Hardening Sendmail

Mick examines sendmail's security controversies and builds an SMTP gateway for handling internet mail.
The Task at Hand

Before we go any further, I should make clear what we're about to build. I've chosen the SMTP gateway scenario because it's such a common role for sendmail and because it's so dependent on good security (in most organizations, publicly accessible mail servers face scarier if not more numerous threats than internal mail servers do).

An SMTP gateway typically needs meticulous attention to privilege levels, file permissions and in general, only as much enabled functionality as is needed to route mail. On such a host, sendmail should run as an unprivileged user where possible; it should run chroot-ed (in a subset of /) at least when writing files, and it should be configured to relay mail only for your organization, not for spammers.

It takes very little tweaking to harden sendmail on Red Hat 7 for SMTP gateway use and only a little more on SuSE and other distributions.

Obtaining and Installing Sendmail

I can state with absolute certainty that your Linux distribution of choice includes one or more packages for sendmail. Whether it's presently installed on your system and whether it's an appropriate version for you to use, however, is another matter.

If you use an RPM-based distribution (Red Hat, Mandrake, SuSE, etc.), you can see whether you've got sendmail installed and which version by issuing the command rpm -qv sendmail. Note that Red Hat and its derivatives split sendmail into three packages: sendmail, sendmail-cf and sendmail-doc. SuSE uses a single package, sendmail.

So, what version should you run? As of this writing, the latest version of sendmail is 8.12.2. Red Hat 7 and SuSE 7, however, still support variants of sendmail version 8.11. As far as I can tell, there's nothing wrong with sticking with your distribution's supported sendmail package if it's version 8.11.0 or higher. There were no major security problems in the 8.10 or 8.11 releases; 8.11, in fact, was a “features” release: rather than being released to patch security holes, it was released because the sendmail team had added support for TLS encryption and for the SMTP AUTH extension to SMTP.

If you've got the time and/or inclination, though, it's never a bad idea to compile and install the latest stable version. For sanity's sake, I'll assume for the remainder of this article that you're using sendmail 8.10.0 or higher (unless otherwise noted).

Note to Debian Users

Debian GNU/Linux v2.2 (Potato) still supports sendmail v.8.9.3. Although this is a stable and apparently secure release, it's now two major versions old (if one considers the second numeral to represent a major version, which I do because the first numeral has been eight for half a decade). In addition, 8.9.3 doesn't support TLS or SMTP AUTH.

If you want TLS or SMTP AUTH, or are uncomfortable running an older version, you always can uninstall the package, download the latest source code tarball from www.sendmail.org and compile and install sendmail from source. The source code tarball is well documented and compiles easily under Linux, assuming you've got a working gcc installation.

Once you've installed sendmail, either in the form of a binary package from your distribution or from a source code tarball you've compiled yourself, you've still got a couple of tasks left before you can configure and run the sendmail executable as a dæmon.

SuSE Sendmail Preparation

If you're a SuSE user, become root if you aren't already. Next, open /etc/rc.config with your text editor of choice and set the variable SMTP to “yes”. This is necessary for sendmail's startup script in /etc/init.d to run at boot time.

In addition, you need to edit the file /etc/rc.config.d/sendmail.rc.config so that the variable SENDMAIL_TYPE is set to “no”. Doing so essentially will disable SuSEconfig's use of /etc/rc.config.d/sendmail.rc.config, which in other circumstances can be set up to generate a simple sendmail configuration automatically. We're going to set up an SMTP gateway/relay, which is a bit beyond the scope of sendmail.rc.config. But if your host is to act only as a simple SMTP server for its own local users, it will probably suffice to edit this file (having first set its SENDMAIL_TYPE variable to “yes”); if so, you'll find sendmail.rc.config's full documentation in /etc/mail/README.

After editing rc.config and sendmail.rc.config, run SuSEconfig. This will propagate the changes you just made to rc.config and sendmail.rc.config. To start the dæmon you can enter the command /etc/init.d/sendmail start, but I recommend you wait until sendmail is fully configured before you do so.



