Sendmail Open Source

Email Security and Protection


The sendmail Sentrion platform is specifically designed for large, complex environments, but we make a subset of that solution available as an open-source offering. Sentrion is not for everyone, but if you are using open source email for a large complex environment and need an enterprise platform that will enable your messaging roadmap for years to come (virtualisation, consolidation, cloud migration, etc.), speak with a specialist to see if Sendmail Sentrion is right for you.

Current Sendmail Open Source Release

Sendmail 8.16.1 is available from ftp.sendmail.org. The release has a gzipped tar file and a PGP signature file. The compressed/gzipped tar files are signed by the 2020 signing key PGP signature file. See the Security and PGP Signing Keys section for more information about how releases are signed. 

Important: Before downloading, please review the sendmail licensing terms.

Security and PGP Signing Keys

Security advisories are issued by The Computer Emergency Response Team CERT. Sendmail server related security problems should be sent to:

sendmail-security-YYYY@support.sendmail.org

Replace YYYY with the current year, e.g., 2015. This address is only for reporting security problems in sendmail. When reporting security problems, please use PGP-the public key is available in the file PGPKEYS of the sendmail distribution.

Please do not use this address to report problems that are not related to the security of the sendmail server. Questions about avoiding spam risk, how to set up your own certificate authorities, etc. should be posted in comp.mail.sendmail, and Unix-related security in the comp.security.unix newsgroup.

All sendmail distributions are signed with a PGP key named "Sendmail Signing Key/YYYY" where YYYY is the year of release.

Signing Keys

Sendmail Signing Keys Fingerprint
2024 8AB0 63D7 A4C5 939D A9C0  1E38 C406 5A87 C71F 6844
2023 8186 4A03 75F2 7810 64FE  8E4D CFF9 F967 40ED 9550
2022 6327 DDCB 5E7E 80E4 987E  A3B7 FD79 DC0C 81D9 210A
2021 F4CE 2263 2102 53D6 A9F9 79B0 4C66 EA8D 4BEE 1BEE
2020 ADFD B709 FE1E A682 E585 5971 D583 210E F514 71A7
2019 50A3 0309 8EA2 DD7B CBEE 2ADA 09E0 1FA0 3C0C 504E
2018 A687 3D24 A4D6 D628 4AE4 2A75 F060 59FD 5DC7 CC3F
2017 3C8A 1E8E 7F44 CADE 114F ED46 4BC9 BDA6 6BF7 26AD
2016 0F5C 96AE C8E6 9E9C 8E54 2E5C 6D4C D194 29FB 03DE
2015 30BC A747 05FA 4154 5573 1D7B AAF5 B5DE 05BD CC53
2014 49F6 A8BE 8473 3949 5191 6F3B 61DE 11EC E276 3A73
2013 B87D 4569 86F1 9484 07E5 CCB4 3D68 B25D 5207 CAD3
2012 CA7A 8F39 A241 9FFF B0A9 AB27 8E5A E9FB CEEE F43B
2011 5872 6218 A913 400D E660 3601 39A4 C77D A978 84B0
2010 B175 9644 5303 5DCE DD7B E919 604D FBF2 8541 0ABE
2009 33 3A 62 61 2C F3 21 AA 4E 87 47 F2 2F 2C 40 4D
2008 07 FB 9A F9 F7 94 4B E4 0F 28 D1 8E 23 6F A2 B0
2007 D9 FD C5 6B EE 1E 7A A8 CE 27 D9 B9 55 8B 56 B6
2006 E3 F4 97 BC 9F DF 3F 1D 9B 0D DF D5 77 9A C9 79

 

If the signature does not match any of these keys, you may have a forgery.

Older Releases

Sendmail Signing Keys Fingerprint
2005 4B 38 0E 0B 41 E8 FC 79 E9 7E 82 9B 04 23 EC 8A
2004 46 FE 81 99 48 75 30 B1 3E A9 79 43 BB 78 C1 D4
2003 C4 73 DF 4A 97 9C 27 A9 EE 4F B2 BD 55 B5 E0 0F
2002 7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45
2001 59 AF DC 3E A2 7D 29 56 89 FA 25 70 90 0D 7E C1
2000 81 8C 58 EA 7A 9D 7C 1B 09 78 AC 5E EB 99 08 5D
1999 25 73 4C 8E 94 B1 E8 EA EA 9B A4 D6 00 51 C3 71
Used for: 8.9.3
1998 F9 32 40 A1 3B 3A B6 DE B2 98 6A 70 AF 54 9D 26
Used for: 8.9.0 through 8.9.2
1997 CA AE F2 94 3B 1D 41 3C 94 7B 72 5F AE 0B 6A 11
Used for: 8.8.6 through 8.8.8
Prior to sendmail 8.8.6,
distributions were signed
by Eric Allman.
C0 28 E6 7B 13 5B 29 02 6F 7E 43 3A 48 4F 45 29

Contact Us

These addresses are for contributing patches or reporting problems about V8 sendmail. The members of these lists do not have the resources to support vendor versions. Before sending to any of these addresses, please check the FAQ and the files README, sendmail/README (on this web-site as Compiling Sendmail) and cf/README (on this web-site as the Configuration README pages) to see if they are already answered; about half of the questions received can be answered in this way.

