If you are responsible for a Microsoft Exchange Server that is connected to the internet then you need to know what an open relay is.
In short, an open relay is an email server that is configured to accept mail from any sender and deliver it to any recipient. This is an undesirable configuration because it can be exploited very easily by spammers and other malicious users.
A properly configured Exchange server will accept mail sent from outside senders to recipients that are “known” or “local” to that Exchange server. In Exchange Server 2007/2010 this is configured in the Accepted Domains settings for the organization.
In other words, it is normal and expected that senders outside the organization can send email to recipients inside the organization. That email should be accepted and delivered by the Exchange server (assuming the recipient actually exists).
This may be slightly different in the case of shared SMTP namespaces and External Relay domains, but for the sake of this article we’ll focus on this simple example.
In comparison, a server that is an open relay would allow a sender from outside of the organization to send (or “relay”) emails to recipients who are also outside of the organization.
Clearly this is bad because a malicious person could send spam, phishing emails or malware via your Exchange server.
The most obvious risk here is that your Exchange server is used by spammers to exploit others. Another concern is how much of your network and server resources this type of exploitation can consume.
But a more serious concern is that it can lead to other mail systems blocking mail that is sent from your server. This can happen in several ways, such as your server being listed on a blacklist such as Spamhaus, or other email systems performing an open relay test on your server and blocking it when it fails the test.
In their default configuration Exchange Server 2007/2010 are not open relays. However through operator error they could become an open relay. If you have any concerns about your Exchange server possibly being an open relay you can test it by going to Abuse.net and entering your Exchange server’s public IP address or DNS name (ie your MX record) and running the test.
I run this test multiple times on any Exchange server deployment that I’m involved in, or any time a change is made to internet-facing servers. If you’ve never run an open relay test on your own server this may be worth considering.