Hardening Sendmail

Mick examines sendmail's security controversies and builds an SMTP gateway for handling internet mail.

Ah, sendmail. You either love it for being so versatile and ubiquitous, or you hate it for being bloated, complicated and insecure. Or perhaps you're a complete newcomer to the e-mail server game and would like to give sendmail a try (after all, sendmail is arguably the most popular open-source software package on the Internet).

Well, contrary to popular belief, sendmail isn't a total loss where security is concerned, nor does it require learning the arcane syntax of sendmail.cf (although hardcore sendmail gurus do indeed master it). This month we examine these and other sendmail security controversies, using sendmail's handy m4 macros to rapidly build a secure but functional Simple Mail Transport Protocol (SMTP) gateway to handle internet mail.

Why (or Why Not) Use Sendmail?

Sendmail is one of the most venerable internet software packages still in widespread use. It first appeared in 4.1c BSD UNIX (April 1983), and to this day it has remained the most relied-upon application of its kind. Among message transfer agents (MTAs), sendmail is the great workhorse of the Internet, transferring e-mail between networks dependably and (to end users) transparently. But sendmail has both advantages and disadvantages.

On the good side, sendmail has a huge user community, with the result that it's easy to find both free and commercial support for it, not to mention a wealth of electronic and print publications. It's also stable and predictable, due to its maturity.

On the negative side, sendmail has acquired a certain amount of cruft (old code) over its long history, with the result that it has a reputation of being insecure and bloated. Both charges are open to debate, however. It's true that it has had a number of significant vulnerabilities over the years. However, these have been brought to light and fixed rapidly.

As for the “bloatware” charge, it's true that sendmail has a much larger code base than other MTAs such as qmail and Postfix, and a larger RAM footprint too. This probably has at least as much to do with the fact that sendmail is monolithic (one executable provides most of sendmail's functionality) as it does with cruft. Indeed, sendmail's code has been scrutinized so closely by so many programmers over the years that it's a little hard to believe that too much cruft (i.e., code that is strictly historical and obsolete) has survived intact over the past 20 years.

It's much more useful to observe that being monolithic, sendmail must run as root if any portion of its required functionality does, i.e., writing mail to multiple users' home directories. For this reason, sendmail can run only as an unprivileged user on systems on which it's to act solely as an e-mail relay or gateway.

Sendmail also is criticized for its complexity. The syntax of its configuration file, sendmail.cf, is non-instinctive to say the least—in my opinion, its difficulty ranks somewhere between C programming and regular expressions. As with these, this is because of how powerful sendmail is (though many of us do wish sendmail used C, regular expressions or some other standard configuration language in sendmail.cf rather than its own equally complex but much more proprietary syntax). Nowadays, though, this point is largely moot. Recent versions of sendmail can be configured via m4 macros, which provide a much less user-hostile experience than editing sendmail.cf directly.

Mick's Disclaimer

Regardless of one's opinions on sendmail, it's unquestionably a powerful and well-supported piece of software. If sendmail's benefits are more compelling to you than the negatives, you're in good company. But you'll be in even better company if you learn to run sendmail securely.

Sendmail Architecture

As mentioned earlier, sendmail is monolithic in that it does all its real work with one executable, sendmail. Sendmail has two modes of operation: it can be invoked as needed, in which case it will process any queued mail and then quit; or it can be run as a persistent background dæmon.

Dæmon mode is required only when sendmail's role is to receive mail from external hosts; if all you use sendmail for is sending mail, you shouldn't run sendmail as a dæmon, and in fact you can probably stop reading now, because sendmail really doesn't need any customization to do this unless you wish to run it chroot-ed.

The way sendmail works, then, depends on how it's being run. If it's running as a dæmon (i.e., with the -bd flag), it listens for incoming SMTP connections on TCP port 25 and periodically tries to send any outbound messages in its queue directory /var/spool/mqueue. If it's being invoked on the fly, it attempts to deliver the outbound message it's been invoked to send and/or checks /var/spool/mqueue for other pending outbound messages.



