Quote:
Originally Posted by bozzo99
Hi,
I’m an Oracle DBA and started working for my current employer about 4 months ago. This past weekend an alert re: FS space brought my attention to /var/spool/clientmqueue (full of mail re: cron jobs) and the fact that sendmail is not running on our Linux servers.
I’m told that the IT security team deemed sendmail too vulnerable so we don’t run it.
Aside from FS filling up and missing notification of issues with crontab entries, I’m concerned that we may be missing notification of potential issues. In other Unix/Linux environments I’ve seen emails from the print daemon when it experienced problems with specific jobs.
Are there other Linux facilities aside from cron and lpd that use email to advise the users of possible issues?
Are there ways to secure sendmail or secure alternatives to sendmail?
My primary need/desire is to make sure that emails regarding issues on the server get to the appropriate users. Secondary goal would be to have the ability to use mailx to send mail out. There is No need/desire to receive mail from outside.
Running “Red Hat Enterprise Linux AS release 4”
Any suggested references would be appreciated.
Thanks
Well, I agree with shutting down services if they're not required, so in part, I agree with your security team. However, you CAN run sendmail as a send-only service, to cut down on the risk. A good first step would be to check with your team, to see if there is already an internal mail relay server. If so, check out setting up sendmail to use it as a relay server. You can edit the sendmail.cf file with a "DS=<name/address of relay host>", then your mail should be shoveled along to the other server, to be dealt with. Then put your alerts into a valid email box on your internal mail server, and away you go.
Other jobs that use sendmail? Lots...or none, depending on how you set them up, and if you want to see alerts or not. Everything can be tailored. And yes, there are ways to secure sendmail (dovecot, cyrus, etc.), but if you don't need mail on that box, setting up a simple relay to your already existing server is the easiest. You could also write a script to purge the file when it gets to a certain size, keeping the last xxxx amount of data, to make sure you don't miss anything important.
And I'm sure you'll also get the suggestion to call Red Hat support, since you're paying for it with your RHEL subscription.
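An added example, not part of the original posts: a shell check for the send-only relay setup suggested in the reply above. It audits the m4 source `sendmail.mc` from which `sendmail.cf` is generated, where `SMART_HOST` is the macro that produces the relay (DS) line and `DAEMON_OPTIONS` controls the SMTP listener. Assumptions: the sample files and the relay host name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit a sendmail.mc for a send-only setup.
# Assumption: RHEL-style m4 source; lines beginning with "dnl" are commented out.

active_lines() { grep -v '^[[:space:]]*dnl' "$1"; }

# 0 if an active line defines SMART_HOST (outbound mail goes to the relay).
has_smart_host() { active_lines "$1" | grep -q 'define(.SMART_HOST.,'; }

# 0 only if every active DAEMON_OPTIONS binds to loopback. With no active
# DAEMON_OPTIONS line, sendmail's default listener uses all interfaces.
listens_loopback_only() {
    opts=$(active_lines "$1" | grep 'DAEMON_OPTIONS(') || return 1
    if printf '%s\n' "$opts" | grep -Evq 'Addr=(127\.0\.0\.1|::1)[^0-9]'; then
        return 1
    fi
    return 0
}

audit_sendmail_mc() {
    rc=0
    if has_smart_host "$1"; then echo "OK   SMART_HOST set"
    else echo "FAIL no SMART_HOST; outbound mail is not forced through the relay"; rc=1; fi
    if listens_loopback_only "$1"; then echo "OK   SMTP listener is loopback-only"
    else echo "FAIL SMTP listener reachable beyond loopback"; rc=1; fi
    return $rc
}

# Constructed sample inputs; the relay host name is a placeholder.
tmp=$(mktemp -d)
cat > "$tmp/good.mc" <<'EOF'
dnl define(`SMART_HOST',`smtp.your.provider')
define(`SMART_HOST', `mailrelay.example.internal')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
EOF
cat > "$tmp/bad.mc" <<'EOF'
dnl define(`SMART_HOST',`smtp.your.provider')
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
EOF
for f in "$tmp/good.mc" "$tmp/bad.mc"; do
    echo "== $f"
    audit_sendmail_mc "$f" || echo "-> not a send-only relay configuration"
done
```

On a real host, point `audit_sendmail_mc` at the system's own `sendmail.mc` and confirm the result against the listening sockets after regenerating `sendmail.cf`.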