Sendmail Limiting Denial of Service (DOS) Attack

Last updated May 1, 2006

Q. I would like to know the configuration directives that will limit Sendmail Denial of Service attacks.

A. Sendmail is a mail transfer agent (MTA), i.e. it transfers electronic mail messages from one computer to another. An attacker can flood the mail server in a Denial of Service (DoS) attack: an attack in which no access to the system(s) is gained, but a loss of service is incurred, i.e. your mail server will die.

To limit DoS attacks against a Sendmail server, Sendmail comes with directives that can be configured via the macro file.

Sendmail is used in various UNIX and Linux environments.

From Sendmail:

All descriptions are structured in the following way:
M4 Variable Name / Configuration / Description & [Default] / Recommendation

[100] Minimum number of free blocks on queue filesystem to accept SMTP
mail. (Prior to 8.7, this was minfree/maxsize, where minfree was the
number of free blocks and maxsize was the maximum message size. In
current versions of sendmail, use confMAX_MESSAGE_SIZE for the second
Recommended: 4000 or larger.

[infinite] The maximum size of messages that will be accepted (in
Recommended: 4MB (?)

[False] Automatically rebuild alias file if needed. There is a potential
for a denial of service attack if this is set.
Set to False.

[varies] Load average at which queue-only function kicks in. Default
value is (8 * numproc), where numproc is the number of processors online
(if that can be determined).
Set to 10 (depending on CPU power).

[varies] Load average at which incoming SMTP connections are refused.
Default value is (12 * numproc), where numproc is the number of
processors online (if that can be determined).
Set to 8 (depending on CPU power).

[undefined] The maximum number of children the daemon will permit. After
this number, connections will be rejected. If not set or

confMAX_HEADERS_LENGTH
[undefined] Maximum length of the sum of all headers.
Set to 32 or 64K

[undefined] Maximum length of certain MIME header field values.
Set to 1024 or less.

[infinite] If set, allows no more than the specified number of
recipients in an SMTP envelope. Further recipients receive a 452 error
code (i.e., they are deferred to the next delivery attempt).
Site policy: 10 – 100.
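
The recommendations above can be checked mechanically. The script below is an added example, not code from the original page or from Sendmail: it reads a sendmail.mc and reports DoS-related directives that are missing or looser than the values listed above. The m4 names are the standard Sendmail ones for the options described; `mc_value`, `audit_mc` and `sample_mc` are hypothetical helpers, the sample input is constructed, and the maximum-children option is left out because the list gives no value for it.

```sh
# Added example: audit a sendmail.mc against the DoS limits listed above.
# The page's suggested values are treated as bounds (assumption).

# Print the last active define(`NAME', `VALUE') for NAME ($2) in file $1.
# Lines commented out with a leading dnl do not match and are ignored.
mc_value() {
    awk -F"[\`']" -v n="$2" '$1 == "define(" && $2 == n { v = $4 } END { print v }' "$1"
}

# Print one finding per missing or weak directive; return 1 if any were found.
audit_mc() {
    file=$1 fails=0
    while read -r name op limit; do
        val=$(mc_value "$file" "$name")
        val=${val%%/*}  # confMAX_MIME_HEADER_LENGTH may be written as N/M
        if [ -z "$val" ]; then
            echo "MISSING $name (want -$op $limit)"; fails=$((fails + 1))
        elif ! [ "$val" "-$op" "$limit" ] 2>/dev/null; then
            echo "WEAK $name=$val (want -$op $limit)"; fails=$((fails + 1))
        fi
    done <<EOF
confMIN_FREE_BLOCKS ge 4000
confMAX_MESSAGE_SIZE le 4194304
confQUEUE_LA le 10
confREFUSE_LA le 8
confMAX_HEADERS_LENGTH le 65536
confMAX_MIME_HEADER_LENGTH le 1024
confMAX_RCPTS_PER_MESSAGE le 100
EOF
    # Automatic alias rebuilds are the DoS risk the list warns about.
    case $(mc_value "$file" confAUTO_REBUILD) in
        [TtYy]*) echo "WEAK confAUTO_REBUILD is enabled (want False)"; fails=$((fails + 1)) ;;
    esac
    [ "$fails" -eq 0 ]
}

# Constructed sample input: a partially hardened sendmail.mc fragment.
sample_mc() {
    cat <<'EOF'
define(`confMIN_FREE_BLOCKS', `4000')dnl
define(`confMAX_MESSAGE_SIZE', `4194304')dnl
define(`confAUTO_REBUILD', `True')dnl
define(`confQUEUE_LA', `10')dnl
define(`confREFUSE_LA', `8')dnl
define(`confMAX_HEADERS_LENGTH', `32768')dnl
define(`confMAX_MIME_HEADER_LENGTH', `2048/1024')dnl
EOF
}

f=$(mktemp); sample_mc > "$f"; audit_mc "$f" || echo "tighten the directives above"; rm -f "$f"
```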

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector.