Sendmail Limiting Denial of Service (DOS) Attack

Q. I would like to know the configuration directives that will limit Sendmail Denial of Service attacks.

A. Sendmail is a mail transfer agent (MTA), i.e. it transfers electronic mail messages from one computer to another. An attacker can flood the mail server with a DoS attack (an attack in which no access to the system(s) is gained, but rather a loss of service is incurred, i.e. your mail server will die).

To limit DoS attacks against a Sendmail server, Sendmail comes with directives that can be configured via the sendmail.mc macro file.

Sendmail is used in various UNIX and Linux environments.

From Sendmail:

All descriptions are structured in the following way
M4 Variable Name/ Configuration/ Description & [Default]/Recommendation:

[100] Minimum number of free blocks on queue filesystem to accept SMTP
mail. (Prior to 8.7, this was minfree/maxsize, where minfree was the
number of free blocks and maxsize was the maximum message size. In
current versions of sendmail, use confMAX_MESSAGE_SIZE for the second
Recommended: 4000 or larger.

[infinite] The maximum size of messages that will be accepted (in
Recommended: 4MB (?)

[False] Automatically rebuild alias file if needed. There is a potential
for a denial of service attack if this is set.
Set to False.

[varies] Load average at which queue-only function kicks in. Default
value is (8 * numproc), where numproc is the number of processors online
(if that can be determined).
Set to 10 (depending on CPU power).

[varies] Load average at which incoming SMTP connections are refused.
Default value is (12 * numproc), where numproc is the number of
processors online (if that can be determined).
Set to 8 (depending on CPU power).

[undefined] The maximum number of children the daemon will permit. After
this number, connections will be rejected. If not set or

confMAX_HEADERS_LENGTH
[undefined] Maximum length of the sum of all headers.
Set to 32 or 64K

[undefined] Maximum length of certain MIME header field values.
Set to 1024 or less.

[infinite] If set, allows no more than the specified number of
recipients in an SMTP envelope. Further recipients receive a 452 error
code (i.e., they are deferred to the next delivery attempt).
Site policy: 10 – 100.
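
The following is an added example, not part of the original page or of Sendmail: a small checker that reads a sendmail.mc and reports which of the size and count limits above are unset or weaker than the recommendations. The m4 option names are taken from sendmail's cf/README as an assumption (only confMAX_MESSAGE_SIZE and confMAX_HEADERS_LENGTH appear on this page), the sample file is constructed, and the load-average and daemon-children settings are left out because their values depend on the host.

```python
import re

# Option names: sendmail cf/README (assumption, most are missing from the page).
# Limits: the page's recommendations. "min": >= limit, "max": set and <= limit.
CHECKS = {
    "confMIN_FREE_BLOCKS": ("min", 4000),
    "confMAX_MESSAGE_SIZE": ("max", 4 * 1024 * 1024),
    "confMAX_HEADERS_LENGTH": ("max", 64 * 1024),
    "confMAX_MIME_HEADER_LENGTH": ("max", 1024),
    "confMAX_RCPTS_PER_MESSAGE": ("max", 100),
    "confAUTO_REBUILD": ("eq", "False"),
}
DEFINE_RE = re.compile(r"^define\(`(conf[A-Z_]+)',\s*`?([^')]*)'?\)", re.M)
# Constructed sample input, not a real host's sendmail.mc.
SAMPLE_MC = """\
dnl define(`confMAX_RCPTS_PER_MESSAGE', `50')dnl
define(`confMIN_FREE_BLOCKS', `100')dnl
define(`confMAX_MESSAGE_SIZE', `4194304')dnl
define(`confAUTO_REBUILD', `True')dnl
define(`confMAX_HEADERS_LENGTH', `32768')dnl
define(`confMAX_MIME_HEADER_LENGTH', `2048/1024')dnl
"""

def parse_mc(text):
    """Map option name to value for every define() not commented out with dnl."""
    return {m.group(1): m.group(2).strip() for m in DEFINE_RE.finditer(text)}

def audit(text):
    """Return sorted (option, problem) pairs for settings weaker than CHECKS."""
    opts, findings = parse_mc(text), []
    for name, (kind, limit) in CHECKS.items():
        raw = opts.get(name)
        if kind == "eq":  # default is already False, so only a wrong value counts
            if raw is not None and raw.lower() != limit.lower():
                findings.append((name, f"is {raw}, should be {limit}"))
        elif raw is None:
            findings.append((name, "not set, sendmail default applies"))
        elif not re.match(r"\d+", raw):
            findings.append((name, f"value {raw!r} is not numeric"))
        else:
            value = int(re.match(r"\d+", raw).group())  # N/M form: check N
            if kind == "min" and value < limit:
                findings.append((name, f"is {value}, should be >= {limit}"))
            if kind == "max" and not 0 < value <= limit:
                findings.append((name, f"is {value}, should be 1..{limit}"))
    return sorted(findings)

if __name__ == "__main__":
    for option, problem in audit(SAMPLE_MC):
        print(f"{option}: {problem}")
```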
