Improving the Security of Mail Services

next up previous contents
Next: Improving the Security Up: Improving Security of Previous: Improving the Security

Improving the Security of Mail Services


The following precautions should be taken to ensure secure operation of sendmail [GS91]:

  1. Verify that the version of sendmail used is recent. Older versions of sendmail have several bugs that allow security violations.

  2. Remove the ``uudecode'' and ``decode'' alias from the aliases file. This file is usually /etc/aliases or /usr/lib/aliases.

  3. For aliases that allow messages to be sent to programs, make sure that there is no way to obtain a shell or send commands to a shell from these programs.

  4. Verify that the ``wizard'' password is disable in the configuration file

  5. Verify that sendmail does not support the ``debug'' command. This can be done with the following commands:
    % telnet localhost 25
    Connected to localhost
    Escape character is ``^]''.
    220 hostname sendmail 5.61 ready at Fri, 18 Sep 92 15:10:48 EDT
    500 Command unrecognized
    If sendmail responds to the ``debug'' command with the message ``200 Debug set'', then sendmail is vulnerable to attack and should be replaced with a newer version.

John Barkley
Fri Oct 7 16:17:21 EDT 1994