Anti-Relay Resources

A lot of the Unix systems on campus are still running versions of the sendmail software that allow anyone on the Internet to relay mail through those systems to anyone else on the Internet. An increasing number of "spammers" are exploiting such open mail relays to disguise the true source of the junk mail they send, causing performance problems for the systems, and leading to complaints sent to campus.

IST is working on a policy to require departmental administrators to close the open relays on their systems. Rather than wait for the policy, it's to your advantage to upgrade your mail systems anyway, before the spammers find and exploit them. Here are some links to information about the email relay problem on campus, and resources for closing open relays on your Unix systems.

• WWW.Sendmail.org distributes Berkeley sendmail. The latest versions disable relaying by default. Their web page also has links to other sendmail-related resources. See: http://www.sendmail.org/
• Claus Assman maintains web pages with lots of useful information on configuring sendmail, including several different methods of blocking third-party relays. See:
  • http://www.informatik.uni-kiel.de/%7Eca/email/misc.html
  • http://www.informatik.uni-kiel.de/%7Eca/email/english.html
• If you really have to support roving users sending email from outside ISP's, try "POP before SMTP" to authenticate your users before allowing them to relay. This will take some work to configure on your server, and may require a modified version of the POP daemon. See:
  • http://www.iecc.com/pop-before-smtp.html
  • http://spam.abuse.net/tools/smPbS.html
  • http://www.cynic.net/~cjs/computer/sendmail/poprelay.html.
• Other programs besides sendmail are available. One of the most popular for Unix systems is qmail. See http://www.qmail.org/.
• The Winter 1999 issue of Berkeley Computing and Communications contains an article on mailhost.Berkeley.EDU and why its relay service is going away. See http://istpub.berkeley.edu:4201/bcc/Winter99/
• You can test your mail server to see if it's running an open relay by using http://www.abuse.net/relay.html

• You may not need to run a sendmail daemon at all. If you don't normally receive mail on your Unix workstation, you can disable the daemon, and redirect incoming mail to a different server:
  • Configure (or ask the administrators to configure) the server to accept mail addressed to your workstation.
  • Contact hostmaster@nic.berkeley.edu or your departmental hostmaster to set up an MX record for your workstation pointing to the mail server.
  • Set up a cron job to process the outgoing mail queue periodically; at 15-minute intervals, for example.
  • You may need to reconfigure some mail programs (such as pine) to use your mail server instead of "localhost".

Contact nsweb@berkeley.edu for more information.