Notes

  • Do not send us mail in HTML format, use plain text only (even multipart/alternative with an HTML part will be classified as spam by some of our members and hence an answer will most likely be delayed).
  • Do not use 8bit characters in the Subject: nor use some encoding, e.g., =?GB2312?B?, but only plain 7bit ASCII without any charset encoding.
  • If you send e-mail to sendmail.org, the answer will most likely not come from a system in the sendmail.org domain. If you use some anti-spam techniques (e.g., challenge-response systems) or you block hosts that are connected via DSL then please do not expect an answer. More and more often replies are blocked which is very annoying. Do not block this address or make sure that your system accepts at least STARTTLS secured mail. A list of IPs is available in the sendmail.org SPF record.
  • If you use a challenge/response system, make sure that it does NOT send us a challenge when we reply to your question or when you receive mail from the announce list. We will not reply to those annoying mails.
  • If you are using the blacklist from spamlist.org then please do not send us e-mail, the reply of the sendmail maintainer will not reach you.
  • Do not send us mail in proprietary formats.
  • The mailservers for support.sendmail.org now (2004-11-24) use the following DNSBLs:
    • sbl-xbl.spamhaus.org
    • dnsbl.sorbs.net
    • list.dsbl.org
    • bl.spamcop.net
  • The mailserver for support.sendmail.org performs strict RFC checks, for example, it does not accept mail if the domain part has an MX record that points to an IP address (instead of hostname as required).

If you have a question about sendmail, then please post it to the Usenet group comp.mail.sendmail. This newsgroup is dedicated to sendmail. Please make sure you check the usual resources before posting and follow the netiquette.

E-mail addresses to contact sendmail.org are (do not send questions about sendmail to these addresses, see above instead; replace YYYY with the current year, e.g., 2006, in all of these addresses):

  • sendmail-YYYY@support.sendmail.org for contributing patches, feature requests, and general comments but not questions how to use, install, or configure sendmail;
  • sendmail-bugs-YYYY@support.sendmail.org to report implementation bugs;
  • sendmail-faq-YYYY@support.sendmail.org only for comments / questions about the FAQ. Please mark your mail clearly with "FAQ: item" where item is the entry in the faq to which you are referring. If it is a general comment about the FAQ, use "FAQ: general", if it is an addition, use "FAQ: new".
  • sendmail-security-YYYY@support.sendmail.org (use this only to report related bugs or problems in sendmail). Please do not use this to ask about problems with your configuration, including how to stop spam, how to set up your own certificate authority, how to make sendmail work with S/MIME, etc. All such questions should be asked in comp.mail.sendmail. Also, please do not tell us that you were able to forge mail by using telnet to connect to port 25; this is fundamental to the Internet design for SMTP, and not a sendmail bug. Please use encryption to send mail to this address.
  • sendmail-mirror-YYYY@support.sendmail.org for updates about a mirror (e.g., a new mirror or an address change).
  • webmaster-YYYY@support.sendmail.org for comments about the website.

These are not open lists, meaning that subscription is by invitation only.

DKIM

The Domain Keys Identified Mail (DKIM) Internet standard enables email senders to digitally sign their messages so that receivers can verify that those messages have not been forged. The DKIM sender authentication scheme allows the recipient of a message to confirm a message originated with the sender’s domain and that the message content has not been altered. A cryptography-based solution, DKIM provides businesses an industry-standard method for mitigating email fraud and protecting an organization’s brand and reputation at a relatively low implementation cost.

DKIM has been approved by the IETF as a draft standard (RFC 4871). The protocol was developed through the cooperation of Sendmail, Cisco Systems and Yahoo!

Since being approved by the IETF, a new open source project was started. The OpenDKIM Project is a community effort to develop and maintain a C library for producing DKIM-aware applications and an open source milter for providing DKIM service.

The project started from a code fork of version 2.8.3 of the open source dkim-milter package developed and maintained by Sendmail, Inc.

The Sendmail Sentrion Message Processing Engine comes standard with OpenDKIM. More information is available at opendkim.org and dkim.org

List of Mirrors
Learn More
How to Mirror
Learn More