SMRSH ALONE IS NOT A SECURE SOLUTION

Regarding smrsh: it is only as secure as you make it. If you permit no programs at all, you might as well make the prog mailer /bin/false. If you permit everything, you might as well not have smrsh. The problem is the borderline: procmail and filter, two popular mail filtering programs (the latter ships with elm, so you might not even be aware you have installed it), can execute arbitrary commands on their input, and the rules file they read can be chosen from the command line. This means that an envelope From could be:

    MAIL FROM: /usr/local/bin/filter -f /tmp/filt

and /tmp/filt, the elm filter rules file, could be:

    if always execute /usr/ucb/tail|/bin/sh

and then you are back to square one once a cracker discovers this. I don't think a full example is necessary for this one: merely change the MAIL FROM: line in my telnet example and this will work.

It should be noted that the smrsh procmail/filter holes require the cracker to have write access to your machine in a place readable by uid daemon (the example above uses /tmp, which usually suffices). Therefore, IF YOU USE AN UNMODIFIED SMRSH, YOUR SENDMAIL IS STILL VULNERABLE!!!
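To make the borderline concrete, here is an added example (my own illustration, not code from the posting, from sendmail or from smrsh) that models what an unmodified smrsh checks and what it does not. smrsh refuses shell metacharacters on the command line and requires the program's basename to appear in its program directory, but it never looks at the arguments, so an allowlisted filter called with an attacker-supplied rules file passes. The second function adds the check a modified smrsh would need: for filters that accept a rules file, the file must live under a directory the attacker cannot write, and bare arguments (which procmail treats as rc files) are refused. The allowlist, the trusted directory /etc/mail/rules/, the option table and the sample command lines are all constructed assumptions for this illustration.

```python
"""Model of the smrsh program check, and the argument check it lacks.

Added example, not code from the original posting or from sendmail/smrsh.
The allowlist, trusted-directory policy and sample command lines are
constructed for illustration.
"""
import os

# Constructed allowlist: names an administrator might have linked into the
# smrsh program directory (historically /usr/adm/sm.bin).
SM_BIN_ALLOWED = {"vacation", "procmail", "filter"}

# Shell metacharacters smrsh refuses anywhere on the command line.
# An approximation of smrsh's own list, sufficient for the point made here.
SMRSH_FORBIDDEN = set("`$;|<>&\r\n")


def smrsh_allows(cmdline):
    """Unmodified smrsh: no metacharacters, and the basename of the first
    word must be in the program directory.  Arguments are not inspected."""
    if any(ch in SMRSH_FORBIDDEN for ch in cmdline):
        return False
    words = cmdline.split()
    if not words:
        return False
    return os.path.basename(words[0]) in SM_BIN_ALLOWED


# --- the check an unmodified smrsh lacks --------------------------------
# Assumed policy (not part of smrsh): which option of each allowlisted
# filter names a rules file, and where such a file is allowed to live.
# procmail's -m actually allows parameter=value words before the rcfile;
# this model takes the rcfile immediately after -m, which is stricter.
RULES_FILE_OPTS = {
    "filter": {"-f"},    # elm filter, as in the posting's example
    "procmail": {"-m"},  # procmail -m rcfile
}
TRUSTED_RULE_DIRS = ("/etc/mail/rules/",)  # assumed: not writable by daemon


def _under_trusted_dir(path):
    # normpath collapses "..", so /etc/mail/rules/../../../tmp/x is caught
    norm = os.path.normpath(path)
    return any(norm.startswith(d) for d in TRUSTED_RULE_DIRS)


def hardened_allows(cmdline):
    """smrsh's check plus an argument policy for filters that read a rules
    file: the file must be under a trusted directory, and bare arguments
    (procmail treats them as rc files) are refused.  Programs not in
    RULES_FILE_OPTS are handled exactly as smrsh handles them."""
    if not smrsh_allows(cmdline):
        return False
    prog, *args = cmdline.split()
    prog = os.path.basename(prog)
    if prog not in RULES_FILE_OPTS:
        return True
    opts = RULES_FILE_OPTS[prog]
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in opts:
            # option that names a rules file: operand must be trusted
            if i + 1 >= len(args) or not _under_trusted_dir(args[i + 1]):
                return False
            i += 2
        elif arg.startswith("-"):
            i += 1  # other flags are allowed; their operands fall through
        else:
            return False  # bare argument: a possible rc file or path
    return True


def demo():
    """The posting's envelope From, run through both checks."""
    attack = "/usr/local/bin/filter -f /tmp/filt"
    return smrsh_allows(attack), hardened_allows(attack)


if __name__ == "__main__":
    plain, hardened = demo()
    print("unmodified smrsh accepts attack:", plain)   # True
    print("hardened check accepts attack:", hardened)  # False
```

The point of the model is the asymmetry: `/usr/ucb/tail|/bin/sh` is stopped by the metacharacter test, but `filter -f /tmp/filt` contains nothing smrsh objects to, so the only defence is to constrain which rules file the allowlisted filter may read. Whatever directory you choose for that must itself be unwritable by the daemon user and by ordinary users, or the check is worthless.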