How to prevent custom servers from becoming open relays?

An open relay accepts mail from anyone and forwards it anywhere, which spammers exploit to send from your IP. Preventing this is critical for any mail server.

Core protections:

Require authentication: Only authenticated users can relay. Configure SASL/SMTP AUTH and require it for relay permission.

Restrict relay networks: Only specific IPs or networks can relay without authentication. In Postfix: mynetworks = 127.0.0.0/8 (localhost only)

Don't relay for everyone: Configure smtpd_relay_restrictions to reject relay attempts from unauthorized sources.

Postfix example:

• smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
• mynetworks = 127.0.0.0/8
• This requires authentication or trusted network membership to relay.

Testing:

• Use open relay testers (mxtoolbox.com/diagnostic.aspx)
• Try sending from external IP without authentication (should fail)
• Test regularly, especially after configuration changes

Monitoring:

• Watch for unexpected outbound volume
• Alert on relay attempts from unauthorized sources
• Monitor blocklists in case you're being exploited

Open relay status destroys IP reputation quickly. Even brief exposure can result in lasting blocklist presence. Take configuration seriously and verify thoroughly.