Sendmail was for years one of the most common ways for a cracker to obtain root access to a host system.
Sendmail now offers many configuration options that help you secure your e-mail environment.
Some of the things you can do to improve security on your system include:
Tightening up the privacy options
Checking the postmaster and abuse mail boxes for messages
Checking your file permissions
Checking your "Maximum" options (MaxMessageSize, MaxRecipientsPerMessage, MaxDaemonChildren and the other resource limits)
Checking your timeout settings
Using smrsh to restrict which programs end users are allowed to run
Setting up and using the anti-spam (unsolicited commercial e-mail) features
Properly configuring relaying
Using Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL)
Using SMTP Authentication
Using the access database (access.db) for access control
Disabling the "finger" service on your server
Sendmail is very particular about the modes of files that it reads or writes. For example, by default it will refuse to read most files that are group writable on the grounds that they might have been tampered with by someone other than the owner; it will even refuse to read files in group writable directories. Also, Sendmail will refuse to create a new aliases database in an unsafe directory. You can get around this by manually creating the database file as a trusted user ahead of time and then rebuilding the aliases database with newaliases.
If you want Sendmail to report the permission checks it performs on database files, class files, and alias files, run the following command (-bv verifies an address without delivering anything, and debug level 44.4 prints each file safety check as it happens):
sendmail -v -d44.4 -bv postmaster
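The following shell script is an example added here; it is not part of the original tutorial and not Sendmail's own code. It applies Sendmail's rule by hand: every component on the way to a file is checked, and any directory or file writable by group or world is reported as unsafe, as is a symbolic link sitting in a writable directory. The MAIL_FILES list assumes the usual /etc/mail and /var/spool/mqueue layout; adjust it for your host. Setting TRUST_STICKY_BIT=1 mirrors the TrustStickyBit relaxation described later on this page; by default a sticky directory such as /tmp is still reported, which is also Sendmail's default view.

```shell
#!/bin/sh
# Added example, not from the tutorial or Sendmail: check the paths Sendmail reads
# and writes the way Sendmail itself does, flagging any component that is writable
# by anyone other than the owner (group or world). Assumes ls(1) prints the usual
# ten-character mode string and that the files live under /etc/mail and
# /var/spool/mqueue; change MAIL_FILES to match your host.

MAIL_FILES="/etc/mail/sendmail.cf /etc/mail/aliases /etc/mail/aliases.db
            /etc/mail/access.db /etc/mail/local-host-names /var/spool/mqueue"

# mode_bits PATH -> the ten-character mode string, e.g. drwxr-xr-x (empty if missing)
mode_bits() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# writable_by_others PATH -> exit 0 if group or world may write to PATH.
# With TRUST_STICKY_BIT=1 a sticky directory counts as safe, mirroring
# DontBlameSendmail=TrustStickyBit; by default it does not.
writable_by_others() {
    m=$(mode_bits "$1")
    [ -n "$m" ] || return 1
    if [ "${TRUST_STICKY_BIT:-0}" = 1 ]; then
        case "$m" in d????????[tT]) return 1 ;; esac
    fi
    case "$m" in
        ?????w????|????????w?) return 0 ;;   # group-write bit (pos 6) or other-write bit (pos 9)
    esac
    return 1
}

# unsafe_components PATH -> prints "component mode" for every directory or file on
# the way to PATH that is group- or world-writable (or a symlink in a writable
# directory); exit 0 if anything was found, 1 if the whole path is clean.
unsafe_components() {
    p=$1
    case "$p" in /*) ;; *) p="$(pwd)/$p" ;; esac
    found=1
    set -f                       # no globbing while we split on '/'
    oldifs=$IFS; IFS=/
    set -- $p
    IFS=$oldifs
    set +f
    acc=""
    for c in "$@"; do
        [ -n "$c" ] || continue
        acc="$acc/$c"
        if writable_by_others "$acc"; then
            echo "$acc $(mode_bits "$acc")"
            found=0
        fi
        # Sendmail also distrusts alias and map files that are links in writable dirs
        if [ -L "$acc" ] && writable_by_others "$(dirname "$acc")"; then
            echo "$acc symlink-in-writable-dir"
            found=0
        fi
    done
    return $found
}

# audit_sendmail_paths -> runs unsafe_components over MAIL_FILES; exit 0 if all clean
audit_sendmail_paths() {
    rc=0
    for f in $MAIL_FILES; do
        if [ ! -e "$f" ]; then echo "missing: $f"; continue; fi
        if unsafe_components "$f"; then rc=1; fi
    done
    return $rc
}

# Usage: sh sendmail-paths.sh --audit
if [ "${1:-}" = --audit ]; then audit_sendmail_paths; fi
```

Run it as root so that ls can stat everything, and compare its output with what sendmail -d44.4 reports; a path the script flags but Sendmail accepts means one of the DontBlameSendmail relaxations below is in effect.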
Although the authors of Sendmail have gone to great lengths to make Sendmail a secure program, you might feel that they've gone too far. If so, you can turn off individual security checks with the "Don't Blame Sendmail" option. Each value you add switches off one check, so add as few as you can get away with; the default, Safe, disables nothing.
In your sendmail.cf file the option line begins with an uppercase letter O and takes one or more comma-separated values, for example:
O DontBlameSendmail=ClassFileInUnsafeDirPath
(If you generate sendmail.cf from an m4 .mc file, the same setting is made with the confDONT_BLAME_SENDMAIL macro.)
In the descriptions that follow, "unsafe directory" means a directory that is writable by anyone other than the owner. The values are:
Safe - No special handling.
AssumeSafeChown - Assume that the chown system call is restricted to root. Since some versions of UNIX permit regular users to give away their files to other users on some filesystems, Sendmail often cannot assume that a given file was created by the owner, particularly when it is in a writable directory. You can set this flag if you know that file giveaway is restricted on your system.
ClassFileInUnsafeDirPath - When reading class files allow files that are in unsafe directories.
DontWarnForwardFileInUnsafeDirPath - Prevent logging of unsafe directory path warnings for non-existent forward files.
ErrorHeaderInUnsafeDirPath - Allow the file named in the ErrorHeader option to be in an unsafe directory.
FileDeliveryToHardLink - Allow delivery to files that are hard links.
FileDeliveryToSymLink - Allow delivery to files that are symbolic links.
ForwardFileInGroupWritableDirPath - Allow .forward files in group writable directories.
ForwardFileInUnsafeDirPath - Allow .forward files in unsafe directories.
ForwardFileInUnsafeDirPathSafe - Allow a .forward file that is in an unsafe directory to include references to programs and files.
GroupReadableKeyFile - Accept a group-readable key file for STARTTLS.
GroupReadableSASLDBFile - Accept a group-readable Cyrus SASL password file.
GroupWritableAliasFile - Allow group-writable aliases files.
GroupWritableDirPathSafe - Change the definition of "unsafe directory" to consider group-writable directories to be safe. World-writable directories are always unsafe.
GroupWritableForwardFile - Allow group writable .forward files.
GroupWritableForwardFileSafe - Accept group-writable .forward files as safe for program and file delivery.
GroupWritableIncludeFile - Allow group writable :include: files.
GroupWritableIncludeFileSafe - Accept group-writable :include: files as safe for program and file delivery.
GroupWritableSASLDBFile - Accept a group-writable Cyrus SASL password file.
HelpFileInUnsafeDirPath - Allow the file named in the HelpFile option to be in an unsafe directory.
IncludeFileInGroupWritableDirPath - Allow :include: files in group writable directories.
IncludeFileInUnsafeDirPath - Allow :include: files in unsafe directories.
IncludeFileInUnsafeDirPathSafe - Allow an :include: file that is in an unsafe directory to include references to programs and files.
InsufficientEntropy - Try to use STARTTLS even if the PRNG for OpenSSL is not properly seeded despite the security problems.
LinkedAliasFileInWritableDir - Allow an alias file that is a link in a writable directory.
LinkedClassFileInWritableDir - Allow class files that are links in writable directories.
LinkedForwardFileInWritableDir - Allow .forward files that are links in writable directories.
LinkedIncludeFileInWritableDir - Allow :include: files that are links in writable directories.
LinkedMapInWritableDir - Allow map files that are links in writable directories. This includes alias database files.
LinkedServiceSwitchFileInWritableDir - Allow the service switch file to be a link even if the directory is writable.
MapInUnsafeDirPath - Allow maps (hash, btree, and dbm files) in unsafe directories. This includes the alias database files.
NonRootSafeAddr - Do not mark file and program deliveries as unsafe if Sendmail is not running with root privileges.
RunProgramInUnsafeDirPath - Run programs that are in writable directories without logging a warning.
RunWritableProgram - Run programs that are group- or world-writable without logging a warning.
TrustStickyBit - Allow group or world writable directories if the sticky bit is set on the directory. Do not set this on systems which do not honor the sticky bit on directories.
WorldWritableAliasFile - Accept world-writable alias files.
WorldWritableForwardfile - Allow world writable .forward files.
WorldWritableIncludefile - Allow world writable :include: files.
WriteMapToHardLink - Allow writes to maps that are hard links.
WriteMapToSymLink - Allow writes to maps that are symbolic links.
WriteStatsToHardLink - Allow the status file to be a hard link.
WriteStatsToSymLink - Allow the status file to be a symbolic link.
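To see which of these checks a host has actually switched off, the following shell script pulls the DontBlameSendmail values out of a sendmail.cf and ranks them. It is an example added here, not part of the tutorial or of Sendmail, and the high/medium ranking is this example's own reading of the descriptions above (values that re-enable program or file delivery from files other users can edit, link-following writes, or weaker TLS/SASL secret handling are ranked high); it is not an official Sendmail classification. The sample_cf function writes a constructed configuration so the script runs without a real Sendmail installation; on a real host point audit_dbs at /etc/mail/sendmail.cf.

```shell
#!/bin/sh
# Added example, not from the tutorial or Sendmail: report which DontBlameSendmail
# checks a sendmail.cf has switched off and which of those re-open file or program
# delivery from attacker-modifiable files. The ranking below is this example's own
# reading of the option descriptions, not an official Sendmail severity list.

# dbs_values CF_FILE -> the comma-separated DontBlameSendmail values, one per line.
# Only active "O DontBlameSendmail=" lines count; the commented default is ignored.
dbs_values() {
    sed -n 's/^O[[:space:]]*DontBlameSendmail[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ',' '\n' | sed 's/[[:space:]]//g' | sed '/^$/d'
}

# dbs_risk VALUE -> none | high | medium
dbs_risk() {
    case "$1" in
        Safe|safe) echo none ;;
        # program or file delivery from .forward/:include:/programs others can edit
        *Safe|WorldWritable*|RunWritableProgram|RunProgramInUnsafeDirPath|NonRootSafeAddr) echo high ;;
        # writes that follow a link an attacker may have planted
        FileDeliveryTo*Link|WriteMapTo*Link|WriteStatsTo*Link) echo high ;;
        # STARTTLS/SASL secrets readable or writable by the group, or an unseeded PRNG
        GroupReadableKeyFile|GroupReadableSASLDBFile|GroupWritableSASLDBFile|InsufficientEntropy) echo high ;;
        *) echo medium ;;
    esac
}

# audit_dbs CF_FILE -> prints "VALUE RISK" per value; exit 1 if any value is high
audit_dbs() {
    rc=0; n=0
    for v in $(dbs_values "$1"); do
        n=$((n+1))
        r=$(dbs_risk "$v")
        echo "$v $r"
        if [ "$r" = high ]; then rc=1; fi
    done
    [ "$n" -gt 0 ] || echo "Safe none (not set, default)"
    return $rc
}

# Constructed sample (not a real host's configuration): the first line is the
# commented default that sendmail.mc emits, the second a weakened setting.
sample_cf() {
    cat <<'EOF'
#O DontBlameSendmail=safe
O DontBlameSendmail=GroupWritableDirPathSafe, ForwardFileInUnsafeDirPathSafe,TrustStickyBit
O SafeFileEnvironment=/var/spool/mail
EOF
}

# Usage: sh dbs-audit.sh --demo      (or: audit_dbs /etc/mail/sendmail.cf)
if [ "${1:-}" = --demo ]; then
    tmp=$(mktemp); sample_cf > "$tmp"; audit_dbs "$tmp"; rm -f "$tmp"
fi
```

A non-zero exit from audit_dbs is a convenient hook for a configuration-compliance check: anything ranked high should be justified in writing or removed.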
Sendmail builds the environment for delivery agents from scratch rather than passing on its own, so a program run from an alias or .forward file cannot be influenced by environment variables the sender or a local user set. By default it defines only AGENT=sendmail and the time zone variable, TZ, when appropriate. If your delivery agent needs additional environment variables to function properly, use the E configuration command in sendmail.cf:
Evar=value
If you omit =value, Sendmail looks the variable up in its own environment and, if found, passes that value through. If the = is present but value is absent, var is set to the empty string.
You might also want to set the "Safe File Environment" option (SafeFileEnvironment=path) so that Sendmail cannot clobber system files through file delivery. Without it, a file named in an alias or .forward entry can be any path on the system; with it, Sendmail does a chroot(2) into the given directory before writing delivery files, and it delivers only to regular files. If the target is a block or character device, a FIFO, or any other kind of special file, Sendmail refuses to write to it.
Sendmail 8 is much more careful about checking for security problems than previous versions, but there are still some things you need to watch for. In particular:
When creating databases, ensure that both the database files and the text input files used to build them cannot be modified by other users; an entry added to the aliases source file becomes a delivery instruction the next time newaliases runs.
It is absolutely imperative that no one other than the Sendmail user can write to the queue directory. Anyone who can do so can alter the contents or recipients of messages waiting to be sent.
Much of Sendmail security comes down to setting the right ownership and permissions on files and directories, and keeping them that way.