The sendmail program is only as secure as the system on which it is running. Correcting permissions and the like is useful only if such corrections are systemwide and apply to all critical system files and programs.
Time spent tightening security at your site is best spent before a break-in occurs. Never believe that your site is too small or of too little consequence. Start out by being wary, and you will be more prepared when the inevitable attack happens.
Get and set up identd(8) at your site. When queried about who established a network connection, it returns the login identity of the individual user. Become a good network citizen.
Multimedia mail, such as MIME, is more difficult, but not impossible, to forge.
Newer versions of perl(1) object to PATH environmental variables
that begin with a dot (such as .:/bin:/usr/bin
). V8 clears
the PATH variable before executing programs in a user's ~/.forward
file. Some shells put it back with the dot first. Under such versions
of the Bourne shell, execute perl(1) scripts like this:
|"PATH=/bin:/usr/bin /home/usr/bin/script.pl"
There is no check in the T
command that the names listed are names
of real users. That is, if you mistakenly enter Tuupc
when you really meant Tuucp
, pre-V8 sendmail remained silent
and UUCP mail mysteriously failed. V8.7 and above sendmail
logs warning messages.
Many fine books and papers are available that can help you to improve the security at your site. A few are listed in the bibliography at the end of this book.