Sendmail Limiting Denial of Service (DOS) Attack

May 1, 2006 · LAST UPDATED May 1, 2006

Q. I would like to know the configuration directives that will limit a Sendmail denial of service attack.

A. Sendmail is a mail transfer agent (MTA), i.e. software that transfers electronic mail messages from one computer to another. An attacker can flood the mail server with a denial of service (DoS) attack, an attack in which no access to the system is gained but a loss of service is incurred, i.e. your mail server will die under the load.

To limit DoS attacks against a Sendmail server, Sendmail ships with directives that can be configured via the sendmail.mc macro file.

Sendmail is used in various UNIX and Linux environments.

From the Sendmail documentation:

All descriptions are structured in the following way:
M4 Variable Name / Configuration Option / Description & [Default] / Recommendation

confMIN_FREE_BLOCKS
MinFreeBlocks
[100] Minimum number of free blocks on queue filesystem to accept SMTP
mail. (Prior to 8.7, this was minfree/maxsize, where minfree was the
number of free blocks and maxsize was the maximum message size. In
current versions of sendmail, use confMAX_MESSAGE_SIZE for the second
value.)
Recommended: 4000 or larger.

confMAX_MESSAGE_SIZE
MaxMessageSize
[infinite] The maximum size of messages that will be accepted (in
bytes).
Recommended: 4MB (?)

confAUTO_REBUILD
AutoRebuildAliases
[False] Automatically rebuild alias file if needed. There is a potential
for a denial of service attack if this is set.
Set to False.

confQUEUE_LA
QueueLA
[varies] Load average at which queue-only function kicks in. Default
value is (8 * numproc), where numproc is the number of processors online
(if that can be determined).
Set to 10 (depending on CPU power).

confREFUSE_LA
RefuseLA
[varies] Load average at which incoming SMTP connections are refused.
Default value is (12 * numproc), where numproc is the number of
processors online (if that can be determined).
Set to 8 (depending on CPU power).

confMAX_DAEMON_CHILDREN
MaxDaemonChildren
[undefined] The maximum number of children the daemon will permit. After
this number, connections will be rejected. If not set or

confMAX_HEADERS_LENGTH
MaxHeadersLength
[undefined] Maximum length of the sum of all headers.
Set to 32 or 64K

confMAX_MIME_HEADER_LENGTH
MaxMimeHeaderLength
[undefined] Maximum length of certain MIME header field values.
Set to 1024 or less.

confMAX_RCPTS_PER_MESSAGE
MaxRecipientsPerMessage
[infinite] If set, allows no more than the specified number of
recipients in an SMTP envelope. Further recipients receive a 452 error
code (i.e., they are deferred to the next delivery attempt).
Site policy: 10 - 100.
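As an added example (not from the original page or the Sendmail project), here is a sendmail.mc fragment that applies the directives above using the recommended values; the MaxDaemonChildren value of 40 and the conversion of 4MB to 4194304 bytes are assumptions, not figures from the page.

```m4
dnl Added example: anti-DoS directives for sendmail.mc.
dnl Place these define() lines after OSTYPE(...) and before any MAILER(...) line,
dnl then regenerate the config:   m4 sendmail.mc > sendmail.cf
dnl Confirm the options landed:   grep -E '^O (Max|Min|Queue|Refuse|AutoRebuild)' sendmail.cf
dnl
dnl Refuse incoming SMTP mail when the queue filesystem has fewer free blocks than this.
define(`confMIN_FREE_BLOCKS', `4000')dnl
dnl Largest message accepted, in bytes (4MB = 4 * 1024 * 1024; assumption).
define(`confMAX_MESSAGE_SIZE', `4194304')dnl
dnl Never rebuild the alias database on demand; run newaliases explicitly instead.
define(`confAUTO_REBUILD', `False')dnl
dnl Load-average thresholds. Note that with RefuseLA (8) below QueueLA (10), new
dnl connections are refused before queue-only mode ever engages; tune per host.
define(`confQUEUE_LA', `10')dnl
define(`confREFUSE_LA', `8')dnl
dnl Cap on concurrent daemon children; 40 is an assumed value, size it to the host.
define(`confMAX_DAEMON_CHILDREN', `40')dnl
dnl Reject messages whose combined headers exceed 32K.
define(`confMAX_HEADERS_LENGTH', `32768')dnl
dnl Limit the length of certain MIME header field values.
define(`confMAX_MIME_HEADER_LENGTH', `1024')dnl
dnl Envelope recipient cap; recipients beyond this get a 452 and are deferred.
define(`confMAX_RCPTS_PER_MESSAGE', `100')dnl
```

After regenerating sendmail.cf, restart the daemon so the new limits take effect.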