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

change /var/spool/mail

Luis Cuenca's picture

I need help abuot the configuration of the sendmail
what is the configuration to change the MAIL_DIR /var/spool/mail to other direcction?

sendmail Doubt

Dominic's picture

Hai,will sendmail work as SMTP server with out any authentication for
users those who are sitting remotely.i don't want put it as open rely.but only the @abc.com domain user can relay mail from both local and remote locations with out any authentication.Is it possible ?


Re: Paranoid Penguin: Hardening Sendmail

viking's picture

does sendmail support maildir.. using IMAP using old bsd format email load cpu usage high/.. i am using Postfix and Courier IMAP..

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Yes it does. It probably supports anything, you just have to tell Sendmail which filter it uses to make local deliveries. Especifically for maildirs you can use the maildrop delivery filter. Use Google to find out more about "maildrop".

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

This article is useless... What a waste of my time....

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Then don't read it... moron.

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Not to me, it really did help me

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Not useless in the least... you saved my newbie butt! I'm a complete newb with linux, but my company needed a simple mailserver (aside from our usual Novell boxes) to relay certain types of email (coming from specific servers) out the door. Linux and sendmail seemed to be the smart choice.

Your article helped me more than I can say. I've printing out and read pieces and parts of instructions from all overon how to deal with sendmail... and none of them explained it clearly enough (or in detail enough for a beginner) to get me started. Now that I understand the basics, I have plenty of experimenting I can do. Eventually I see us using a linux machine as a firewall for incoming email too.

I'm now in love with linux, and it's not in small part due to your article.

Thanks a ton,


Configuring Sendmail

Anonymous's picture

Check out Install-Sendmail which'll configure Sendmail. It's horribly easy to run and I'm going to look at some of the advice here for future improvements..

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

I wonder if it's a joke mistakingly posted two weeks in advance or if Bauer placed the wrong posting date by mistake. I am not kidding.


Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

> Here is a simple access file:

> localhost.localdomain RELAY

> localhost RELAY


You shouldn't use the entries above in your access db. They're useless as sendmail will work without it. On the other hand, most RBLs (e.g. ORDB) will detect your machine as open mail-relay and put it in their blackhole database. All entries above should be set to REJECT.


A. Danzer

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

This will only open your machine for relaying from localhost, although the top 2 lines are useless and can be exploited with some dns poisoning.

You shouldn't reject mail from should you? Sounds stupid to me.


Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Setting these lines in the access.db doesn't block people from using the server to send junk to users on the local machine.

I'm looking for a solution to that problem if anyone is up for the chalange...

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

I have these lines in my sendmail access db; they've been there for years. I'm running the latest RedHat OEM'ed sendmail right now.

ORDB has just tested me for open relays and found nada, so there must be more to the problem than you think.

PS - my domain does both ingress and egress filtering, and those names are in the local DNS as well, so that may be why it works for me.

--The Rev

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Good overview article.

> ... sendmail must run as root if any portion of

> its required functionality does, i.e., writing

> mail to multiple users' home directories.

This isn't necessary. You can run sendmail as an ordinary user account and use group "mail" as the means to do the writing into /var/mail or other mail files.

The sendmail maintainers appear to have made a lot of progress in making sendmail's security more robust over the last several years.

Part of the reason its still so big as a whole is it can probably do more mail delivery tricks (processing, delivery means (TCP/IP, uucp, etc.), etc.) than other MTAs.

The default behavior since Sendmail 8.8 or so (as I recall) is to not relay mail.

If security is a real concern, you probably want an SMTP proxy host in front of your mail server. smtpd is a good solution. It acts as a store and forward mail gateway which strictly enforces the SMTP mail rules. You can also use tcp wrappers, and the MAPS Realtime Blackhole List with smtpd.

A well configured mail proxy on a secured system (OpenBSD or one of the security oriented linux distros make a great choice) talking to a mail host with a user mode chrooted sendmail for delivery will wear out most crackers before they compromise your mail server.

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Is there a free rbl site that has opened up in the wake of rbl requiring a contract with them (even for so-called free for individuals)?


Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Sendmail does sanity checks on its environment at start up. A group writeable directory is considered to be a security issue, so sendmail will not start.