huge volume of requests generated by third parties (spammers). I found they were sending hundreds of thousands of emails via the server. CPU usage was very high, and what really made it sluggish was the high I/O wait (this one had a nasty effect on the server).
- Does a reboot help? Nah. Well, it helps only at the beginning, for a few seconds after the reboot is done. A few moments later the server slows down again because the spammers are pushing their messages through again and again.
- The situation worsens if the server's IP address is marked as one that sends spam and is then blacklisted by other email servers. Once your IP address appears on such a list, you get many complaints from users because other email servers (Google, Yahoo, Hotmail, etc.) reject any email originating from your server.
How does a server become an open relay?
So the story was: the server admin allowed people on the internal network to send email via the server, so the internal network became its trusted network, where checking is minimal. Later, their users wanted to send email from the internet as well; they did not want to go to the office just to send an email. Therefore the admin made all networks trusted networks, and tadaa… the email server became an open relay.
Spammers constantly probe services on every IP address in the world, and they found that this server was an open relay. Well, technically it's not the spammers' fault, right? The admin himself allowed everyone to forward email through his email server.
What a scary story. How do we check whether our email server is an open relay or not?
Relax, there are many tools out there to check, for example, this, this, and many others. Make sure yours is not an open relay. Believe me, once your IP addresses have appeared on a blacklist, your life will be miserable. It takes time to get an IP address removed from a blacklist.
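The check those tools perform is just the SMTP dialogue from the definition above: greet the server, give it an envelope sender, and ask it to accept a recipient in a domain it is not responsible for. The reply to RCPT TO is the verdict. The script below is an added example for testing your own server, not code from the original post or from any of the tools it links; the host names (relaytest.example, external.example) are placeholders and the scripted server replies are constructed so the example runs offline. It deliberately stops before DATA, so no message is ever handed over.

```python
"""Open-relay self-test: drive the SMTP dialogue up to RCPT TO and read the
verdict from the reply codes. Assumed names (relaytest.example, external.example)
are placeholders; the scripted replies below are constructed, not captured."""
import socket


def read_reply(readline):
    """Read one SMTP reply; '250-...' lines are continuations, '250 ...' ends it."""
    lines = []
    while True:
        raw = readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def relay_check(send, readline, my_name="relaytest.example",
                mail_from="probe@relaytest.example",
                rcpt_to="someone@external.example"):
    """Return {'verdict', 'rcpt_code', 'transcript'}. DATA is never sent, so no
    message can actually be relayed; the RCPT TO reply alone tells us whether the
    server would accept mail for a domain it does not own."""
    transcript = []

    def step(cmd):
        if cmd is not None:
            send((cmd + "\r\n").encode("ascii"))
            transcript.append("C: " + cmd)
        code, lines = read_reply(readline)
        transcript.extend("S: " + l for l in lines)
        return code

    rcpt_code = None
    if step(None) == 220:                                  # greeting banner
        step(f"EHLO {my_name}")
        if step(f"MAIL FROM:<{mail_from}>") == 250:
            rcpt_code = step(f"RCPT TO:<{rcpt_to}>")
            step("RSET")                                   # discard the envelope
        step("QUIT")

    if rcpt_code is None or 400 <= rcpt_code < 500:
        verdict = "inconclusive"      # no envelope, or temporary (4xx) rejection
    elif 200 <= rcpt_code < 300:
        verdict = "open-relay"        # accepted a recipient in a foreign domain
    else:
        verdict = "relay-denied"      # 5xx, e.g. "554 5.7.1 Relay access denied"
    return {"verdict": verdict, "rcpt_code": rcpt_code, "transcript": transcript}


class ScriptedServer:
    """Constructed stand-in for a mail server: replies in order, records commands."""

    def __init__(self, replies):
        self._replies = [list(r) for r in replies]
        self._pending = self._replies.pop(0)       # banner is sent unprompted
        self.commands = []

    def send(self, data):
        self.commands.append(data.decode("ascii").rstrip("\r\n"))
        self._pending = self._replies.pop(0) if self._replies else []

    def readline(self):
        return (self._pending.pop(0) + "\r\n").encode("ascii") if self._pending else b""


# Constructed reply scripts: banner, EHLO, MAIL FROM, RCPT TO, RSET, QUIT.
OPEN_RELAY_REPLIES = [
    ["220 mail.example ESMTP"],
    ["250-mail.example", "250 PIPELINING"],
    ["250 2.1.0 Ok"],
    ["250 2.1.5 Ok"],          # RCPT TO a foreign domain accepted: open relay
    ["250 2.0.0 Ok"],
    ["221 2.0.0 Bye"],
]
RELAY_DENIED_REPLIES = [
    OPEN_RELAY_REPLIES[0], OPEN_RELAY_REPLIES[1], OPEN_RELAY_REPLIES[2],
    ["554 5.7.1 <someone@external.example>: Relay access denied"],
    ["250 2.0.0 Ok"],
    ["221 2.0.0 Bye"],
]


def run_scripted(replies):
    server = ScriptedServer(replies)
    return relay_check(server.send, server.readline)


def check_live_server(host, port=25, timeout=10.0):
    """Run the same dialogue against one of your own servers over TCP."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as reader:
            return relay_check(sock.sendall, reader.readline)


if __name__ == "__main__":
    for name, replies in (("open", OPEN_RELAY_REPLIES), ("closed", RELAY_DENIED_REPLIES)):
        result = run_scripted(replies)
        print(name, "->", result["verdict"], result["rcpt_code"])
```

A 2xx reply to RCPT TO for a foreign domain is the open-relay signature; a 5xx such as "Relay access denied" is what a correctly restricted server answers. A 4xx is reported as inconclusive rather than as a pass, since greylisting or rate limiting can hide the real policy; rerun the check from a second address before trusting that result.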
What is the solution?
Well, some ideas:
- Define the trusted hosts carefully. The default settings of many email servers only allow localhost as the trusted network.
- You can use a relay host (smart host).
- Use an authentication mechanism. Before a user can send email, they must submit a username and password; only if authentication succeeds may the user send.
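The first and third ideas are two settings in the mail server's configuration, and the story above is exactly what happens when the first one is widened to "everything". The audit script below is an added example, not part of the original post; it assumes the server is Postfix (the post never names the software) and checks a main.cf for an over-broad mynetworks list and a relay policy that never rejects unauthorised destinations, pointing at SASL authentication as the replacement for trusting remote networks. Both configuration samples are constructed.

```python
"""Audit a Postfix main.cf for the two settings that turn a server into an open
relay: an over-broad 'mynetworks' trusted list and a relay policy that never
rejects unauthorised destinations. Assumes Postfix; sample configs are constructed."""
import ipaddress


def parse_main_cf(text):
    """Minimal main.cf parser: 'key = value', comments, and indented continuation lines."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key:                  # continuation of the previous value
            params[key] += " " + raw.strip()
        elif "=" in raw:
            key, value = raw.split("=", 1)
            key, params[key] = key.strip(), value.strip()
    return params


def split_list(value):
    """Postfix lists may be separated by commas and/or whitespace."""
    return [v for v in value.replace(",", " ").split() if v]


def audit_main_cf(text):
    """Return (severity, message) findings; an empty list means nothing obvious is wrong."""
    p = parse_main_cf(text)
    findings, remote_trust = [], False

    for token in split_list(p.get("mynetworks", "")):
        if token.startswith("!"):                    # negation entries exclude, never trust
            continue
        try:
            net = ipaddress.ip_network(token.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            continue                                 # hostnames and table lookups are not checked here
        if net.prefixlen == 0:
            findings.append(("high", f"mynetworks trusts the whole internet: {token}"))
            remote_trust = True
        elif not net.is_private:
            findings.append(("review", f"mynetworks trusts a public range: {token}"))
            remote_trust = True

    # Postfix 2.10+ ships a safe default for smtpd_relay_restrictions, so only an
    # explicit override is checked (assumption: a modern Postfix).
    relay = p.get("smtpd_relay_restrictions")
    if relay is not None:
        actions = set(split_list(relay))
        if not {"reject_unauth_destination", "defer_unauth_destination"} & actions:
            findings.append(("high", "smtpd_relay_restrictions never rejects unauthorised destinations"))

    if remote_trust and p.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        findings.append(("info", "use smtpd_sasl_auth_enable = yes with permit_sasl_authenticated "
                                 "instead of trusting remote networks"))
    return findings


WEAK_MAIN_CF = """\
# constructed example: the "make every network trusted" change from the story
myhostname = mail.example
mynetworks = 127.0.0.0/8 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks, permit
"""

FIXED_MAIN_CF = """\
# constructed example: loopback only; authenticated users may relay, nobody else
myhostname = mail.example
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        print(label, audit_main_cf(cfg) or "no findings")
```

The order inside smtpd_relay_restrictions matters: permit_mynetworks and permit_sasl_authenticated let trusted hosts and logged-in users through, and reject_unauth_destination then refuses relaying for everyone else. A bare "permit" at the end of that list, as in the weak sample, is the same mistake as 0.0.0.0/0 expressed differently.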
Thank you for reading. This article is part of Linux System administration course.
If you are interested, please feel free to contact us here (WhatsApp number available).
Picture from rickconner.net