- First, most hosts do not need to receive mail from remote machines
(clients mostly connect to remote IMAP servers these days)
and so your mail-transport-agent (MTA), e.g., sendmail need
not be run in daemon mode (need not be started via the init
scripts) and need not listen to the network.
- If an MTA is needed, it is usually only for sending and
receiving mail locally, or for sending via a "smart" host,
for example, to see the output of cron
scripts. In this case configure the MTA to listen to
- Ensure your MTA is not configured as an open-relay (i.e., it will not
route email for anyone who requests it) — open relays are a major
hindrance in the fight against Spam.
Details specific to Sendmail and Exim are given below.
At the time of writing, sendmail has had few recent security-related
problems and patches, but its history is not so good --- it's had more than
its fair share of holes (e.g., those due to buffer overflows). In addition,
sendmail is notoriously difficult to configure, compounding other
- Shutdown if not needed. e.g.
and change any entries /etc/rc?.d/S*sendmail to
- To ensure sendmail is listening on only 127.0.0.1
edit /etc/mail/sendmail.mc so that the following
DAEMON_OPTION is in place and not commented out:
dnl # The following causes sendmail to only listen on the IPv4
dnl # loopback address 127.0.0.1 and not on any other network devices.
dnl # Remove the loopback address restriction to accept email from the
dnl # internet or intranet.
and run /etc/mail/Makefile in order to update sendmail.cf.
Finally, restart sendmail.
- Closed relay...
- Finally, the Sendmail Restricted Shell, smrsh, can be used.
It is intended as a replacement for sh for use in the "prog"
mailer in sendmail configuration files. It sharply limits
the commands that can be run using the |program syntax
thus improving the security of your systemm. (If an intruder can get
sendmail to run a program without going through an alias or
forward file, smrsh limits the set of programs that he or she