How to prevent custom servers from becoming open relays?

An open relay accepts mail from anyone and forwards it anywhere, which spammers exploit to send from your IP. Preventing this is critical for any mail server.

Core protections:

Require authentication: Only authenticated users can relay. Configure SASL/SMTP AUTH and require it for relay permission.

Restrict relay networks: Only specific IPs or networks can relay without authentication. In Postfix: mynetworks = 127.0.0.0/8 (localhost only)

Don't relay for everyone: Configure smtpd_relay_restrictions to reject relay attempts from unauthorized sources.

Postfix example:

smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination

mynetworks = 127.0.0.0/8

This requires authentication or trusted network membership to relay.

Testing:

Use open relay testers (mxtoolbox.com/diagnostic.aspx)

Try sending from external IP without authentication (should fail)

Test regularly, especially after configuration changes

Monitoring:

Watch for unexpected outbound volume

Alert on relay attempts from unauthorized sources

Monitor blocklists in case you're being exploited

Open relay status destroys IP reputation quickly. Even brief exposure can result in lasting blocklist presence. Take configuration seriously and verify thoroughly.