Relaying Denied

Note: users experiencing "Relaying Denied" errors should update their SMTP server (outgoing mail server) settings to use the University's authenticated SMTP server. This server will not generate these kinds of errors. See here for the server information.

Problem:

I'm off campus and I keep getting the error "Relaying Denied" when sending mail. What's going on?

Solution:

You will receive this error message when all three of the following are true:

  1. You are off-campus using an external Internet Service Provider (ISP)
  2. Your email program's SMTP server (sometimes called the outgoing mail server) is smtp.uchicago.edu
  3. You are trying to send email messages to addresses outside the uchicago.edu domain

The conditions listed above match the behavior of a spammer, so NSIT email servers restrict their services to users whose affiliation with the University has been established. There are two reliable methods for avoiding these problems:

  1. Use the University's dial-up service instead of an outside ISP
  2. Contact your ISP for information about their SMTP server, and use that instead of the University's

Explanation

Relaying is the process that sends mail from anyone to anywhere; it's what allows Internet mail to work. An SMTP (Simple Mail Transfer Protocol) server accepts mail for a recipient and then passes it on (or "relays" it) to the proper destination. "Open relaying" is when an SMTP server accepts mail not intended for a local recipient from any source and forwards it to an outside server. By default, SMTP servers make no attempt to verify the sender's identity or location. In the days before commerce took over the Internet, it was assumed that email would be used by sites and users for legitimate communication. Now open relay is exploited by spammers.

"Spam" is unsolicited commercial email; the most typical are sales solicitations, chain letters, and scams. It's the electronic equivalent of junk mail that arrives with postage due and with no way to refuse delivery or payment. Spammers use the relaying facility of SMTP servers to mask the spam's origin by relaying it through third party servers that allow open relay. This makes the spam appear to come from the site that relays the mail and conceals the spammer's identity as the real sender. This has made relaying a liability for many sites.

User groups have formed to create ways to counter spam. One of the more popular methods is blacklisting. "Blacklisting" blocks delivery of ALL mail from sites that allow open relaying. This is done by using "real time black hole" (RTBH) databases that list sites known to deliver spam, whether they meant to or not. Sites that want to eliminate spam can set their mail servers to query these databases to determine if the source site is a "known spam site", and reject any mail from servers on the list. One of the primary criteria for being listed in RTBH is having an open relay – it doesn't matter if any spam is actually being sent through your open relay. RTBH databases will blacklist you because spammers could send spam through your server.

As more and more sites began to invoke RTBH databases, NSIT found more and more of our legitimate email being rejected by various organizations because our servers were listed in these databases as being an open relay. As a result, we have closed our relay. This has the effect of blocking all email being sent to non-uchicago.edu addresses from machines outside the uchicago.edu domain -- that is, if you try to send email to someone not affiliated with the University, from a machine which is not either on campus or dialed into the University modem pool, your message will be rejected (and you'll get a "Relaying Denied" error message).

Since many members of the University configured a way for those people to authenticate themselves to our mail server and use it to send email even from outside. Whenever you check mail from an outside ISP, the mail server takes note of that and authenticates your machine for sending mail for the next 30 minutes. This will only work if you are checking mail for an NSIT account; if you are checking mail on a GSB, BSD, or other departmental server, you will not be authenticated on the SMTP server for outgoing mail.
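The relay decision described above can be modeled in a few lines. This is an added example, not NSIT's server configuration: the class and function names, the result strings, the campus address range (a documentation network), and the treatment of subdomains as local are all assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

LOCAL_DOMAIN = "uchicago.edu"                          # from the page
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed stand-in for campus/modem-pool ranges
AUTH_WINDOW = timedelta(minutes=30)                    # from the page


class RelayPolicy:
    """Closed relay with a 30-minute 'checked mail first' exception (hypothetical model)."""

    def __init__(self):
        self._last_check = {}  # client IP -> time of last successful mail check

    def record_mail_check(self, client_ip, account_type, when):
        # Only a mail check against an NSIT account authorizes the client;
        # checks on departmental servers (GSB, BSD, ...) do not.
        if account_type == "NSIT":
            self._last_check[client_ip] = when

    def decide(self, client_ip, rcpt, now):
        domain = rcpt.rsplit("@", 1)[-1].lower()
        # Assumption: subdomains of uchicago.edu count as local recipients.
        if domain == LOCAL_DOMAIN or domain.endswith("." + LOCAL_DOMAIN):
            return "accept: local recipient"
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in CAMPUS_NETS):
            return "accept: on-campus client"
        seen = self._last_check.get(client_ip)
        if seen is not None and timedelta(0) <= now - seen <= AUTH_WINDOW:
            return "accept: recent mail check"
        # All three conditions from the list above hold: off campus,
        # using this server, and sending to an outside address.
        return "reject: Relaying Denied"


if __name__ == "__main__":
    policy = RelayPolicy()
    t0 = datetime(2006, 10, 3, 12, 0)   # constructed timestamps and addresses
    off_campus = "198.51.100.7"
    print(policy.decide(off_campus, "friend@example.org", t0))
    policy.record_mail_check(off_campus, "NSIT", t0)
    print(policy.decide(off_campus, "friend@example.org", t0 + timedelta(minutes=10)))
    print(policy.decide(off_campus, "friend@example.org", t0 + timedelta(minutes=31)))
```

Because the exception is keyed on the client's IP address, every machine sharing that address (for example behind one NAT gateway) is authorized for the same 30 minutes.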

Last updated: 10/03/06