Open Relays

From Mac OS X Server FAQ

Contents 1 Open Relays 1.1 Testing Your Server 1.2 Securing Your Server 1.2.1 Restrict by IP 1.2.2 Restrict with Authentication

Open Relays

An open relay is an SMTP server which does not impose restrictions upon who may connect and send messages. Such a server offers a prime target for those who would send unsolicited bulk email (a.k.a. "Spam"). When a server is an open relay, it hurts not only those running the server (through bandwidth costs, server resource waste), but the Internet at large (in the form of more spam). If an unsecured SMTP server becomes a boon for spammers, it's likely the server will end up on a Realtime Blackhole List (RBLs), with the result that legitimate mail from the server is rejected.

Testing Your Server

In order to help system administrators secure their servers, the abuse.net website has a mail relay test available. To use this tool, simply enter the address for your mail server (either the FQDN or IP) and click the Test for relay button. Optionally, you may enter some additional information for a more rigorous test.

The relay test will attempt to send several messages through your mail server, reporting the results with each step. At the end of the test, you will be told whether it is likely that your mail server needs to be secured.

Securing Your Server

While the necessity of securing your mail server may be apparent, it might be difficult to figure out how to get started. Luckily, Mac OS X Server includes a GUI tool for specifying which hosts should be allowed to relay. This tool is the Mail Settings section of ServerAdmin (<code>/Applications/Server</code>). Before making any changes to your configuration, however, it would be beneficial to become familiar with how the Postfix mail server handles inbound connections.

While this is greatly simplified, the basic process is that a remote mail client (or even another mail server) connects to your SMTP server (i.e. Postfix). Once it has established the session and greeted your mail server, the remote client will attempt to deliver a new message. Postfix first examines the message's recipient to see if it's destined for a local user. If it is, the message is accepted and then delivered to one of your users.

If the message is not intended for one of your users, Postfix will then check if the client machine is on the list of hosts and networks that are allowed to relay email. Should the client machine not be on the list, Postfix will then allow the client to authenticate using a username and password combination. If the client is still not authorized, your mail server should refuse the message and continue on its merry way.

However, if your mail server is not properly configured, it will accept all messages, regardless of sender. When this happens, anyone can send a message to anyone else through your mail server; wasting its bandwidth, memory, and processor. In order to prevent this from happening, you should configure your mail server to authenticate valid clients by either IP or SMTP authentication. Doing so is quite easy with Mac OS X Server's Server Admin.

Restrict by IP

To specify which clients are allowed to relay through your mail server by IP address, first open ServerAdmin and expand the services for the desired server. Next, select the Mail service and then its Settings. Then, switch to the Filters settings tab. Here, you will see a checkbox labeled "Accept SMTP relays only from these hosts and networks". Enable it and then use the + symbol to add individual hosts and networks.

You should specify each host by its IP address. To specify a network, enter its network address and subnet mask in [CIDR notation]. For example, to allow the network 192.168.5.0 with subnet mask 255.255.255.0, you would add 192.168.5.0/24.

Note: Do NOT allow the IP address of your NAT router if you are using port forwarding to forward SMTP connections to your server. If you do, your mail server will accept all mail connections originating from the router, which would be pretty much everything in a NAT situation.

Restrict with Authentication

On the Advanced tab of Mail Settings you will find checkboxes for different SMTP Authentication protocols. To enable a specific protocol, enable its checkbox. I have had the best success with Login and PLAIN authentication. These are compatible with Thunderbird, Outlook, Outlook Express, and Apple's Mail. However, since they are plain-text passwords, I recommend using TLS/SSL to encrypt the SMTP traffic for the paranoid.

Note: Using SMTP authentication requires you to make changes to your client machines as well. For example, you must modify the SMTP server settings in Apple Mail so that Password authentication is used. The SMTP service is tied to the same directory services as everything else, so you need to specify the same username and password that you would for checking mail or otherwise accessing the server. Each mail client handles this a little differently, but it's usually considered an "Advanced" option and carries a name like "My outgoing mail server requires authentication" or "SMTP Server Settings".

If you restrict with authentication and know that all users will be using that method for sending mail you can leave the IP restriction set to 127.0.0.1 and not add any other IPs.