Sendmail Open Source
Email Security and Protection
The sendmail Sentrion platform is specifically designed for large, complex environments, but we make a subset of that solution available as an open-source offering. Sentrion is not for everyone, but if you are using open source email for a large complex environment and need an enterprise platform that will enable your messaging roadmap for years to come (virtualization, consolidation, cloud migration, etc.), speak with a specialist to see if Sendmail Sentrion is right for you.
Current Sendmail Open Source Release
Security advisories are issued by The Computer Emergency Response Team CERT. Sendmail server related security problems should be sent to:
Replace YYYY with the current year, e.g., 2015. This address is only for reporting security problems in sendmail. When reporting security problems, please use PGP-the public key is available in the file PGPKEYS of the sendmail distribution.
Please do not use this address to report problems that are not related to the security of the sendmail server. Questions about avoiding spam risk, how to set up your own certificate authorities, etc. should be posted in comp.mail.sendmail, and Unix-related security in the comp.security.unix newsgroup.
All sendmail distributions are signed with a PGP key named "Sendmail Signing Key/YYYY" where YYYY is the year of release.
|Sendmail Signing Keys
|8AB0 63D7 A4C5 939D A9C0 1E38 C406 5A87 C71F 6844
|8186 4A03 75F2 7810 64FE 8E4D CFF9 F967 40ED 9550
|6327 DDCB 5E7E 80E4 987E A3B7 FD79 DC0C 81D9 210A
|F4CE 2263 2102 53D6 A9F9 79B0 4C66 EA8D 4BEE 1BEE
|ADFD B709 FE1E A682 E585 5971 D583 210E F514 71A7
|50A3 0309 8EA2 DD7B CBEE 2ADA 09E0 1FA0 3C0C 504E
|A687 3D24 A4D6 D628 4AE4 2A75 F060 59FD 5DC7 CC3F
|3C8A 1E8E 7F44 CADE 114F ED46 4BC9 BDA6 6BF7 26AD
|0F5C 96AE C8E6 9E9C 8E54 2E5C 6D4C D194 29FB 03DE
|30BC A747 05FA 4154 5573 1D7B AAF5 B5DE 05BD CC53
|49F6 A8BE 8473 3949 5191 6F3B 61DE 11EC E276 3A73
|B87D 4569 86F1 9484 07E5 CCB4 3D68 B25D 5207 CAD3
|CA7A 8F39 A241 9FFF B0A9 AB27 8E5A E9FB CEEE F43B
|5872 6218 A913 400D E660 3601 39A4 C77D A978 84B0
|B175 9644 5303 5DCE DD7B E919 604D FBF2 8541 0ABE
|33 3A 62 61 2C F3 21 AA 4E 87 47 F2 2F 2C 40 4D
|07 FB 9A F9 F7 94 4B E4 0F 28 D1 8E 23 6F A2 B0
|D9 FD C5 6B EE 1E 7A A8 CE 27 D9 B9 55 8B 56 B6
|E3 F4 97 BC 9F DF 3F 1D 9B 0D DF D5 77 9A C9 79
If the signature does not match any of these keys, you may have a forgery.
|Sendmail Signing Keys
|4B 38 0E 0B 41 E8 FC 79 E9 7E 82 9B 04 23 EC 8A
|46 FE 81 99 48 75 30 B1 3E A9 79 43 BB 78 C1 D4
|C4 73 DF 4A 97 9C 27 A9 EE 4F B2 BD 55 B5 E0 0F
|7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45
|59 AF DC 3E A2 7D 29 56 89 FA 25 70 90 0D 7E C1
|81 8C 58 EA 7A 9D 7C 1B 09 78 AC 5E EB 99 08 5D
|25 73 4C 8E 94 B1 E8 EA EA 9B A4 D6 00 51 C3 71
Used for: 8.9.3
|F9 32 40 A1 3B 3A B6 DE B2 98 6A 70 AF 54 9D 26
Used for: 8.9.0 through 8.9.2
|CA AE F2 94 3B 1D 41 3C 94 7B 72 5F AE 0B 6A 11
Used for: 8.8.6 through 8.8.8
|Prior to sendmail 8.8.6,
distributions were signed
by Eric Allman.
|C0 28 E6 7B 13 5B 29 02 6F 7E 43 3A 48 4F 45 29
These addresses are for contributing patches or reporting problems about V8 sendmail. The members of these lists do not have the resources to support vendor versions. Before sending to any of these addresses, please check the FAQ and the files README, sendmail/README (on this web-site as Compiling Sendmail) and cf/README (on this web-site as the Configuration README pages) to see if they are already answered; about half of the questions received can be answered in this way.
