Bobcares

Linux SMTP relay – How we protect your mail servers from being open relays


Protecting mail servers from being used as Linux SMTP open relays is a major security task we perform as part of our Dedicated Tech Support services for web hosting providers.

An open mail relay is an SMTP server that allows any host to send mail through it. If a Linux SMTP relay server is an open relay, users can send mail through it without authenticating.

Today we’ll see how we resolve SMTP relay errors in our customers’ mail servers.

Linux SMTP relay – Why should you protect your mail server from open relay?

While some customers allow no open relaying, or allow relaying of mail only from trusted hosts, the majority of the mail servers we configure are secured to prevent all such open relays.

A mail server that acts as an SMTP relay can get easily spammed by attackers and end up being blacklisted in spam databases. This can lead to delay or failure in email delivery from this mail server.

No destination server would accept mails from a spamming server that is blacklisted. To protect our customers’ servers from getting blacklisted, we prevent any open relay through these servers.

We’ve seen cases where a third party application rule set messed up the server settings and made it vulnerable, causing it to function as an open relay. With our timely intervention, we’ve been able to detect and fix such issues promptly.


What causes ‘Relay access denied’ error?

A secure mail server blocks connection attempts from all unauthorized email user accounts and allows only authenticated users to send mail through it.

If any host tries to relay mails through the mail server without authenticating, it would be rejected by the secure mail server with the error message ‘Relay access denied’.

However, this error can also happen in cases where valid email users try to send mails. If the mail server is unable to confirm whether the domain owner is authorized to send emails through it, the mail would be rejected.

In cPanel Exim email servers, a valid sender means the user who authenticates to the mail server using the mail account username and password, before trying to send mails.
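The relay decision described above, as an added sketch (not Bobcares' code and not any mail server's own implementation): it also flags "trusted host" entries that would turn the server into an open relay. The class name, reply codes, domains and addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Ranges treated as "inside" for this example (loopback and RFC 1918 private space).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]

@dataclass
class RelayPolicy:  # hypothetical model, not a real server's configuration object
    local_domains: set                                     # domains this server delivers for
    trusted_networks: list = field(default_factory=list)   # CIDRs that may relay without AUTH

    def decide(self, client_ip, authenticated, rcpt):
        """Return the reply to one RCPT TO (reply codes are illustrative)."""
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return "250 accepted: local recipient"      # inbound delivery, not relaying
        if authenticated:
            return "250 accepted: authenticated relay"  # valid user passed SMTP AUTH
        ip = ipaddress.ip_address(client_ip)
        if any(ip in ipaddress.ip_network(n) for n in self.trusted_networks):
            return "250 accepted: trusted host relay"
        return "554 Relay access denied"

    def risky_trusted_networks(self):
        """Trusted entries reaching beyond internal ranges: each lets outside hosts relay."""
        risky = []
        for n in self.trusted_networks:
            net = ipaddress.ip_network(n)
            if not any(net.version == i.version and net.subnet_of(i) for i in INTERNAL):
                risky.append(n)
        return risky

# Constructed sample data: example.com is local, 203.0.113.25 is an outside host.
secure = RelayPolicy({"example.com"}, ["127.0.0.0/8", "10.20.0.0/16"])
broken = RelayPolicy({"example.com"}, ["127.0.0.0/8", "0.0.0.0/0"])  # rule set gone wrong

if __name__ == "__main__":
    for name, policy in (("secure", secure), ("broken", broken)):
        print(name, "->", policy.decide("203.0.113.25", False, "user@other.example"),
              "| risky:", policy.risky_trusted_networks())
```
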

Valid users can face the ‘Relay access denied’ error while trying to send mails, for many reasons. Some of the reasons we’ve seen are:

  1. User not authenticated properly – user name or password wrong.
  2. Wrong mail server given in the mail client configuration.
  3. SMTP port blocked or wrong port configured.
  4. Incorrect MX record settings or DNS resolution issues.
  5. Email routing issues or other errors in the mail server.
  6. Any custom 3rd party webmail or spam filter settings.
  7. Recipient mail account corruption.
  8. Changes of authenticated IP on users’ mobile devices.
  9. When an external sender fails your server’s spam check.
  10. Improper configuration of mail server, such as relaying and recipient settings.


How to fix Linux SMTP relay and related errors

People rely on mail services for their ongoing business communication. So, securing the mail servers is a crucial task our Outsourced support technicians perform, to prevent trojans, viruses, bots, phishing and other malware from disrupting their service.

At Bobcares, we implement these security measures to secure our customers’ SMTP server:

  • Linux SMTP relay – To prevent open relays, we allow only valid users to send mail through the server. This is implemented by configuring SMTP authentication in the mail servers.
  • Prevent outbound spamming – Hacked web applications are often used to send out spam from the mail server. We prevent this by disabling the default web user from sending out mails.
  • Enable detailed logging – With our extended logging mechanism, we are able to track and detect all abuses in a timely manner.
  • Rate limit mail/connections per user – Limiting the number of mails and connections that can be attempted by each user, depending on their requirement, helps us to control the outgoing mails.
  • Configure alternate SMTP port – By making the mail server listen on an alternate SMTP port, such as “26” or “587”, other than the default port “25”, we block attempts at spam relay.
  • Enable TLS on all ports – Encrypting the mail service using TLS helps us to secure transmitted data and to prevent data sniffing.
  • Scan outgoing messages for spam and virus – To protect server IP reputation by preventing spam from going out, we implement outbound mail scanning.
  • Block mails from blacklisted IPs – To prevent inbound spamming, we use Realtime Block Lists (RBLs) to block blacklisted mail servers from sending mail to our server.
  • Configure anti-spam DNS records – Anti-spam DNS records like SPF, RDNS, DKIM keys, etc. are configured for domains in our mail server to ensure that mails from our server are not marked as spam.
  • Run the SMTP server as unprivileged user – To prevent the entire server from being hacked due to a vulnerability in the mail server, we run the mail server as an unprivileged user.
  • Apply security patches and updates – As a part of our security management, we apply mail server security patches and updates without delay.
  • 24/7 monitoring – Our expert technicians monitor the email logs for any anomalies and fix them proactively, before users face issues with emails.

Examining the mail logs, testing email routing and checking the mail server settings are some of the methods we use to identify and fix the issue. If you’d like to know how to fix your mail server, we’d be happy to talk to you.

We’ve been able to prevent server incidents by up to 15% by using our proactive server checks.

 

 
