APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Misconfigured router causes open SMTP relay

Some material is very old and may be incorrect today

© December 2015 Anthony Lawrence


My customer was not happy. He had been shut down by his ISP for spamming - apparently his internal mail server was guilty of sending some tens of thousands of messages in a very short period of time.

My first suspicion in such cases is always an infected internal machine. However, the customer immediately said that the source was external - somebody was using his mail server as a relay. I therefore asked him to confirm that his relay settings were correct.

(Screenshot: Kerio Connect relay settings)

Those settings were correct, but perhaps someone had guessed passwords? I asked him if he had users with silly passwords like "mary123". He confessed that he did. I asked him to turn on "User Authentication" in the Debug Log.

Turn on extended debugging by right clicking in the Debug log and choosing "Messages" as shown here.

(Screenshot: Kerio Connect debug settings)

(Screenshot: Kerio Connect debug authentication settings)

After doing that, the Debug log would show external authentication that would appear like this:

[08/Mar/2012 15:03:33][31012] {auth} Basic: second step, user tony@aplawrence.com authenticated

However, no external authentication was seen. I therefore returned to my original thought of an infected internal machine, so I asked how he knew that these emails were originating from outside of his network.

"Well, I can see it in the Mail log, of course", he replied.

Indeed, the standard Mail log entry will show the sending host. For example, here's an entry from my Kerio mail server logs.

[10/Mar/2012 08:14:14] Recv: Queue-ID: 4f5b53a5-0000349a, Service: SMTP, From: <noreply@nw.nwsltechwebresources.com>, To: <tony@aplawrence.com>, Size: 36880, Sender-Host:

The mail server responsible for that message is at

I asked where the spammer was coming from, and was surprised when my customer said that he didn't know. I pressed harder and was told that all he was seeing in the logs was the internal IP address of the router. So, rather than showing an address like, the logs were showing the Sender-Host as (the internal IP of the router).

That won't work

I have seen misconfigured and broken routers configured to present an internal IP address instead of an external address before, but I was surprised to hear that from this particular customer as he's been running this mail server for some time. The answer turned out to be that he had just installed a new ZyXEL router the week before. It had taken the spammers only a few days to find that hole, but they certainly had found it!

I don't know whether the ZyXEL does that by default or if someone misconfigured it, but it causes all sorts of problems for a mail server. Blacklists can't work without knowing the source IP, and neither can limits based on IP addresses or DNS lookups.

(Screenshot: Kerio Connect IP based limits)

That would be bad enough, but it also means that by default, anything coming from outside would be seen as though it were coming from the local LAN. Clients connecting from the local LAN are always allowed to relay, so effectively the router configuration turned their mail server into an open relay!

Temporary Fix

(Screenshot: Kerio Connect IP group)

As a quick stopgap, I had him change the definition of his local LAN to exclude the router's internal IP. That at least closes the open relay hole, though he will still need to correct the router configuration so that it passes through the connecting host's public IP before IP and DNS based spam controls can work again.

It's probably not a bad idea to leave the "Local Clients" definition excluding the router permanently. In fact, where possible, that definition should also exclude other machines that shouldn't be sending mail. For example, a file and print server or a domain server are probably NOT used for composing mail, so why not exclude them too? Printer IPs might also be excluded (though some scanner/printers are configured to use a mail server). This may seem like overkill, but it will also help point out unexpected usage.
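As an added illustration (this is not Kerio's code and was not part of the original article), here is a small Python script that parses Mail log Recv: lines in the format quoted above, reports how many senders collapse onto the router's internal address, and models the "Local Clients" relay decision before and after excluding the router. The LAN network, router address, hosted domains and log lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Parser and relay model written for this article (not Kerio's code). The sample
# log lines are constructed in the Mail log "Recv:" format quoted above; the
# addresses, domains and Queue-IDs are made up.
RECV_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Recv: Queue-ID: (?P<qid>\S+), Service: \w+, "
    r"From: <(?P<frm>[^>]*)>, To: <(?P<to>[^>]*)>, Size: \d+, Sender-Host: (?P<host>\S+)$"
)
LOCAL_DOMAINS = {"example.com"}                  # assumption: domains this server hosts
LAN = [ipaddress.ip_network("192.168.1.0/24")]   # assumption: the "Local Clients" network
ROUTER = "192.168.1.1"                           # assumption: the router's internal address
SAMPLE_LOG = """\
[10/Mar/2012 08:14:14] Recv: Queue-ID: 0000-0001, Service: SMTP, From: <noreply@nw.example.net>, To: <tony@example.com>, Size: 36880, Sender-Host: 192.168.1.1
[10/Mar/2012 08:14:15] Recv: Queue-ID: 0000-0002, Service: SMTP, From: <bob@example.com>, To: <x@example.org>, Size: 1200, Sender-Host: 192.168.1.1
[10/Mar/2012 08:14:16] Recv: Queue-ID: 0000-0003, Service: SMTP, From: <alice@example.com>, To: <y@example.org>, Size: 900, Sender-Host: 192.168.1.25
"""

def parse_recv_lines(text):
    """One dict per Recv: line (ts, qid, frm, to, host); other lines are skipped."""
    return [m.groupdict() for m in map(RECV_RE.match, text.splitlines()) if m]

def is_local_client(host, local_nets, excluded):
    """Model of the 'Local Clients' IP group: inside an included network and
    not on the exclusion list (the stopgap puts the router on that list)."""
    ip = ipaddress.ip_address(host)
    return host not in excluded and any(ip in net for net in local_nets)

def is_relay(rec):
    """Delivery to a domain we do not host is relaying."""
    return rec["to"].rsplit("@", 1)[-1] not in LOCAL_DOMAINS

def audit(text, local_nets, excluded, router_ip):
    """Count how many senders collapse onto the router's address and list the
    Queue-IDs the server would relay because the sender looked local."""
    recs = parse_recv_lines(text)
    hosts = Counter(r["host"] for r in recs)
    relayed = [r["qid"] for r in recs
               if is_relay(r) and is_local_client(r["host"], local_nets, excluded)]
    return {"messages": len(recs), "from_router": hosts[router_ip],
            "relayed_as_local": relayed}

if __name__ == "__main__":
    print("before stopgap:", audit(SAMPLE_LOG, LAN, set(), ROUTER))
    print("after stopgap: ", audit(SAMPLE_LOG, LAN, {ROUTER}, ROUTER))
```

A high "from_router" count relative to "messages" is the symptom from the article; the second audit shows the spam from the router's address no longer qualifying as local, while the genuine LAN client still relays.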

1 comment

Inexpensive and informative Apple related e-books:

Take Control of OS X Server

Take Control of iCloud

Sierra: A Take Control Crash Course

Take Control of Upgrading to El Capitan

Are Your Bits Flipped?

More Articles by © Anthony Lawrence

Sat Mar 10 20:31:33 2012: 10726   NickBarron


Ah interesting!

Lovely little trick that of the ZyXEL, it's not default behaviour for the higher models that I have seen. (ZyXEL USG I think)

Strange little quirk. I will look to amend the definition of local though for some of our clients with internal mail servers.

Thanks Tony, good to see a few posts on here recently.
