Open Mail Relay Security Guidelines
This document contains the following sections:
- Applies to
- Purpose of the Guideline
- Definition / Clarification
- Guideline Statement
- User Responsibilities and Procedures
- Revision History
Early in the Internet's history, the network was far less stable and had fewer alternate routes between points than it does today. Because of this, mail relaying was a "service" that people provided which helped to ensure that e-mail was deliverable. When a specific node in a path to a particular site was down, a mail relay could "forward" the message to the target site and stop the mail from bouncing back to its originator. Over time, the Internet has become more stable in this regard, and open mail relays are no longer necessary. Further, since they allow spammers to send out their messages and hide their tracks to some extent, what once was a voluntary service is now a disservice.
Applies to
Groups or departments who maintain a mail server.
Purpose of the Guideline
The Carnegie Mellon Computing Policy establishes a general policy for the use of computing, telephone and information resources. The purpose of this guideline is to establish acceptable practices that support the policy as it applies to mail servers and open mail relays.
This guideline was established to ensure that the Carnegie Mellon community has a clear understanding of proper procedure and usage. Computing Services reserves the right to modify this guideline as necessary. Any changes to this guideline will be posted to official.computing-news and will be reflected on this web page.
Definition / Clarification
Spammers: The problem with relaying e-mail occurs when outside users seek out a machine which allows relay and abuse the relay by sending "spam." Spam can be defined as unsolicited e-mail such as solicitations or advertisements. By relaying mail, spammers can cut down on their e-mail load, make their messages less traceable, deflect attention from themselves, or work around restrictions. For example, it's difficult to determine the origination point of an outside user's message that has been relayed. The "from" line information is undependable, and relying on the IP address would cause problems for users who are running clients outside of Carnegie Mellon's network. In general, the relaying of spam has a negative impact on the university's network, mail server, and human resources, as well as the reputation of Carnegie Mellon.
Guideline Statement
If you are running a mail server, the SMTP (Simple Mail Transfer Protocol) agent should be turned off unless you absolutely need it. If you do need to provide this service, make sure that it is configured to NOT offer open relay.
User Responsibilities and Procedures
By default, IIS on Windows 2000 will install an SMTP (Simple Mail Transfer Protocol) agent which performs relaying. Unless you absolutely need the mail agent, you should turn it off by following the Microsoft Guidelines for Securing IIS. Note that IIS is NOT installed automatically by Windows 2000 or Windows XP. However, you can verify whether this service is installed by clicking Start > Run and typing SERVICES.MSC. Look for Internet Information Services (IIS).
Other operating systems, including most UNIX variants, allow the system administrator to enable SMTP services on the machine. Again, if you do not need to provide this service, do not enable it. If you do need to provide this service, make sure that it is configured to NOT offer open relay.
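The following Python check is an added example, not part of the original guideline. It connects to a mail server you administer, offers an envelope whose sender and recipient are both outside the server's domains, and reports whether the recipient is accepted; the `.example` addresses and the function names are assumptions introduced here.

```python
import smtplib

# Constructed placeholders (assumptions): substitute two addresses you control
# in domains this server is NOT responsible for.
EXT_SENDER = "relay-test@outside-a.example"
EXT_RCPT = "relay-test@outside-b.example"


def probe(session, sender=EXT_SENDER, recipient=EXT_RCPT):
    """Offer an outside-to-outside envelope on an open SMTP session.

    Returns "open" if the server accepts the recipient, "closed" if it
    refuses the sender or the recipient. DATA is never sent, so no
    message is queued or delivered.
    """
    session.ehlo_or_helo_if_needed()
    code, _ = session.mail(sender)
    if code != 250:
        return "closed"              # outside sender refused outright
    code, _ = session.rcpt(recipient)
    session.rset()                   # abandon the transaction
    # 250 = accepted, 251 = "user not local; will forward": both mean relay.
    return "open" if code in (250, 251) else "closed"


def relay_verdict(host, port=25, timeout=10):
    """Connect to host:port and return "open", "closed" or "no-service"."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as session:
            return probe(session)
    except OSError:
        # Connection refused, timed out or dropped; smtplib's own
        # exceptions are OSError subclasses as well.
        return "no-service"


if __name__ == "__main__":
    import sys
    print(relay_verdict(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

Run it from a host outside the networks the server trusts, since a server may legitimately relay for its own clients. Some servers accept the recipient and refuse later, so confirm an "open" result in the server's mail log.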
Revision History
Guideline Modified: November 3, 2005
Guideline Modified: June 8, 2004