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

change /var/spool/mail

Luis Cuenca's picture

I need help abuot the configuration of the sendmail
what is the configuration to change the MAIL_DIR /var/spool/mail to other direcction?

sendmail Doubt

Dominic's picture

Hai,will sendmail work as SMTP server with out any authentication for
users those who are sitting remotely.i don't want put it as open rely.but only the @abc.com domain user can relay mail from both local and remote locations with out any authentication.Is it possible ?


Re: Paranoid Penguin: Hardening Sendmail

viking's picture

does sendmail support maildir.. using IMAP using old bsd format email load cpu usage high/.. i am using Postfix and Courier IMAP..

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Yes it does. It probably supports anything, you just have to tell Sendmail which filter it uses to make local deliveries. Especifically for maildirs you can use the maildrop delivery filter. Use Google to find out more about "maildrop".

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

This article is useless... What a waste of my time....

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Then don't read it... moron.

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Not to me, it really did help me

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Not useless in the least... you saved my newbie butt! I'm a complete newb with linux, but my company needed a simple mailserver (aside from our usual Novell boxes) to relay certain types of email (coming from specific servers) out the door. Linux and sendmail seemed to be the smart choice.

Your article helped me more than I can say. I've printing out and read pieces and parts of instructions from all overon how to deal with sendmail... and none of them explained it clearly enough (or in detail enough for a beginner) to get me started. Now that I understand the basics, I have plenty of experimenting I can do. Eventually I see us using a linux machine as a firewall for incoming email too.

I'm now in love with linux, and it's not in small part due to your article.

Thanks a ton,


Configuring Sendmail

Anonymous's picture

Check out Install-Sendmail which'll configure Sendmail. It's horribly easy to run and I'm going to look at some of the advice here for future improvements..

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

I wonder if it's a joke mistakingly posted two weeks in advance or if Bauer placed the wrong posting date by mistake. I am not kidding.


Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

> Here is a simple access file:

> localhost.localdomain RELAY

> localhost RELAY


You shouldn't use the entries above in your access db. They're useless as sendmail will work without it. On the other hand, most RBLs (e.g. ORDB) will detect your machine as open mail-relay and put it in their blackhole database. All entries above should be set to REJECT.


A. Danzer

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

This will only open your machine for relaying from localhost, although the top 2 lines are useless and can be exploited with some dns poisoning.

You shouldn't reject mail from should you? Sounds stupid to me.


Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Setting these lines in the access.db doesn't block people from using the server to send junk to users on the local machine.

I'm looking for a solution to that problem if anyone is up for the chalange...

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

I have these lines in my sendmail access db; they've been there for years. I'm running the latest RedHat OEM'ed sendmail right now.

ORDB has just tested me for open relays and found nada, so there must be more to the problem than you think.

PS - my domain does both ingress and egress filtering, and those names are in the local DNS as well, so that may be why it works for me.

--The Rev

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Good overview article.

> ... sendmail must run as root if any portion of

> its required functionality does, i.e., writing

> mail to multiple users' home directories.

This isn't necessary. You can run sendmail as an ordinary user account and use group "mail" as the means to do the writing into /var/mail or other mail files.

The sendmail maintainers appear to have made a lot of progress in making sendmail's security more robust over the last several years.

Part of the reason its still so big as a whole is it can probably do more mail delivery tricks (processing, delivery means (TCP/IP, uucp, etc.), etc.) than other MTAs.

The default behavior since Sendmail 8.8 or so (as I recall) is to not relay mail.

If security is a real concern, you probably want an SMTP proxy host in front of your mail server. smtpd is a good solution. It acts as a store and forward mail gateway which strictly enforces the SMTP mail rules. You can also use tcp wrappers, and the MAPS Realtime Blackhole List with smtpd.

A well configured mail proxy on a secured system (OpenBSD or one of the security oriented linux distros make a great choice) talking to a mail host with a user mode chrooted sendmail for delivery will wear out most crackers before they compromise your mail server.

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Is there a free rbl site that has opened up in the wake of rbl requiring a contract with them (even for so-called free for individuals)?


Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Sendmail does sanity checks on its environment at start up. A group writeable directory is considered to be a security issue, so sendmail will not start.