Carnegie Mellon University

Open Mail Relay Security Guidelines

This document contains the following sections:


Early in the Internet's history, the network was far less stable, and had fewer alternate routes between points than it does today. Because of this, mail relaying was a "service" that people provided which helped to ensure that e-mail was deliverable. When a specific node in a path to a particular site was down, a mail relay could "forward" the message to the target site, and stop the mail from bouncing back to its originator. Over time, the Internet has become more stable in this regard, and open mail relays are no longer necessary. Further, since they allow spammers to send out their messages and hide their tracks to some extent, what once was a voluntary service, is now a disservice.

Applies to

Groups or departments who maintain a mail server.

Purpose of the Guideline

The Carnegie Mellon University Computing Policy establishes a general policy for the use of computing, telephone and information resources. The purpose of this guideline is to establish acceptable practices that support the policy as it applies to mail servers and open mail relays.

This guideline was established to ensure that the Carnegie Mellon University community has a clear understanding of proper procedure and usage. Computing Services reserves the right to modify this guideline as necessary. Any changes to this guideline will be reflected on this web page.


Open Mail Relays: Mail systems which allow unauthenticated e-mail messages to be sent from an off-campus sender to another off-campus sender using an on-campus machine as a relay point. This allows spammers to send out their spam messages, and to the uninitiated, it appears that the spam originated from the on-campus "relay" machine.

Spammers: The problem with relaying e-mail occurs when outside users seek out a machine which allows relay, and abuse the relay by sending "spam." Spam can be defined as unsolicited e-mail such as solicitations or advertisements. By relaying mail, spammers can cut down on their e-mail load, make their messages less traceable, deflect attention from themselves, or work around restrictions. For example, it's difficult to determine the origination point of an outside user message that has been relayed. The "from" line information is undependable; and relying on the IP address would cause problems for users who are running clients outside of Carnegie Mellon University's network. In general, the relaying of spam has a negative impact on the university's network, mail server, and human resources, as well as the reputation of Carnegie Mellon University.

Guideline Statement

If you are running a mail server, the SMTP (Simple Mail Transfer Protocol) agent should be turned off unless absolutely necessary and with approval from the Information Security Office. If you do need to provide this service, make sure that it is configured to NOT offer open relay.

User Responsibilities and Procedures

Groups or departments should consider if running a mail server is necessary. Many groups at Carnegie Mellon University including Computing Services, the Pittsburgh Supercomputing Center, the Software Engineering Institute, Computer Science, Electrical and Computer Engineering, and others, provide central mail servers. Most of these are provided for members of the specific school or department. Computing Services provides a campus wide mail server via your Andrew ID and Cyrus account. Because of this, it is unlikely that most users have a real need to run their own mail server.

If not absolutely necessary, groups or departments should not enable a mail server. If groups or departments do need to provide a service which requires running a mail server, ensure that it is configured to NOT offer open relay and contact the Information Security Office to make us aware of the situation.

Revision History

Status:  Date Description
Published:  06/08/2004  Initial document
Updated:  11/03/2005
Updated: 03/02/2021 Removed outdated information on Windows 2000 and Windows XP. Updated User Responsibilities and Procedures. Updated link to Microsoft Guidelines for Securing IIS.
Updated: 09/13/2023 Fixed link and made clerical edits