4.5.7 Uninstall/Disable sendmail

Information

On AIX, unless sendmail is actually required on the host, uninstall it or disable the binary.

ALSO: if the installed sendmail does not report SASLv2 support, remove the bos.net.tcp.sendmail fileset on AIX 7.2; where that fileset does not exist (AIX 7.1 or a third-party build), set the mode of the sendmail binary to 0 (zero) instead.

Rationale:

Maintaining a secure sendmail MTA (mail transfer agent) is a complex process. Historically, *NIX systems have run a localhost MTA or MSP (mail submission program), but there is no real need these days for every system to have this software installed.

Note: Historically, the AIX sendmail build has not supported the SMTP AUTH feature. Since AIX 7.2 TL4 a new packaging of sendmail (still reported as version 8.15.2, so the version number is not a usable indicator) provides AUTH support indirectly via the SASLv2 (Simple Authentication and Security Layer) API. The only reliable check is whether the binary itself reports SASLv2 among its compiled-in options. Our recommendation is to disable or remove sendmail programs that do not provide SASLv2 support.

Impact:

If not installed, the rest of the recommendations in this section titled Sendmail Configuration may be ignored.

Applications configured to speak to a localhost MTA or MSP may fail to send mail. These applications should be (re-)configured to use STARTTLS or implicit TLS (SMTPS) and submit their mail messages to a hardened MTA host.

Solution

Execute the following command:

# AIX 7.2: remove the sendmail fileset if it is installed (lslpp -Lcq exits
# non-zero when the fileset is absent, so installp is only run when needed).
(lslpp -Lcq bos.net.tcp.sendmail >/dev/null && installp -u bos.net.tcp.sendmail) ||
echo bos.net.tcp.sendmail is not installed

# AIX 7.1 or third-party software, i.e., the fileset bos.net.tcp.sendmail does
# not exist but a sendmail binary does: keep it only if it was built with
# SASLv2 (listed in the "Compiled with:" output of sendmail -d0); otherwise
# strip every permission bit and record the new mode in the Trusted Signature
# Database so that trustchk does not later report the file as altered.
if test -e /usr/sbin/sendmail ; then
    (/usr/sbin/sendmail -d0 </dev/null | grep SASLv2 >/dev/null) || {
        chmod a= /usr/sbin/sendmail
        trustchk -u /usr/sbin/sendmail mode
    }
fi
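The remediation above makes two separate decisions (is the binary built with SASLv2, and has it already been neutralised with mode 0) but folds them into one pipeline. The script below, an added example that is not part of the CIS benchmark text or of any AIX tooling, separates those decisions into small functions so they can be exercised against captured output before being run on a host. It assumes that the option list is taken from `sendmail -d0 </dev/null` (sendmail prints its compile-time options after "Compiled with:"), that a "disabled" sendmail is one whose mode is 0 as set by `chmod a=`, and that the "Compiled with:" strings fed to it are constructed samples, not output from a real AIX system. The function names (`has_saslv2`, `mode_is_zero`, `sendmail_status`) and the `--audit` switch are choices made for this example.

```shell
#!/bin/sh
# Added example (not CIS or IBM code): audit helpers for the sendmail item.
# Assumption: option text comes from `sendmail -d0 </dev/null`, which lists
# the compile-time options after "Compiled with:".

# has_saslv2 "<compiled-with text>": returns 0 when SASLv2 appears as a whole
# token in the option list, 1 otherwise. Whole-token matching avoids accepting
# a build that merely mentions SASL (the v1 API) or some unrelated word.
has_saslv2() {
    _opts=$(printf '%s\n' "$1" | tr '\n' ' ')
    case " $_opts " in
        *" SASLv2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# mode_is_zero <path>: returns 0 when the file exists and no permission bit is
# set (the ls -l mode column reads "----------"), 1 otherwise. ls -ld is used
# rather than stat(1) because its mode column is the same on AIX and Linux.
mode_is_zero() {
    [ -e "$1" ] || return 1
    _mode=$(ls -ld "$1" | cut -c1-10)
    [ "$_mode" = "----------" ]
}

# sendmail_status <path> "<compiled-with text>": classifies a sendmail binary
# for this benchmark item and prints one word:
#   absent     - no file at <path>: compliant, nothing to do
#   disabled   - file present but mode 0: compliant
#   saslv2     - usable binary built with SASLv2: acceptable to keep
#   no-saslv2  - usable binary without SASLv2: remove the fileset or chmod a=
sendmail_status() {
    _path=$1
    _text=$2
    if [ ! -e "$_path" ]; then
        echo absent
    elif mode_is_zero "$_path"; then
        echo disabled
    elif has_saslv2 "$_text"; then
        echo saslv2
    else
        echo no-saslv2
    fi
}

# Live audit: only runs when invoked as "sh audit_sendmail.sh --audit" on a
# host that actually has sendmail; the functions above work without it.
if [ "${1:-}" = "--audit" ]; then
    SM=/usr/sbin/sendmail
    TEXT=""
    if [ -x "$SM" ]; then
        TEXT=$("$SM" -d0 </dev/null 2>&1)
    fi
    echo "sendmail: $(sendmail_status "$SM" "$TEXT")"
fi
```

Run it with `--audit` on the target host to get one of the four status words; a result of `no-saslv2` is the case the remediation above handles with `installp -u` or `chmod a=`, and `disabled` confirms that an earlier `chmod a=` is still in effect (a later fileset update or a `trustchk -y` run could restore the original mode, so the check is worth repeating).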

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Unix

Control ID: 920d11d3332fb0f5cc0c447505154f623b2242828bc1011a438a893533ab6f5d