Disabling the Sendmail daemon for outgoing mail

Are you only sending outgoing mail with Sendmail? If you do not need to process incoming SMTP mail, disable the Sendmail daemon for improved security. Please read the excellent article "Improving Sendmail Security by Turning It Off" for more information.

Beginning with Sendmail 8.12.x, the default behavior of the Message Submission Process (MSP) is to send outgoing mail through the local Message Transport Agent (MTA) process. In other words, in order to send outgoing mail, you need to run Sendmail in daemon mode. Even if Sendmail is configured to only listen on the loopback interface, running Sendmail in daemon mode could lead to local privilege escalation if a security vulnerability in Sendmail is discovered.

Instead of using a local MTA to send outgoing mail, Sendmail can be configured to use a different MTA. Outgoing mail is then relayed through your mail gateway, and you do not have to run Sendmail in daemon mode.

To use a different MTA to relay outgoing mail with Sendmail 8.12.x and later, make the following changes:

1. Modify the MSP macro configuration (submit.mc) file.
cd sendmail_source_tree/cf/cf
cp submit.mc submit.mc.original
vi submit.mc

Change:
FEATURE(`msp', `[127.0.0.1]')dnl

To:
FEATURE(`msp', `your_mail_relay_or_MX_record')dnl

2. Build and install the MSP configuration file.
sh Build submit.cf
cp submit.cf /etc/mail


3. If you are running Sendmail in daemon mode (i.e. a Sendmail process running with the -bd flag), terminate the process. If applicable, modify the Sendmail startup/shutdown script (/etc/init.d/sendmail) so that Sendmail is not started in daemon mode.

For example, comment out or remove the following lines in /etc/init.d/sendmail:

# Start the MTA

/usr/lib/sendmail -L sm-mta -bd -q30m
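
A post-change check for the three steps above, added here as an example and not part of the original page. The function names are hypothetical, the file paths are whatever you pass in, and it assumes the daemon shows either its -bd flag or the "accepting connections" process title in ps output.

```sh
#!/bin/sh
# Added example: audit that the MSP relays off-host and no MTA daemon remains.

# Print the relay argument of FEATURE(`msp', `...') from a submit.mc file.
msp_relay() {
    sed -n "s/^FEATURE(\`msp', *\`\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Succeed if the relay is unset or still points at the local host.
relay_is_local() {
    case "$1" in
        ''|localhost|'[localhost]'|127.*|'[127.'*|::1|'[::1]') return 0 ;;
        *) return 1 ;;
    esac
}

# Print uncommented startup-script lines that still start sendmail with -bd.
active_bd_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep sendmail | grep -e '[[:space:]]-bd'
}

# Filter process listings (stdin, e.g. from `ps -e -o args`) for an MTA daemon.
# MSP queue runners are expected to remain and are not reported.
daemon_procs() {
    grep sendmail | grep -e '[[:space:]]-bd' -e 'accepting connections'
}

# usage: audit path/to/submit.mc path/to/init_script
audit() {
    rc=0
    relay=$(msp_relay "$1")
    if relay_is_local "$relay"; then
        echo "FAIL: MSP relay is '${relay:-unset}' (still local)"; rc=1
    else
        echo "ok: MSP relays to $relay"
    fi
    if active_bd_lines "$2" >/dev/null; then
        echo "FAIL: $2 still starts sendmail with -bd"; rc=1
    fi
    if ps -e -o args | daemon_procs >/dev/null; then
        echo "FAIL: a sendmail daemon process is running"; rc=1
    fi
    return $rc
}

if [ $# -eq 2 ]; then audit "$1" "$2"; fi
```

Run it with the edited submit.mc and your startup script as the two arguments; a non-zero exit status means at least one of the three steps is incomplete.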

Last modified: 04/19/2005