Sendmail Service and Open Mail Relays

If you run any type of server, UNIX or Windows, you might be running an open email relay that can be abused by unscrupulous individual to send unsolicited email.

An open mail relay is an email sending server program that is configured in such a way that it will allow people off-campus to send mail through it to other people who are also off-campus. In general, mail sending servers should only accept email destined to or received from their local machines.

Sendmail is the most popular UNIX mail transport agent. It's not the program you use to read your mail, but rather the program that ultimately sends and receives the mail. In fact, sendmail is two programs. As a server daemon, it receives mail (and can also resend the mail it receives); but invoked as a normal program, it just sends mail that you composed. Its usage as a daemon is problematic if not configured properly, but just using it to send mail from pine or elm or mail is OK.

Why is an open relay a problem?

Open mail relays are one of the prime ways that "spammers" (people who send out large quantities of junk email to people who have not requested it) use to send their email. An open relay makes it possible for them to send large quantities of email that is either difficult or impossible to trace. Obviously, people both on- and off-campus do not like to receive this spam email, which often advertises some form of unsavory Web site or tries to involve the recipient in some type of scam.

Why do we care?

UIC is committed to being a "good network neighbor". As such, no network-connected machines on the UIC campus should be enabled to allow open relay. Obviously, anything that the UIC community can do to make the network a "better place to live" should be done. Open relays on machines on the UIC campus have already generated many complaints from outside the university and are giving UIC a bad reputation. Furthermore, there are machines on the Internet that will refuse all mail sent from an open relay, whether the mail is legitimate or not.

Many multi-user operating systems (usually UNIX variants, but also, say, Windows 2000) come with a mail program (usually sendmail) installed and set up to run by default. Even though you may not have started sendmail yourself, it is started automatically every time you boot your machine. Although the newest versions of sendmail (8.9.3 and above) come with relaying denied by default, older versions defaulted to allow relaying. Even though you may have just installed your operating system with the newest version from the vendor does not mean that you have a version of sendmail that is "clean". Vendors are typically far behind in the versions of sendmail that they release with their operating systems.

There are two ways to close an open relay:

1. The hard way: If you're running UNIX, upgrade sendmail to 8.9.3 or later.
2. The easy way: Don't run sendmail as a server. You don't need it in order to send mail. And depending on your configuration, you might also not need it to receive mail.

Whichever path you take to eliminate the problem, please note that you as the owner/maintainer of the machine are responsible for its upkeep. If you do not know how to maintain the machine, you should either learn or find someone who does. Multi-user machines (as UNIX systems are) are powerful tools, but they can be dangerous tools if they are not maintained properly.

If you have a specific question regarding following the steps below, you can email ACCC at systems@uic.edu and we will attempt to help you if we are able. We do not however, have the resources available to go to individual departments to help them resolve these issues.

If you have been notified by ACCC that you have an open relay on a machine under your control, you must to eliminate the problem within a three week period. Failure to close an open relay within this three week period will result in your machine being isolated from the network.

If you decide that you have to have sendmail running as a server, you should upgrade to sendmail version 8.9.3 or later. Remember that you don't need to run sendmail as a server to send mail. And if you use something like fetchmail, you don't even need sendmail as a server to receive mail.

Newer versions of sendmail, beginning with sendmail 8.9.3, deny relaying by default. The current version of sendmail is (as of 4/28/2000) 8.10.1.

If you are running a Redhat Linux system and prefer to use rpms, you can download the binaries, config files, and documentation.

Otherwise, you need to go to http://www.sendmail.org, download the appropriate sendmail source, recompile the program and install it by following the instructions at the Web site and in the files that come with the distribution.

You probably do not need to run sendmail as a server on your machine, even if you normally use your machine to read and send email. ACCC provides central email support of the form of netid@uic.edu along with email accounts on ACCC email service machines for people to retrieve their mail. All members of the UIC community, faculty, staff, students, and departments, are encouraged to use the ACCC email service.

Are you running sendmail as a server so that you can receive your @uic.edu email on your machine and read it locally? You don't need to run sendmail as a server to do this. Instead, consider forwarding your uic.edu email to your ACCC email account (on icarus, mailserv, or tigger) and using fetchmail to download that email from your ACCC email account to your local machine. fetchmail uses POP or IMAP to download your email to your machine and then sendmail is used as a local command to deliver it to your local account. (If you don't have an ACCC email account yet, you can open one on the Web at the ACCC Computer Account Creation Web page.)

If you use fetchmail to download email from your ACCC email account with sendmail to deliver it locally, you do not require a sendmail server on your local machine, and therefore you will never run any open relay.

The steps required to disable the automatic running of sendmail upon startup is different for different types of machines. To assist in you in disabling sendmail, we have included the required steps for a number of types of machines below. Please note that although the steps outlined below will usually work, it is possible that your system may be configured differently and the file names/locations may be slightly different.

When booted, the Solaris and Redhat Linux operating systems start programs based on scripts (or links to scripts) contained inside run-level directories. The names of the scripts in these directories start with either an "S" (indicating that a service should be started at this run level) or a "K" (which indicates that a service should be killed at this run level).

The easiest (and safest) way to disable a service on Solaris and Redhat Linux is to rename the script, or in Redhat Linux's case, scripts, that would normally start the service.

The Solaris and Redhat Linux sendmail startup script(s) are at the following locations:

Solaris:

/etc/rc2.d/S88sendmail

Linux:

/etc/rc.d/rc2.d/S80sendmail
/etc/rc.d/rc3.d/S80sendmail
/etc/rc.d/rc4.d/S80sendmail
/etc/rc.d/rc5.d/S80sendmail

Thus, to disable the service on Solaris, you would type:

mv  /etc/rc2.d/S88sendmail  /etc/rc2.d/disable.S88sendmail

This command renames the script so that its name no longer begins with a capital "S"; thus so the script will not be executed at startup.

Note that, on Linux, the sendmail startup script appears in multiple directories. It must be renamed in all directories to disable the service.

After renaming these files, restart your system, then enter:

Ps -eaf | grep sendmail

to search for sendmail processes and to verify that the sendmail process does not exist.

In HP-UX, services are either enabled or disabled based on scripts that are located in the /etc/rc.config.d directory. These scripts set environment variables that tell the O/S which services should be started during system startup.

For sendmail, the script that is of concern in HP-UX is:

/etc/rc.config.d/mailservs

To disable the sendmail service, you need to edit this file and change the line that says

export SENDMAIL_SERVER=1

to

export SENDMAIL_SERVER=0

Save the file, then restart your system and the sendmail service should be gone.

After making this change to the mailservs file, restart your system, then enter:

Ps -eaf | grep sendmail

to search for sendmail processes and to verify that the sendmail process does not exist.

AIX services are started via scripts that are usually named like:

/etc/rc.*

The most common script for sendmail to be started is in

/etc/rc.local

though it is possible for it to be in one of the other startup scripts.

To disable the sendmail service, locate the line in the rc.local file (or whichever other script that sendmail is started in on your machine) that refers to the sendmail program and comment it out by adding a # character as the first character of that line.

After making this change, restart your system, then enter:

Ps -eaf | grep sendmail

to search for sendmail processes and to verify that the sendmail process does not exist.  

ACCC does not have any SGI machines in house. If you have a SGI machine and would like to contribute the correct information for IRIX, please send email to systems@uic.edu.

If you are running Windows 2000, see Microsoft Security Bulletin MS01-037.