As one of the most enduring and ubiquitous Unix applications, sendmail has been the target of numerous attacks over the years, from buffer overflows to denials of service. And even though its security has been improved continually, sendmail can be prodded into a still more secure state through a number of quick fixes that any sysadmin can make to reduce the vulnerability of their sendmail servers.
To remove the version information from the sendmail greeting, all you need to do is remove the “$v/$Z” string from this line in your /etc/mail/sendmail.cf file:
# SMTP initial login message (old $e macro)
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
In fact, you might consider removing the word “sendmail” as well, making the greeting even more nondescript:
# SMTP initial login message (old $e macro)
O SmtpGreetingMessage=$j mailserver; $b
When you make this change and restart sendmail, your greeting, which might have previously looked like this:
220 x.xyz.org ESMTP Sendmail 8.13.3/8.13.3; Thu, 3 Mar 2005 15:52:37 -0500 (EST)
will look like this instead:
220 x.xyz.org ESMTP mailserver; Thu, 3 Mar 2005 15:52:37 -0500 (EST)
You can set a maximum message size by both uncommenting and setting an upper limit on the MaxMessageSize parameter. These lines in your sendmail.cf file:
# maximum message size
#O MaxMessageSize=0
would be changed to look like those shown below. Be sure to consider attachments and select a limit which is appropriate to your site. The MaxMessageSize parameter is expressed in bytes.
# maximum message size
O MaxMessageSize=500000
Similarly, the MaxRecipientsPerMessage parameter can be set in these lines:
# maximum number of recipients per SMTP envelope
#O MaxRecipientsPerMessage=0
The modified lines might look like these:
# maximum number of recipients per SMTP envelope
O MaxRecipientsPerMessage=10
Finally, the privacy flags can be changed from the default setting:
# privacy flags
O PrivacyOptions=authwarnings
to the more restrictive settings:
# privacy flags
O PrivacyOptions=goaway,restrictmailq,restrictqrun
The “goaway” setting expands to “authwarnings, noexpn, novrfy, needmailhelo, needexpnhelo, needvrfyhelo”. That's a lot of settings for one 6-letter word. Some don't actually enhance privacy, but simply require that clients issue the HELO command before issuing other commands or add extra headers to guard against spoofing.
The goaway setting essentially disallows SMTP status queries. In particular, it denies use of the VRFY and EXPN commands. Here is a brief explanation of each of these privacy settings:
The needmailhelo setting, for example, will not allow a client to begin the exchange of message data without first issuing the HELO command:
# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 x.xyz.org ESMTP mailserver; Thu, 3 Mar 2005 11:13:45 -0500 (EST)
mail from: slee@thefarm.org
503 5.0.0 Polite people say HELO first
The vrfy command causes sendmail to verify whether it will accept the presented email address. The expn command is similar, but will also expose the list of members if the address is a multiple-user alias. The novrfy and noexpn options squelch these commands, preventing anyone from communicating with your mail servers to determine the identities of your users.
When noexpn is used, for example, an expn request will result in a response like that shown below:
expn henrystocker
502 5.7.0 Sorry, we do not allow this operation
The two additional privacy options included in the privacy flags suggested above (this particular set is often selected as shown) further limit the information that sendmail is willing to divulge:
restrictmailq    Restrict the mailq command
restrictqrun     Restrict the -q command line flag
The changes described above are all easy fixes because you don't have to rebuild sendmail in order to use them. Simply edit your sendmail.cf file and then restart sendmail. There are many other ways in which sendmail security can be enhanced and its resistance to spam greatly improved.
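Because all of these fixes live in sendmail.cf, they are easy to verify after the fact. The following Python script is an added example, not code from this article or from the sendmail project: it parses the `O Name=Value` option lines of a sendmail.cf, expands the `goaway` shorthand into its component flags, and reports which of the settings recommended above are still missing. It also includes a check for a captured 220 greeting line, so you can confirm that the version string no longer appears. Both sendmail.cf fragments and the banner strings are constructed for the example (the greetings reuse the ones shown earlier).

```python
"""Audit a sendmail.cf for the hardening settings discussed above.

Added example (not sendmail's own code). It recognizes the `O Name=Value`
option syntax of sendmail.cf, expands the "goaway" privacy shorthand, and
reports which recommended settings are absent or still at their defaults.
"""
import re

# Constructed sample sendmail.cf fragment with the default (weak) settings.
SAMPLE_CF_DEFAULT = """\
# SMTP initial login message (old $e macro)
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b

# maximum message size
#O MaxMessageSize=0

# maximum number of recipients per SMTP envelope
#O MaxRecipientsPerMessage=0

# privacy flags
O PrivacyOptions=authwarnings
"""

# The same fragment after the edits described in the article.
SAMPLE_CF_HARDENED = """\
# SMTP initial login message (old $e macro)
O SmtpGreetingMessage=$j mailserver; $b

# maximum message size
O MaxMessageSize=500000

# maximum number of recipients per SMTP envelope
O MaxRecipientsPerMessage=10

# privacy flags
O PrivacyOptions=goaway,restrictmailq,restrictqrun
"""

# What "goaway" expands to, as listed in the article.
GOAWAY = {"authwarnings", "noexpn", "novrfy", "needmailhelo",
          "needexpnhelo", "needvrfyhelo"}

# Active option lines only; a leading '#' means sendmail ignores the line.
OPTION_RE = re.compile(r"^O\s+([A-Za-z]+)\s*=\s*(.*?)\s*$")


def parse_options(cf_text):
    """Return {name: value} for uncommented `O Name=Value` lines."""
    options = {}
    for line in cf_text.splitlines():
        m = OPTION_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2)
    return options


def privacy_flags(options):
    """Expand PrivacyOptions into the effective set of individual flags."""
    raw = options.get("PrivacyOptions", "")
    flags = {f.strip().lower() for f in raw.split(",") if f.strip()}
    if "goaway" in flags:
        flags.discard("goaway")
        flags |= GOAWAY
    return flags


def audit(cf_text):
    """Return a list of findings; an empty list means all checks passed."""
    opts = parse_options(cf_text)
    findings = []

    greeting = opts.get("SmtpGreetingMessage", "")
    if "$v" in greeting or "$Z" in greeting:
        findings.append("SmtpGreetingMessage discloses sendmail version ($v/$Z)")
    if "sendmail" in greeting.lower():
        findings.append("SmtpGreetingMessage names the MTA")

    # A commented-out option never reaches the dict, which is the same as
    # the explicit value 0: no limit at all.
    for name in ("MaxMessageSize", "MaxRecipientsPerMessage"):
        value = opts.get(name)
        if value is None or not value.isdigit() or int(value) == 0:
            findings.append(f"{name} is unset or 0 (no limit)")

    flags = privacy_flags(opts)
    for required in ("novrfy", "noexpn", "needmailhelo",
                     "restrictmailq", "restrictqrun"):
        if required not in flags:
            findings.append(f"PrivacyOptions lacks {required}")
    return findings


def greeting_discloses_version(banner):
    """True if a received 220 greeting still carries 'Sendmail x.y.z'."""
    return bool(re.search(r"\bSendmail\b.*\d+\.\d+\.\d+", banner))


if __name__ == "__main__":
    for label, cf in (("default", SAMPLE_CF_DEFAULT),
                      ("hardened", SAMPLE_CF_HARDENED)):
        print(f"{label}: {audit(cf) or 'OK'}")
```

Run against a real file with `audit(open("/etc/mail/sendmail.cf").read())`; the `goaway` expansion matters because a config that sets `goaway` without spelling out `novrfy` and `noexpn` is still correct, and a naive string search would report it as deficient.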