KB Article #102152

External to External mail routing.

Summary:

An open relay is an SMTP server that allows a user outside the site to use it to send mail to another user who is also outside the site. Spammers are always searching for open relays through which to send their spam, and you must take manual steps to close your relay so that this "external-to-external" routing is disallowed. This technote discusses how to make sure your EMF relay is closed.

There are internet "blacklisting" sites that continuously probe the internet for open relays, and put them on their blacklist. Other internet users can then subscribe to the blacklist site, and check in real time whether an IP connecting to their own site is blacklisted as an open relay, and deny the connection. This is called Realtime Blackhole List (RBL) checking, and is a strong countermeasure to spam. If your site is being blacklisted you should take steps to close your relay.

Symptoms:

  • You are setting up your EMF relay for the first time, and wish to make sure the relay is closed.
  • You want to verify your relay is closed.
  • Your site is being blacklisted as an open relay.
  • EMF returns a 550 relaying denied error.

Detailed Information:

By default, mail relays do not care whether From and To addresses are internal to your site or external. Every relay has the capacity to be "open", allowing external-to-external relaying, and should be closed by configuring its tables properly.

Resolution:

To completely close your EMF relay:

1. In the Setup > Relays > Network Connections section, make sure that the Default entry has the Internal column blank (this is the default). This classifies all hosts out on the Internet as External.

2. In the Setup > Relays > Network Connections section, make sure that your internal mail servers' IPs are listed and categorized as Internal, and have proper IP masks.

For example, a mask of 255.255.255.255 specifies that the IP must match exactly as written, and 255.255.255.0 specifies that the range of IPs with any value in the fourth octet is matched.

Examples:

Mail client   Mask              Comments
10.1.1.1      255.255.255.255   specifies exactly machine 10.1.1.1
10.1.2.0      255.255.255.0     specifies machines 10.1.2.0 - 10.1.2.255
10.1.3.0      255.255.255.127   specifies machines 10.1.3.0 + 10.1.3.128

The mask here is NOT the network subnet on which the specified host resides. It is a special mask, used by EMF as follows: a zero-bit in the mask allows the corresponding IP bit to be zero or one; a one-bit in the mask specifies the corresponding IP bit to be as written.

Be sure you know your network topology, and list here the IP(s) of the host(s) that actually connect to EMF to send outbound mail.

3. In the Setup > Relays > Routing Rules section, make sure that the Default entry has the From External Recipients column blank (meaning "deny the connection"; this is the default).

You also have to be careful that for any external domains you explicitly list in the Mail Routing Rules, the From External Recipients column is blank, unless you want to allow someone on the internet external to your site to route mail to this external address. If you allow this, you are exposing yourself, and your relay is not fully closed.

4. Set the Setup > Relay > Relay Settings field Illegal Mailbox Characters (scroll down to the bottom of the page) to the following 3-character value:

@!%

This closes a vulnerability based on older internet mail address formats, like user@domain1@domain2.

If you are being blacklisted as an open relay, after you make these changes, be sure to contact the site that is blacklisting you to be removed from the blacklist. You should go to their website and follow their instructions for blacklist removal. The removal process normally takes 24-72 hrs.
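The mask rule from step 2 can be checked before entries are typed into the Network Connections table. The following is an added example, not EMF code: it models the rule as stated above (one-bits pin the address bit, zero-bits are wildcards), and all function names are hypothetical. It reports how many hosts each entry would classify as Internal and flags masks that are not ordinary prefix-style masks.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def matches(client_ip, entry_ip, mask):
    # One-bit in mask: client bit must equal the entry's bit. Zero-bit: wildcard.
    m = to_int(mask)
    return (to_int(client_ip) & m) == (to_int(entry_ip) & m)

def host_count(mask):
    # Every zero bit in the mask doubles the number of admitted addresses.
    return 2 ** (32 - bin(to_int(mask)).count("1"))

def is_contiguous(mask):
    # True for ordinary prefix-style masks (all ones, then all zeros).
    wild = ~to_int(mask) & 0xFFFFFFFF
    return (wild & (wild + 1)) == 0

def admitted_hosts(entry_ip, mask, limit=4096):
    # List every address the entry treats as Internal (small entries only).
    if host_count(mask) > limit:
        raise ValueError("entry admits too many hosts to list")
    m = to_int(mask)
    wild = ~m & 0xFFFFFFFF
    base = to_int(entry_ip) & m
    hosts, sub = [], 0
    while True:
        hosts.append(str(ipaddress.IPv4Address(base | sub)))
        sub = (sub - wild) & wild  # next subset of the wildcard bits
        if sub == 0:
            return hosts

# The three sample rows from the table in step 2.
ENTRIES = [("10.1.1.1", "255.255.255.255"),
           ("10.1.2.0", "255.255.255.0"),
           ("10.1.3.0", "255.255.255.127")]

def audit(entries):
    # (ip, mask, hosts admitted, mask is prefix-style) for each Internal entry.
    return [(ip, mask, host_count(mask), is_contiguous(mask)) for ip, mask in entries]

if __name__ == "__main__":
    for ip, mask, count, contiguous in audit(ENTRIES):
        note = "" if contiguous else "  <- non-contiguous mask, confirm it is intended"
        print(f"{ip:<10} {mask:<16} admits {count} host(s){note}")
    print(admitted_hosts("10.1.3.0", "255.255.255.127"))
```

An entry that admits more hosts than the mail servers you actually run widens the set of machines allowed to relay outbound mail, so review any row whose count is larger than expected.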

Additional Information:

Please see the related article "Using the Realtime Blackhole List (RBL)" for additional information.