Sendmail No MTA configuration
What is Sendmail?
Sendmail is a Message Transfer Agent and has evolved into a general purpose internetwork mail routing facility under the UNIX® operating system. (Partial quote from the Sendmail Installation and Operation Guide from http://www.sendmail.org)
Sendmail has been great and has delivered mail on the internet for decades, from the time when multiple mail protocols were necessary, across UUCP links and using various addressing forms. Unfortunately this has made Sendmail a very complex program, and multiple security vulnerabilities allowing remote command execution have been found again and again in Sendmail.
Today I do NOT recommend Sendmail as an MTA for receiving mail. I recommend Postfix as this MTA is much easier to configure, has security enabled by default and is also very efficient.
Then what is this page about really?
Sendmail is available by default on many UNIX operating systems. Every UNIX server should at least be able to send mail, daily security reports etc. Not all UNIX servers should be able to receive mail. With this in mind it is often enough just to reconfigure the default Sendmail to only be able to send mail from the system.
This page is about configuring Sendmail to only listen on localhost port 25 - which is the SMTP port.
OpenBSD with Sendmail confined to localhost
OpenBSD already comes with Sendmail and a nice localhost.cf that can be used for confining Sendmail to localhost.
I mention this since people might want to use that as a template for rolling their own Sendmail No MTA configurations. Please see the OpenBSD website at http://www.openbsd.org for information, manuals and source code.
# cp /etc/mail/sendmail.cf /etc/mail/sendmail.cf.orig
# cp /etc/mail/localhost.cf /etc/mail/sendmail.cf
# pkill -HUP sendmail
AIX with Sendmail confined to localhost
AIX is bad when it comes to Sendmail. AIX has often included a version older than the current one, and for many years the default configuration would allow relaying - making your server an instant target for abuse by spammers.
You should reconfigure your Sendmail to only listen on localhost by using the instructions from the IBM manual pages at
http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.files/doc/aixfiles/sendmail.cf.htm
To be able to send mail but not receive mail on a system, edit /etc/mail/sendmail.cf:
# O DaemonPortOptions=Name=MTA
O DaemonPortOptions=NAME=NoMTA4, Family=inet, Addr=127.0.0.1
Remember to restart Sendmail afterwards:
kill -HUP `head -1 /etc/sendmail.pid`
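To confirm the edit took effect, the check below (an added example, not part of the original page or of the vendor documentation) reads a sendmail.cf on stdin and flags any active DaemonPortOptions line that is not bound to a loopback address. The function name, the two sample fragments and the choice to recognise only keys beginning with "Addr" are assumptions of this example.

```shell
#!/bin/sh
# audit_daemon_ports: read sendmail.cf text on stdin, print one verdict per
# active "O DaemonPortOptions=" line, and return 0 only if every listener
# is bound to a loopback address. Lines starting with "#" are comments in
# sendmail.cf and are ignored because they do not start with "O".
audit_daemon_ports() {
    awk '
    /^O[ \t]+DaemonPortOptions[ \t]*=/ {
        seen = 1
        opts = $0
        sub(/^[^=]*=/, "", opts)            # drop "O DaemonPortOptions="
        n = split(opts, kv, ",")
        name = "(unnamed)"; addr = ""
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", kv[i])
            eq = index(kv[i], "=")
            if (eq == 0) continue
            key = tolower(substr(kv[i], 1, eq - 1))
            val = substr(kv[i], eq + 1)
            if (key == "name") name = val
            # Assumption: only keys spelled Addr/Address are recognised;
            # any other spelling is reported as exposed (fails safe).
            if (substr(key, 1, 4) == "addr") addr = val
        }
        if (addr == "127.0.0.1" || addr == "::1" || addr == "localhost") {
            print "OK " name " -> " addr
        } else {
            print "EXPOSED " name " -> " (addr == "" ? "all interfaces" : addr)
            bad = 1
        }
    }
    END {
        # With no active line nothing restricts the bind address.
        if (!seen) { print "EXPOSED no active DaemonPortOptions line"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: the AIX edit shown on this page.
SAMPLE_LOCAL='# O DaemonPortOptions=Name=MTA
O DaemonPortOptions=NAME=NoMTA4, Family=inet, Addr=127.0.0.1'
# Constructed sample: the original line left active.
SAMPLE_OPEN='O DaemonPortOptions=Name=MTA'

printf '%s\n' "$SAMPLE_LOCAL" | audit_daemon_ports
printf '%s\n' "$SAMPLE_OPEN" | audit_daemon_ports || echo "listener is reachable from the network"
```

Run it against the live file with audit_daemon_ports < /etc/mail/sendmail.cf after restarting Sendmail.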




