Open Mail Relay Security Guidelines
This document contains the following sections:
- Applies to
- Purpose of the Guideline
- Definition / Clarification
- Guideline Statement
- User Responsibilities and Procedures
- Revision History
Early in the Internet's history, the network was far less stable and had fewer alternate routes between points than it does today. Because of this, mail relaying was a "service" that people provided to help ensure that e-mail was deliverable. When a specific node in the path to a particular site was down, a mail relay could "forward" the message to the target site and stop the mail from bouncing back to its originator. Over time, the Internet has become more stable in this regard, and open mail relays are no longer necessary. Further, since they allow spammers to send out their messages and hide their tracks to some extent, what was once a voluntary service is now a disservice.
Groups or departments who maintain a mail server.
The Carnegie Mellon University Computing Policy establishes a general policy for the use of computing, telephone and information resources. The purpose of this guideline is to establish acceptable practices that support the policy as it applies to mail servers and open mail relays.
This guideline was established to ensure that the Carnegie Mellon University community has a clear understanding of proper procedure and usage. Computing Services reserves the right to modify this guideline as necessary. Any changes to this guideline will be posted to official.computing-news and will be reflected on this web page.
Spammers: The problem with relaying e-mail occurs when outside users seek out a machine that allows relay and abuse the relay by sending "spam." Spam can be defined as unsolicited e-mail such as solicitations or advertisements. By relaying mail, spammers can cut down on their e-mail load, make their messages less traceable, deflect attention from themselves, or work around restrictions. For example, it's difficult to determine the origination point of an outside user's message that has been relayed. The "from" line information is undependable, and relying on the IP address would cause problems for users who are running clients outside of Carnegie Mellon University's network. In general, the relaying of spam has a negative impact on the university's network, mail server, and human resources, as well as the reputation of Carnegie Mellon University.
If you are running a mail server, the SMTP (Simple Mail Transfer Protocol) agent should be turned off unless absolutely necessary and with approval from the Information Security Office. If you do need to provide this service, make sure that it is configured to NOT offer open relay.
If not absolutely necessary, groups or departments should not enable a mail server. If groups or departments do need to provide a service which requires running a mail server, ensure that it is configured to NOT offer open relay and contact the Information Security Office to make us aware of the situation.
Updated 03/02/2021: Removed outdated information on Windows 2000 and Windows XP. Updated User Responsibilities and Procedures. Updated link to Microsoft Guidelines for Securing IIS.