Use nmap to Test For Open Mail Relay

By | 2015/06/15

nmap has a built-in script to check for an open relay. Check it out!


While there are many online tools to check for open relays, a local check is often needed on an internal network. For this, use nmap! nmap can also quickly audit a range of hosts.

Example 1: open relay

Here is an example that checks for an open relay on IP 192.168.1.12, which is indeed an open relay:

$ sudo nmap --script smtp-open-relay 192.168.1.12

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-28 13:58 EDT
Nmap scan report for example.com (192.168.1.12)
Host is up (0.0052s latency).
Not shown: 996 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  open   smtp
|_smtp-open-relay: Server is an open relay (16/16 tests)
80/tcp  open   http
631/tcp closed ipp

Nmap done: 1 IP address (1 host up) scanned in 5.84 seconds

Example 2: No open relay

If the host is not an open relay, the results will look similar to:

$ sudo nmap --script smtp-open-relay scottlinux.com
[sudo] password for stmiller: 

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-15 21:15 EDT
Nmap scan report for scottlinux.com (173.230.156.66)
Host is up (0.086s latency).
rDNS record for 173.230.156.66: li166-66.members.linode.com
Not shown: 996 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
|_smtp-open-relay: Server isn't an open relay, authentication needed
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 23.31 seconds
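
When auditing a range of hosts, the scan output can be reduced to one verdict line per SMTP port. This is an added example, not part of the original post. The function names relay_summary and sample_scan, the sample hosts, and the range and port list in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: reduce nmap normal output to one verdict line per SMTP port.

# Reads nmap normal output on stdin; prints "host port verdict".
relay_summary() {
    awk '
        # Header line: "Nmap scan report for name (ip)" or "... for ip"
        /^Nmap scan report for / {
            host = $NF; gsub(/[()]/, "", host); port = ""; next
        }
        # Port table row, e.g. "25/tcp  open   smtp"
        /^[0-9]+\/(tcp|udp) / { port = $1; next }
        # Script result: "|_smtp-open-relay: ..." or "| smtp-open-relay: ..."
        /^\|[_ ] *smtp-open-relay:/ {
            verdict = "REVIEW"            # any wording not shown on the page
            if ($0 ~ /Server is an open relay/) verdict = "OPEN"
            else if ($0 ~ /isn.t an open relay/) verdict = "NOT-OPEN"
            print host, port, verdict
        }
    '
}

# Constructed sample in the format of the two scans above (not real results).
sample_scan() {
    cat <<'EOF'
Nmap scan report for example.com (192.168.1.12)
Host is up (0.0052s latency).
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  open   smtp
|_smtp-open-relay: Server is an open relay (16/16 tests)
80/tcp  open   http

Nmap scan report for 192.168.1.20
Host is up (0.0040s latency).
PORT    STATE  SERVICE
25/tcp  open   smtp
|_smtp-open-relay: Server isn't an open relay, authentication needed
587/tcp open   smtp
|_smtp-open-relay: Server isn't an open relay, authentication needed
EOF
}

# Demo on the sample; for a real audit of your own range:
#   sudo nmap -p 25,465,587 --script smtp-open-relay 192.168.1.0/24 | relay_summary
sample_scan | relay_summary
```

Any host reported as OPEN or REVIEW should be followed up by reading the full nmap output for that host.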

Rock on,