
Configure sendmail Service for Local-Only Mode

Details

In Solaris 11, the sendmail service is set to local only mode by default. This means that users on remote systems cannot connect to the sendmail service, eliminating the possibility of a remote exploit attack against some future sendmail vulnerability. Leaving sendmail in local-only mode permits mail to be sent out from the local system. If the local system will not be processing or sending any mail, this service can be disabled.

However, if sendmail is disabled completely, email messages sent to the root account (such as cron job output or audit service warnings) will fail to be delivered.

An alternative approach is to disable the sendmail service and create a cron job to process all mail that is queued on the local system, sending it to a relay host defined in the sendmail.cf file. It is recommended that sendmail be left in local-only mode unless there is a specific requirement to completely disable it.

Rationale:

The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA’s daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems.

Solution

To disable this service, run the following command:

# svcadm disable svc:/network/smtp:sendmail
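
To check the state described above, the following audit script is an added example and not part of the benchmark text. It assumes sendmail runs as the SMF instance `svc:/network/smtp:sendmail` with the `config/local_only` property, and it falls back to a constructed netstat sample when the SMF tools are not present.

```shell
#!/bin/sh
# Added example: audit sendmail's local-only mode on Solaris 11.
# Assumption: sendmail runs as the SMF instance below (not named on the page).
FMRI=svc:/network/smtp:sendmail

# Read `netstat -an -P tcp` output on stdin and print every local address
# listening on port 25 that is not bound to loopback.
exposed_smtp_listeners() {
    awk '/LISTEN/ && $1 ~ /\.25$/ && $1 !~ /^(127\.0\.0\.1|::1)\./ { print $1 }'
}

# verdict STATE LOCAL_ONLY EXPOSED: print the finding; return 0 only on PASS.
verdict() {
    state=$1; local_only=$2; exposed=$3
    if [ -n "$exposed" ]; then
        echo "FAIL: SMTP reachable from the network on: $exposed"; return 1
    fi
    case "$state" in
        disabled) echo "PASS: sendmail disabled (mail to root will not be delivered)" ;;
        online)
            if [ "$local_only" = "true" ]; then
                echo "PASS: sendmail online in local-only mode"
            else
                echo "FAIL: config/local_only is '$local_only', expected 'true'"; return 1
            fi ;;
        *) echo "FAIL: unexpected service state '$state'"; return 1 ;;
    esac
}

# Constructed sample of Solaris netstat output, used when SMF tools are absent.
SAMPLE='127.0.0.1.25         *.*                0      0 128000      0 LISTEN
*.22                 *.*                0      0 128000      0 LISTEN'

if command -v svcprop >/dev/null 2>&1; then
    verdict "$(svcs -H -o state "$FMRI")" \
            "$(svcprop -p config/local_only "$FMRI")" \
            "$(netstat -an -P tcp | exposed_smtp_listeners)"
else
    verdict online true "$(printf '%s\n' "$SAMPLE" | exposed_smtp_listeners)"
fi
```

A listener on a non-loopback address fails the check regardless of the property value, which catches a property change that was never applied with a service refresh.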

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity. This control applies to the following type of system: Unix.

Updated on July 16, 2022