- Do not send us mail in HTML format, use plain text only (even multipart/alternative with an HTML part will be classified as spam by some of our members and hence an answer will most likely be delayed).
- Do not use 8bit characters in the Subject: nor use some encoding, e.g., =?GB2312?B?, but only plain 7bit ASCII without any charset encoding.
- If you send e-mail to sendmail.org, the answer will most likely not come from a system in the sendmail.org domain. If you use some anti-spam techniques (e.g., challenge-response systems) or you block hosts that are connected via DSL then please do not expect an answer. More and more often replies are blocked which is very annoying. Do not block this address or make sure that your system accepts at least STARTTLS secured mail. A list of IPs is available in the sendmail.org SPF record.
- If you use a challenge/response system, make sure that it does NOT send us a challenge when we reply to your question or when you receive mail from the announce list. We will not reply to those annoying mails.
- If you are using the blacklist from spamlist.org then please do not send us e-mail, the reply of the sendmail maintainer will not reach you.
- Do not send us mail in proprietary formats.
- The mailservers for support.sendmail.org now (2004-11-24) use the following DNSBLs:
- The mailserver for support.sendmail.org performs strict RFC checks, for example, it does not accept mail if the domain part has an MX record that points to an IP address (instead of hostname as required).
If you have a question about sendmail, then please post it to the Usenet group comp.mail.sendmail. This newsgroup is dedicated to sendmail. Please make sure you check the usual resources before posting and follow the netiquette.
E-mail addresses to contact sendmail.org are (do not send questions about sendmail to these addresses, see above instead; replace YYYY with the current year, e.g., 2006, in all of these addresses):
- sendmail-YYYY@support.sendmail.org for contributing patches, feature requests, and general comments but not questions how to use, install, or configure sendmail;
- sendmail-bugs-YYYY@support.sendmail.org to report implementation bugs;
- sendmail-faq-YYYY@support.sendmail.org only for comments / questions about the FAQ. Please mark your mail clearly with "FAQ: item" where item is the entry in the faq to which you are referring. If it is a general comment about the FAQ, use "FAQ: general", if it is an addition, use "FAQ: new".
- sendmail-security-YYYY@support.sendmail.org (use this only to report related bugs or problems in sendmail). Please do not use this to ask about problems with your configuration, including how to stop spam, how to set up your own certificate authority, how to make sendmail work with S/MIME, etc. All such questions should be asked in comp.mail.sendmail. Also, please do not tell us that you were able to forge mail by using telnet to connect to port 25; this is fundamental to the Internet design for SMTP, and not a sendmail bug. Please use encryption to send mail to this address.
- sendmail-mirror-YYYY@support.sendmail.org for updates about a mirror (e.g., a new mirror or an address change).
- webmaster-YYYY@support.sendmail.org for comments about the website.
These are not open lists, meaning that subscription is by invitation only.
The Domain Keys Identified Mail (DKIM) Internet standard enables email senders to digitally sign their messages so that receivers can verify that those messages have not been forged. The DKIM sender authentication scheme allows the recipient of a message to confirm a message originated with the sender’s domain and that the message content has not been altered. A cryptography-based solution, DKIM provides businesses an industry-standard method for mitigating email fraud and protecting an organization’s brand and reputation at a relatively low implementation cost.
DKIM has been approved by the IETF as a draft standard (RFC 4871). The protocol was developed through the cooperation of Sendmail, Cisco Systems and Yahoo!
Since being approved by the IETF, a new open source project was started. The OpenDKIM Project is a community effort to develop and maintain a C library for producing DKIM-aware applications and an open source milter for providing DKIM service.
The project started from a code fork of version 2.8.3 of the open source dkim-milter package developed and maintained by Sendmail, Inc.