Use nmap to Test For Open Mail Relay

By | 2015/06/15

nmap has a built-in script to check for an open relay. Check it out!


While there are many online tools to check for open relays, a local check is often needed on an internal network. For this, use nmap! nmap can also be used to quickly audit a range of hosts.

Example 1: open relay

Here is an example that checks for an open relay on IP 192.168.1.12, which is indeed an open relay:

$ sudo nmap --script smtp-open-relay 192.168.1.12

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-28 13:58 EDT
Nmap scan report for example.com (192.168.1.12)
Host is up (0.0052s latency).
Not shown: 996 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  open   smtp
|_smtp-open-relay: Server is an open relay (16/16 tests)
80/tcp  open   http
631/tcp closed ipp

Nmap done: 1 IP address (1 host up) scanned in 5.84 seconds

Example 2: No open relay

If the host is not an open relay, the results will look similar to:

$ sudo nmap --script smtp-open-relay scottlinux.com
[sudo] password for stmiller: 

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-15 21:15 EDT
Nmap scan report for scottlinux.com (173.230.156.66)
Host is up (0.086s latency).
rDNS record for 173.230.156.66: li166-66.members.linode.com
Not shown: 996 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
|_smtp-open-relay: Server isn't an open relay, authentication needed
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 23.31 seconds
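For auditing a range of hosts, the result lines can be triaged automatically. The following is an added example, not part of the original post: it labels each host from its smtp-open-relay line and treats anything other than the verdict strings quoted on this page as inconclusive. The function names, the hosts other than 192.168.1.12 and the sample scan text are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Sample scan text is constructed.

# Reads nmap normal output on stdin, prints "<ip> <verdict>" for each host.
classify_relay() {
    awk '
    function emit() {
        if (host != "") print host, (verdict == "" ? "no-result" : verdict)
    }
    /^Nmap scan report for / {
        emit()
        host = $NF; gsub(/[()]/, "", host)  # last field is the IP, maybe in parens
        verdict = ""
    }
    /smtp-open-relay:/ {
        if ($0 ~ /Server is an open relay/)  verdict = "open-relay"
        else if ($0 ~ /Server (isn|doesn)/)  verdict = "not-relay"
        else                                 verdict = "inconclusive"  # errors, timeouts
    }
    END { emit() }
    '
}

# Constructed sample. The 192.168.1.14 line is a shortened stand-in for the
# timeout error quoted in the comment below, not captured nmap output.
sample_scan() {
    cat <<'EOF'
Nmap scan report for 192.168.1.12
25/tcp  open   smtp
|_smtp-open-relay: Server is an open relay (16/16 tests)

Nmap scan report for mail.example.com (192.168.1.13)
25/tcp  open  smtp
|_smtp-open-relay: Server isn't an open relay, authentication needed

Nmap scan report for 192.168.1.14
25/tcp  open  smtp
|_smtp-open-relay: Failed to issue RCPT TO command (connection timeout)

Nmap scan report for 192.168.1.15
25/tcp  open  smtp
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed

Nmap scan report for 192.168.1.16
25/tcp  filtered smtp
EOF
}

sample_scan | classify_relay
```

To use it on a real audit, save the scan with nmap's -oN option and feed that file to classify_relay. Hosts labelled inconclusive or no-result have not been shown to be safe and need a re-run.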

Rock on,

2 thoughts on “Use nmap to Test For Open Mail Relay”

  1. Norbert Fischer

    “Failed to issue “relaytest%nmap.scanme.org” command (SMTP RCPT TO:: failed to receive data: connection timeout)”

    This error message doesn’t tell you that you’re not an open relay. Instead, the tests just failed to complete because the connection timed out. For example, that could happen if fail2ban or some similar mechanism kicks in in the middle of testing your relay and bans your client. Thus you don’t get results for each test and still don’t know if you’re operating an open relay!

    To get a meaningful result you have to whitelist the IP address from which you run nmap in advance of your testing. If all tests complete, the message you’ll get is “Server doesn’t seem to be an open relay, all tests failed”.

    1. Scott Miller Post author

      Thanks! I’ve updated the post.

