SMTP Open Relay Attack
Security Risk
What is an SMTP Open Relay?
An SMTP open relay is a mail server configured to allow anyone on the Internet to send email through it, not just mail destined to or originating from known users. This misconfiguration can be exploited by attackers to send spam, phishing emails, or other malicious content while hiding their true origin.
How to Test for SMTP Open Relay
Testing for SMTP open relay vulnerabilities involves attempting to send email through the target mail server to an external recipient. Here's how you can test for this vulnerability:
Manual Testing
Connect to the SMTP server using telnet or netcat:
$ telnet target-smtp-server 25
Trying 192.168.1.1...
Connected to target-smtp-server.
Escape character is '^]'.
220 target-smtp-server ESMTP Postfix
Then try to send an email through the server:
HELO pentester.local
MAIL FROM: <attacker@external-domain.com>
RCPT TO: <victim@another-domain.com>
DATA
Subject: SMTP Open Relay Test
This is a test to check for SMTP open relay vulnerability.
.
QUIT
If the server answers 250 to the RCPT TO for a domain it is not responsible for and the message then arrives in the external mailbox, it is an open relay. A correctly configured server refuses at the RCPT TO step with a 5xx reply such as Postfix's "554 5.7.1 Relay access denied" (some servers defer the refusal until after DATA, which is why delivery to the external mailbox is the conclusive check).
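The manual dialog above, reduced to the step that decides the question and wrapped in a Python self-check you can run against your own mail servers. This is an added example, not code from the original page: it aborts the transaction with RSET after RCPT TO, so no DATA is ever sent and nothing is queued for delivery. The probe addresses, the ScriptedSMTP stand-in (included so the logic can be exercised offline) and the host names are constructed for illustration.

```python
import smtplib

# Constructed probe addresses. The recipient domain must be one the server under
# test does not host and is not a backup MX for; otherwise a 250 is legitimate.
PROBE_SENDER = "relaytest@sender.example"
PROBE_RECIPIENT = "relaytest@recipient.example"


def probe_open_relay(smtp):
    """Drive the MAIL FROM / RCPT TO part of the relay test on a connected
    smtplib.SMTP object (or anything with the same ehlo/mail/rcpt/rset methods).

    Returns (is_open, rcpt_code, rcpt_message). The transaction is aborted with
    RSET, so no DATA is sent and nothing is ever handed over for delivery.
    """
    smtp.ehlo_or_helo_if_needed()
    code, msg = smtp.mail(PROBE_SENDER)
    if code != 250:
        raise RuntimeError(f"MAIL FROM refused before the relay check: {code} {msg!r}")
    code, msg = smtp.rcpt(PROBE_RECIPIENT)
    smtp.rset()  # abort: we only wanted the server's verdict on the recipient
    text = msg.decode(errors="replace") if isinstance(msg, bytes) else str(msg)
    # 250 (or 251 "user not local; will forward") for a foreign domain means the
    # server agreed to relay for an unauthenticated client it has never seen.
    return code in (250, 251), code, text


def check_server(host, port=25, timeout=15):
    """Connect to host:port unauthenticated, run the probe, QUIT on exit."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        return probe_open_relay(smtp)


class ScriptedSMTP:
    """Constructed stand-in for smtplib.SMTP so the probe can run offline.
    rcpt_reply is the (code, message) the simulated server gives to RCPT TO."""

    def __init__(self, rcpt_reply):
        self.rcpt_reply = rcpt_reply
        self.transcript = []

    def ehlo_or_helo_if_needed(self):
        self.transcript.append("EHLO")

    def mail(self, sender):
        self.transcript.append(f"MAIL FROM:<{sender}>")
        return 250, b"2.1.0 Ok"

    def rcpt(self, recipient):
        self.transcript.append(f"RCPT TO:<{recipient}>")
        return self.rcpt_reply

    def rset(self):
        self.transcript.append("RSET")
        return 250, b"2.0.0 Ok"


if __name__ == "__main__":
    import sys
    # Usage: python relay_probe.py <your-mail-server> [port]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    is_open, code, text = check_server(host, port)
    print(f"{host}:{port} -> RCPT TO reply {code} {text}")
    print("OPEN RELAY" if is_open else "relay refused")
```

A 250 at RCPT TO is a strong indicator but not proof: a server that evaluates its restrictions only after DATA would pass this probe and still refuse the message, so a clean result from the probe should be followed by the full test from the page when in doubt, while a 5xx here is conclusive.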
Automated Testing
You can use tools like Metasploit's smtp_relay module:
msf > use auxiliary/scanner/smtp/smtp_relay
msf auxiliary(smtp_relay) > set RHOSTS target-smtp-server
msf auxiliary(smtp_relay) > run
Impact of SMTP Open Relay Vulnerabilities
- Your mail server can be used to distribute spam and malicious content
- Your IP addresses may be blacklisted by spam filters
- Legitimate emails from your organization may be blocked
- Increased server load and bandwidth consumption
- Potential legal issues if your server is used for illegal activities
Mitigation Strategies
For Postfix
Edit the /etc/postfix/main.cf file and set the following (continuation lines must be indented, and order matters: the list is evaluated top to bottom, so reject_unauth_destination has to come before any unconditional permit):
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
On Postfix 2.10 and later, relay control also lives in smtpd_relay_restrictions, which is evaluated before smtpd_recipient_restrictions and defaults to permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination; leave it at that default or give it the same list as above, then run postfix reload.
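A configuration audit for the Postfix setting above, written as an added Python example (not part of the original page or of Postfix): it parses main.cf syntax, including the indented continuation lines, and walks each restriction list in evaluation order to decide whether a relay gate (reject_unauth_destination or an equivalent) is reached before an unconditional permit. The PAGE_CONFIG constant embeds the page's own snippet so the script runs offline; the bad configurations in the usage are constructed. It does not look inside check_*_access maps, which can also return OK and need manual review.

```python
import re

# Restrictions that stop relaying to destinations this server is not responsible
# for. Any one of them, reached before an unconditional permit, closes the relay.
RELAY_GATES = {"reject_unauth_destination", "defer_unauth_destination", "reject", "defer"}

# The page's own Postfix snippet, embedded here so the example runs offline.
PAGE_CONFIG = """\
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""


def _tokens(value):
    # Postfix separates list items with commas and/or whitespace.
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]


def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value', '#' comment lines, and continuation
    lines that start with whitespace. Returns {parameter: [tokens]}."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is not None:          # continuation of the previous value
                params[current] += _tokens(raw)
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue                         # not a parameter assignment
        current = name.strip()
        params[current] = _tokens(value)
    return params


def assess_list(name, tokens):
    """Walk one restriction list in evaluation order. Returns (gated, reason).
    Only a bare 'permit' is treated as opening the relay: permit_mynetworks and
    permit_sasl_authenticated are scoped to trusted or authenticated clients."""
    if not tokens:
        return False, f"{name} is set but empty"
    for tok in tokens:
        if tok in RELAY_GATES:
            return True, f"{name}: '{tok}' is reached before any unconditional permit"
        if tok == "permit":
            return False, f"{name}: unconditional 'permit' comes before any relay gate"
    return False, f"{name}: contains no reject_unauth_destination or equivalent"


def assess_relay(params):
    """Open-relay verdict for a parsed main.cf, as (safe, reason).

    Postfix evaluates smtpd_relay_restrictions (2.10+) and then
    smtpd_recipient_restrictions; a reject in either list wins, so the relay is
    closed if any configured list is gated. Lists that are not set are skipped
    (Postfix's built-in defaults gate relaying); if at least one list is set and
    none of the configured lists is gated, the verdict is a relay risk."""
    reasons = []
    for name in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        if name not in params:
            continue
        gated, reason = assess_list(name, params[name])
        if gated:
            return True, reason
        reasons.append(reason)
    if not reasons:
        return True, "neither list is set; Postfix defaults gate relaying"
    return False, "; ".join(reasons)


if __name__ == "__main__":
    import sys
    # Usage: python check_relay_cfg.py /etc/postfix/main.cf  (defaults to PAGE_CONFIG)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PAGE_CONFIG
    safe, why = assess_relay(parse_main_cf(text))
    print(("CLOSED: " if safe else "OPEN RELAY RISK: ") + why)
```

Run it against a copy of main.cf from each mail host as part of the regular configuration audit; a reading of `postconf -n` output works just as well, since that prints the same name = value syntax.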
For Exchange Server
Configure receive connectors to accept mail only from authenticated users or from specific IP ranges (the -RemoteIPRanges parameter limits the source addresses a connector accepts):
Set-ReceiveConnector "Connector Name" -PermissionGroups "ExchangeUsers"
General Best Practices
- Implement proper authentication for SMTP servers
- Use TLS for SMTP connections
- Regularly audit mail server configurations
- Implement rate limiting for email sending
- Monitor mail server logs for suspicious activity
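For the last practice, monitoring mail server logs, here is an added Python example (not part of the original page) that parses the line Postfix writes when reject_unauth_destination refuses a recipient and flags clients that repeatedly try to relay. The SAMPLE_LOG lines are constructed in Postfix's log format (the addresses reuse the page's test values; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges); the threshold is an assumption to tune for your traffic.

```python
import re
from collections import Counter, defaultdict

# Postfix smtpd line written when reject_unauth_destination refuses a recipient.
RELAY_DENIED = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"554 5\.7\.1 <(?P<rcpt>[^>]+)>: Relay access denied; from=<(?P<sender>[^>]*)>"
)

# Constructed sample log lines in Postfix's format; hosts, times and addresses are made up.
SAMPLE_LOG = """\
Mar  3 10:15:02 mx1 postfix/smtpd[12345]: connect from unknown[203.0.113.7]
Mar  3 10:15:02 mx1 postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <victim@another-domain.com>: Relay access denied; from=<attacker@external-domain.com> to=<victim@another-domain.com> proto=ESMTP helo=<pentester.local>
Mar  3 10:15:03 mx1 postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <user1@third.example>: Relay access denied; from=<attacker@external-domain.com> to=<user1@third.example> proto=ESMTP helo=<pentester.local>
Mar  3 10:15:03 mx1 postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <user2@third.example>: Relay access denied; from=<attacker@external-domain.com> to=<user2@third.example> proto=ESMTP helo=<pentester.local>
Mar  3 10:15:04 mx1 postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <user3@third.example>: Relay access denied; from=<attacker@external-domain.com> to=<user3@third.example> proto=ESMTP helo=<pentester.local>
Mar  3 10:20:11 mx1 postfix/smtpd[12350]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.22]: 554 5.7.1 <someone@elsewhere.example>: Relay access denied; from=<ops@partner.example> to=<someone@elsewhere.example> proto=ESMTP helo=<mail.partner.example>
Mar  3 10:21:00 mx1 postfix/smtpd[12350]: disconnect from mail.partner.example[198.51.100.22]
"""


def parse_relay_denials(lines):
    """Return one dict per relay-denied RCPT with keys host, ip, rcpt, sender."""
    return [m.groupdict() for m in map(RELAY_DENIED.search, lines) if m]


def summarize(events, threshold=3):
    """Count denials per client IP and flag clients at or above threshold.

    Returns (per_ip Counter, flagged) where flagged maps an IP to its denial
    count, the distinct target domains it tried and the sender addresses it
    claimed. Many domains from one client is the spam-relay pattern; a single
    denial from a known partner is more likely a misconfigured MX on their side."""
    per_ip = Counter(e["ip"] for e in events)
    detail = defaultdict(lambda: {"denials": 0, "domains": set(), "senders": set()})
    for e in events:
        d = detail[e["ip"]]
        d["denials"] += 1
        d["domains"].add(e["rcpt"].rpartition("@")[2].lower())
        d["senders"].add(e["sender"])
    flagged = {
        ip: {"denials": d["denials"], "domains": sorted(d["domains"]), "senders": sorted(d["senders"])}
        for ip, d in detail.items() if d["denials"] >= threshold
    }
    return per_ip, flagged


def report(text, threshold=3):
    """Convenience wrapper: raw log text in, (per_ip, flagged) out."""
    return summarize(parse_relay_denials(text.splitlines()), threshold)


if __name__ == "__main__":
    import sys
    # Usage: python relay_denials.py /var/log/mail.log  (defaults to SAMPLE_LOG)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    per_ip, flagged = report(text)
    for ip, n in per_ip.most_common():
        print(f"{ip:16} {n} relay attempt(s) denied")
    for ip, d in flagged.items():
        print(f"FLAG {ip}: {d['denials']} denials across {len(d['domains'])} domain(s) {d['domains']}")
```

Denied attempts are the expected signal on a correctly configured server. The reverse is the finding to worry about: if the probe from the testing section is accepted, nothing is logged as a reject at all, and the attempts show up instead as ordinary queued messages from clients outside mynetworks with no sasl_username on their client= line. Exchange writes message tracking logs in a different format, so the regular expression above applies to Postfix only.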