nmap has a built-in script to check for an open relay. Check it out!
While there are many online tools to check for open relays, a local check is often needed on an internal network. For this, use nmap! nmap can also be used to quickly audit a range of hosts.
Example 1: open relay
Here is an example to check for an open relay on IP address 192.168.1.12, which is indeed an open relay:
```
$ sudo nmap --script smtp-open-relay 192.168.1.12

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-28 13:58 EDT
Nmap scan report for example.com (192.168.1.12)
Host is up (0.0052s latency).
Not shown: 996 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  open   smtp
|_smtp-open-relay: Server is an open relay (16/16 tests)
80/tcp  open   http
631/tcp closed ipp

Nmap done: 1 IP address (1 host up) scanned in 5.84 seconds
```
Example 2: No open relay
If the host is not an open relay, the results will look similar to:
```
$ sudo nmap --script smtp-open-relay scottlinux.com
[sudo] password for stmiller:

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-15 21:15 EDT
Nmap scan report for scottlinux.com (220.127.116.11)
Host is up (0.086s latency).
rDNS record for 18.104.22.168: li166-66.members.linode.com
Not shown: 996 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
|_smtp-open-relay: Server isn't an open relay, authentication needed
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 23.31 seconds
```
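When auditing a range of hosts, the relay verdict is buried in one report per host. The following helper is an added example, not part of the original post: it reduces nmap's normal output to one tab-separated line per SMTP port. The function names, the 192.168.1.0/24 range and the sample scan (including the second host) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Summarise smtp-open-relay verdicts from nmap normal output (stdout or -oN).
# Typical use (the range is an assumed example):
#   nmap -p 25 --script smtp-open-relay 192.168.1.0/24 | relay_summary

relay_summary() {
  awk '
    # New host section: remember the target, forget the previous port.
    /^Nmap scan report for / {
      host = $0; sub(/^Nmap scan report for /, "", host); port = ""; next
    }
    # Port table row such as "25/tcp open smtp"; script lines under it belong to it.
    /^[0-9]+\/(tcp|udp)[ \t]/ { port = $1; next }
    # Script result, for example "|_smtp-open-relay: Server is an open relay (16/16 tests)".
    /smtp-open-relay:/ {
      msg = $0; sub(/^.*smtp-open-relay:[ \t]*/, "", msg)
      verdict = (msg ~ /^Server is an open relay/) ? "OPEN-RELAY" : "ok"
      printf "%s\t%s\t%s\t%s\n", verdict, host, port, msg
    }
  '
}

# Print only the hosts that relayed.
open_relays() { relay_summary | awk -F '\t' '$1 == "OPEN-RELAY" { print $2 }'; }

# Constructed sample: two hosts, modelled on the two outputs shown above.
sample_scan() {
  cat <<'EOF'
Nmap scan report for example.com (192.168.1.12)
Host is up (0.0052s latency).
PORT    STATE  SERVICE
25/tcp  open   smtp
|_smtp-open-relay: Server is an open relay (16/16 tests)
Nmap scan report for mail2.example.com (192.168.1.13)
Host is up (0.0061s latency).
PORT    STATE  SERVICE
25/tcp  open   smtp
|_smtp-open-relay: Server isn't an open relay, authentication needed
Nmap done: 2 IP addresses (2 hosts up) scanned in 6.10 seconds
EOF
}

sample_scan | relay_summary
```

Piping a real scan into `open_relays` instead prints just the hosts that need their relay restrictions fixed.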