As many of us know, sendmail with the default setup, is a spammers delight.
I'm a newbie when it comes to sendmail, because I've been using Alt-N MDaemon Pro (for windows) and it does all of that for me.
I've been looking for a good tutorial on how to prevent the spam usage, but I havent found anything simple enough.

I was thinking of switching email servers to a more easy-to-use (and bloatware) server... unless I can get this fixed.

Any feedback is appreciated.

- Eric

What do you more 'professional' admins do to make sure that your mail server is locked down. What are your security solutions.. ?

I only allow relaying through authenticated SMTP over TLS/SSL (which is easily support by all mail clients that I've had to deal with), or by private addresses on my network. IMAP and POP3 over SSL. I've found many ISPs block smtp access heading off their network, so I run a SMTP server on 465 (smtps) which works great with our road warriors.
I hope that gives you some ideas. I'm running qmail so I know I won't be of any help on how to actually do this.

Kenny

Another option that can be tossed out there is POP before SMTP...

What do you mean by 'default setup'? When you compile sendmail 8.12.9 from the source (as you should do with any software anyway) and build the cf (properly) file from m4 sendmail is secure.

If you need to relay mails from various IPs like I suspect is the case; IMAP before SMTP, POP before SMTP, SMTP with SSL auth etc should work.

What I've found very nice and secure way is to establish ssh connection to your box and forward local port 25 to local port 25 (if windows: both putty and teraterm-ssh does port forwarding) and allow relaying from the localhost in sendmail (I think it's default anyway). Then, in your email client set up the outbound mail relay as localhost. Yes, there's an extra step to ssh to your server but many will do it anyway. This will also relay your emails securely at least between the client and the mail server

Risto

I don't like this solution for a couple reasons:

1. A primary reason to provide SMTP relaying is to support mobile users, i.e. notebooks without a fixed ISP. These users usually have multiple computers, so IMAP is often a better solution than POP.

2. POP by itself is insecure. Anyone sniffing the network can pick up usernames and passwords, so POP before SMTP not only exposes a user mailbox but also provides relaying. You would have to make sure to use POP over SSL or at least APOP.

I would second the authenticated SMTP recommendation. I tunnel through SSH myself, but that's burdensome for average users.

Roy

After googling for a while, I can't seem to find an easy way to enable authenticated SMTP. I can only find stuff related to SASL... I'm not sure if this is what I need. Any ideas?
Thanks,
- Eric

SMTP AUTH is based on SASL, so yes, I think that is what you need.

Yup, you will need sasl to authenticate users through sendmail. The good news is that if you have a recent version of RedHat, it's either already there or easy to add. If you are running redhat and you want some help, I'd be glad to assist. I currently run RedHat 9 with POP/IMAP/SMTP all authenticated to sasl and only allowing users using encryption to connect. It's been working great for me, and I've never had a single SPAM bounced off my server. Lots of attempts, but never one getting through.

--James