1

I have a scenario where I need to set up postfix with no TLS, no SMTP authentication, and open relay allowing from only one remote IP address. Emails from this remote IP may have spoofed "from" address as well.

I know, don't ask about how I got to this point...

My concern is that my server will be blacklisted in the future.

What are the best practices for managing open relay server so that it will not be blacklisted?

Thanks in advance.

WJR
  • 341
  • 1
  • 4
  • 17

5 Answers

9

It's not an open relay if you are merely accepting any mail from a single IP address. (Open relays accept any mail from anywhere.)

In this case, simply add the IP address to mynetworks in your Postfix main.cf.

Oh, and don't send spam.

Michael Hampton
  • 244,070
  • 43
  • 506
  • 972
  • And, if you're extra paranoid, configure netfilter to only accept connections to 25/tcp from that single IP. – EEAA Dec 27 '12 at 18:47
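As an added example (not code from the original answers or from Postfix), the following Python checker reads a main.cf in the form the answer describes and reports whether mynetworks or the relay restriction list would let anyone relay through the host. The two sample main.cf texts and the trusted address 192.0.2.10 are constructed for this example; the "broad network" threshold of 256 addresses is an arbitrary choice for the demonstration.

```python
"""Flag Postfix main.cf settings that would make the host relay for anyone.

Added example, not part of the original answers. It checks the two settings
the answer relies on: mynetworks should list only trusted hosts, and the
relay restriction list must still reject unauthorized destinations for
everyone else. Both main.cf samples below are constructed.
"""
import ipaddress
import re

# Constructed sample: only loopback and one trusted peer may relay.
SAFE_MAIN_CF = """
myhostname = mail.example.org
mynetworks = 127.0.0.0/8, [::1]/128, 192.0.2.10/32
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
"""

# Constructed sample of a genuine open relay: everyone is "trusted".
OPEN_RELAY_MAIN_CF = """
myhostname = mail.example.org
mynetworks = 0.0.0.0/0
smtpd_relay_restrictions = permit
"""

# Postfix's own default for smtpd_relay_restrictions (used when the
# parameter is absent from main.cf).
DEFAULT_RELAY_RESTRICTIONS = (
    "permit_mynetworks permit_sasl_authenticated defer_unauth_destination"
)


def parse_main_cf(text):
    """Return {parameter: value} for 'key = value' lines; comments and blanks skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def split_list(value):
    """Postfix lists are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def broad_networks(mynetworks, max_hosts=256):
    """Return mynetworks entries that cover more than max_hosts non-loopback addresses."""
    broad = []
    for entry in split_list(mynetworks):
        # Postfix writes IPv6 entries as [addr]/prefix; strip the brackets.
        candidate = entry.replace("[", "").replace("]", "")
        try:
            net = ipaddress.ip_network(candidate, strict=False)
        except ValueError:
            continue  # hostnames and table lookups are out of scope here
        if net.is_loopback:
            continue
        if net.num_addresses > max_hosts:
            broad.append(entry)
    return broad


def relay_findings(params):
    """List human-readable problems with the relay-related settings."""
    findings = []
    broad = broad_networks(params.get("mynetworks", ""))
    if broad:
        findings.append("mynetworks trusts broad ranges: " + ", ".join(broad))

    # smtpd_relay_restrictions governs relaying on Postfix 2.10+; older
    # configs did this in smtpd_recipient_restrictions.
    restrictions = (
        params.get("smtpd_relay_restrictions")
        or params.get("smtpd_recipient_restrictions")
        or DEFAULT_RELAY_RESTRICTIONS
    )
    items = split_list(restrictions)
    stop = [i for i, r in enumerate(items)
            if r in ("reject_unauth_destination", "defer_unauth_destination")]
    if not stop:
        findings.append("relay restrictions never reject unauthorized destinations")
    elif "permit" in items[: stop[0]]:
        findings.append("an unconditional 'permit' precedes reject_unauth_destination")
    return findings


if __name__ == "__main__":
    for label, text in (("safe", SAFE_MAIN_CF), ("open relay", OPEN_RELAY_MAIN_CF)):
        print(label, "->", relay_findings(parse_main_cf(text)) or ["no findings"])
```

The checker only inspects an explicit mynetworks value; when the parameter is absent Postfix derives it from mynetworks_style, which this example does not model.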
3

Don't make it an "open relay"... Just don't require authentication from that one IP address to relay. It's really not the same thing. I do this all the time for internal IP ranges (e.g. my internal printer range doesn't need to authenticate, so they can send e-mail notifications without user accounts that would need to be constantly maintained).

Chris S
  • 77,945
  • 11
  • 124
  • 216
1

The best practice for open relay email servers is not to have one, and blacklist any you find.

HopelessN00b
  • 53,795
  • 33
  • 135
  • 209
1

SMTP best practices and open relays are mutually exclusive.

RFC5068: https://www.rfc-editor.org/rfc/rfc5068

Ryan Ries
  • 55,481
  • 10
  • 142
  • 199
1

As long as it's only one remote IP, your simplest solution would be to firewall off the traffic except for that one machine.

Something like:

# Accept new SMTP connections only from the trusted host (reply packets rely on the usual ESTABLISHED,RELATED accept rule earlier in the chain)
-A <chain> -s <your_ip>/32 -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
# Drop SMTP connection attempts from everyone else
-A <chain> -m tcp -p tcp --dport 25 -j DROP

Also, like others have said, you really shouldn't be running an open relay.

Zypher
  • 37,405
  • 5
  • 53
  • 95