How can I block outside mail FROM [email protected]?

sventechie asked:

A security firm has been testing my mail server and claims my Postfix daemon is an open relay. The evidence is as follows (valid public IP for mail.mydomain.com has been changed to 10.1.1.1 for security):

Relay User: postmaster Relay Domain: 10.1.1.1
Transaction Log: EHLO elk_scan_137 250-mail.mydomain.com 250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME
250 DSN
MAIL FROM: [email protected][10.1.1.1]
250 2.1.0 Ok
RCPT TO: [email protected][10.1.1.1]
250 2.1.5 Ok

I’ve already blocked mail to root, but clearly I should not block postmaster. I feel that the ability to send mail from a server to itself does not make an open relay. But how can I safely block a spoofed [email protected] sender?

[N.B. I’ve scanned myself using mxtoolbox.com and they say it is secure and not an open relay]

My answer:


The fact that someone can send you mail addressed to your own mail server’s IP address has absolutely no bearing on whether the mail server is an open relay.

Open relays accept mail for any and all systems outside their administrative domain and forward them onward. This clearly is not what’s demonstrated here.

Ask the security firm to share whatever it is they’ve been smoking, since clearly it’s really good stuff.


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.