An open relay is an SMTP server that accepts mail from any sender and forwards it to any recipient, without requiring authentication. That means anyone on the internet can connect to it on port 25 and send email through it, usually spam, under your server's IP address and reputation. Open relays were normal in the 1990s and are now a serious misconfiguration: they get exploited within hours, blacklisted on Spamhaus and Barracuda, and often suspended by the hosting provider. If your bulk mail server is an open relay, close it before you send anything.
I've inherited misconfigured mail servers more than once. An open relay is the fastest way to destroy a sending IP, so here's exactly what it is and how to shut one.
What "relay" actually means
Relaying is just an SMTP server accepting a message and passing it on toward its destination. That's normal and necessary. The question is who the server relays for.
| Term | Relays for | Authentication | Safe? |
|---|---|---|---|
| Open relay | Anyone, anywhere | None | No, exploitable |
| Authenticated relay (smart host) | Logged-in clients | SASL / SMTP AUTH | Yes |
| Trusted-network relay | Specific IP ranges | IP allowlist (mynetworks) | Yes, if scoped tight |
| Inbound MX only | Your own domains | N/A (accepts, doesn't forward) | Yes |
A healthy outbound server relays only for clients that authenticate or come from a trusted IP. An open relay skips that check entirely.
Why an open relay is dangerous
Three things happen, usually in this order:
- Spammers find it. Bots scan the whole IPv4 space on port 25 constantly. A fresh open relay typically gets discovered and abused within hours, not days.
- Your IP gets blacklisted. Once spam flows out under your IP, Spamhaus, SpamCop, and Barracuda list it. Inbox placement for your legitimate mail collapses. Delisting takes days and sometimes paid escalation.
- Your provider suspends you. Most VPS and cloud providers treat outbound spam as a terms-of-service violation and null-route or terminate the server, sometimes with no warning.
You also eat the bandwidth and queue load of whatever volume the spammers push, which can be millions of messages a day.
Open relay vs related risks
People confuse open relays with two other problems:
| Problem | What it is | Fix |
|---|---|---|
| Open relay | Forwards mail for any external sender to any recipient | Restrict relay to authenticated/trusted clients |
| Open proxy | Forwards any TCP traffic, including SMTP | Lock down proxy software, firewall |
| Backscatter | Sends bounce messages to forged senders | Reject invalid recipients at SMTP time, not after |
All three get you blacklisted. The open relay is the most common because it's a one-line config mistake.
How to check if you have one
- Run your hostname or IP through MXToolbox's open relay test or a similar tool.
- From an outside IP,
telnet your-server 25, then tryMAIL FROM:<[email protected]>andRCPT TO:<[email protected]>. A correctly closed server replies554 Relay access denied. An open relay replies250 OK. - Watch your mail queue. A sudden flood of mail to domains you don't own is the smoking gun.
How to close it
On Postfix, the core settings:
mynetworks= only your trusted IPs (loopback plus your app servers), never0.0.0.0/0.smtpd_sasl_auth_enable = yesso remote clients must log in.smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination.
Reload and retest from outside. On Postal, Exim, or a commercial relay, the equivalent is "require authentication for outbound" plus a scoped trusted-IP list. If you're standing up a server from scratch, our guide on how to set up an SMTP server for bulk email bakes these restrictions in from the start, and Postal vs Postfix covers which stack to pick.
Closing the relay is step one. After that comes IP warm-up, proper SPF/DKIM/DMARC, and a dedicated IP so your reputation is yours alone. Skip those and even a locked-down server lands in spam.
How BulkEmailSetup helps
A managed dedicated SMTP server from BulkEmailSetup ships closed by default: authenticated relay only, scoped trusted networks, plus blacklist monitoring so an accidental misconfiguration or compromise gets caught before your IP burns. You get your own warmed dedicated IP at a flat monthly rate, no relay-hardening homework, no 2 a.m. delisting. At low volume, cheap pay-per-email options like Amazon SES still win on price; at sustained volume the flat fee is the better deal, as we break down in is managed SMTP worth it. See pricing for current plans.
Frequently asked questions
What is an open relay in simple terms?
An open relay is an SMTP server that will accept email from any sender and deliver it to any recipient, without requiring authentication. That means strangers on the internet can use your server to send mail, usually spam, under your IP and domain.
How do I check if my server is an open relay?
Use an online open relay tester like MXToolbox, or telnet into your server on port 25 from an outside IP and try to send mail from an external address to another external address. If the server accepts it (250 OK) instead of rejecting it (relay denied), you have an open relay.
Is an open relay illegal?
Running one is not usually illegal by itself, but it almost always leads to your IP being abused for spam, which can violate your hosting provider's terms of service and anti-spam laws like CAN-SPAM when the mail goes out. The practical result is blacklisting and a suspended server.
What is the difference between an open relay and a smart host?
A smart host is an authenticated relay: it forwards mail only for clients that log in or come from trusted IPs. An open relay forwards for anyone with no checks. Both relay mail, but only the open relay is dangerous.
How do I close an open relay in Postfix?
Set mynetworks to only your trusted IPs, require SASL authentication for outside clients via smtpd_sasl_auth_enable, and set smtpd_relay_restrictions to permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination. Reload Postfix and retest.
