sventechie asked:

A security firm has been testing my mail server and claims my Postfix daemon is an open relay. The evidence is as follows (valid public IP for has been changed to for security):

Relay User: postmaster
Relay Domain:
Transaction Log:
EHLO elk_scan_137
250-PIPELINING
250-SIZE 20480000
250 DSN
MAIL FROM: postmaster@[]
250 2.1.0 Ok
RCPT TO: postmaster@[]
250 2.1.5 Ok

I’ve already blocked mail to root, but clearly I should not block postmaster. I feel that the ability to send mail from a server to itself does not make an open relay. But how can I safely block a spoofed sender?

[N.B. I’ve scanned myself using and they say it is secure and not an open relay]

My answer:

The fact that someone can send you mail addressed to your own mail server’s IP address has absolutely no bearing on whether the mail server is an open relay.

Open relays accept mail for any and all systems outside their administrative domain and forward them onward. This clearly is not what’s demonstrated here.

Ask the security firm to share whatever it is they’ve been smoking, since clearly it’s really good stuff.
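The distinction drawn in the answer above, as an added example that is not part of the original post: a small Python check that reads an SMTP transcript and reports only recipients the server accepted for destinations it is not itself responsible for. The transcripts are constructed; `192.0.2.10`, `mail.example.com`, `example.org` and `example.net` are placeholder values, and the transcript is assumed to come from an unauthenticated client outside the server's trusted networks.

```python
import re

# Constructed sample transcripts (not real scan output).
LOCAL_TRANSCRIPT = """\
EHLO elk_scan_137
250-PIPELINING
250-SIZE 20480000
250 DSN
MAIL FROM: postmaster@[192.0.2.10]
250 2.1.0 Ok
RCPT TO: postmaster@[192.0.2.10]
250 2.1.5 Ok
"""
RELAY_TRANSCRIPT = """\
EHLO probe
250 DSN
MAIL FROM: <a@example.org>
250 2.1.0 Ok
RCPT TO: <victim@example.net>
250 2.1.5 Ok
"""
DENIED_TRANSCRIPT = RELAY_TRANSCRIPT.replace(
    "250 2.1.5 Ok", "554 5.7.1 Relay access denied")

RCPT_RE = re.compile(r"^RCPT TO:\s*<?([^>\s]*)>?", re.I)

def recipient_domain(addr):
    """Domain part, lower-cased, address-literal brackets removed; None if absent."""
    _, at, domain = addr.rpartition("@")
    return domain.lower().strip("[]") if at else None

def accepted_foreign_recipients(transcript, local_domains, local_ips):
    """Recipients accepted with a 2xx reply whose domain is not served locally."""
    local = {d.lower() for d in local_domains} | set(local_ips)
    lines = [l.strip() for l in transcript.splitlines()]
    findings = []
    for i, line in enumerate(lines):
        m = RCPT_RE.match(line)
        if not m:
            continue
        # The reply is the next line that begins with a three-digit code.
        reply = next((l for l in lines[i + 1:] if re.match(r"\d{3}[ -]", l)), "")
        dom = recipient_domain(m.group(1))
        # A bare "postmaster" (no domain) is always local, so it never counts.
        if reply.startswith("2") and dom is not None and dom not in local:
            findings.append(m.group(1))
    return findings
```

An empty result for a transcript like the one in the question means the scan only showed the server accepting mail for itself, which is normal final delivery rather than relaying.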

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.