SQLMail security concerns | SQL Server Performance Forums

SQL Server Performance Forum – Threads Archive

SQLMail security concerns

Hi all, I am looking at setting up SQLmail to allow for automated reactive emails based on certain events, as well as reporting based on certain conditions – for example queue lengths > 20 for one of our applications (simple select from a table). However, there is quite a bit of pushback due to concerns regards SQLmail security. In the bad old days of SQL7 sa "blank" default, I can see that this would be a big concern, but with a properly secured SA password (which no-one uses) and a normal domain user that has local admin and sign-on as service rights on the SQL server to run the SQL server, what issues are there ? My understanding of the main "concerns" are largely 2 categories: Viruses, trojans etc. from incoming mail.
An attacker using SQL to do mass mailing etc. Are there others? Panic, Chaos, Disorder … my work here is done –unknown
Install Virus scanner on the Exchange server in order to track any virus attacks. And get instant updates on all the security alerts issued by MS from herehttp://www.microsoft.com/security/bulletins/alerts.mspx Disable SQL Mail capability unless absolutely necessary. Leaving it open gives a potential attacker another means of delivering potential trojans, viruses, or simply launching a particularly nasty denial of service attack. And refer to this KBAhttp://support.microsoft.com/default.aspx?kbid=263556 for general information on SQLMail alongwith setup. Satya SKJ
Moderator
http://www.SQL-Server-Performance.Com/forum
This posting is provided “AS IS” with no rights for the sake of knowledge sharing.
Hi Satya, Thanks for the response. I am reviewing what it is we want to achieve here, and doing a re-think about how we will achieve it – think along the lines of: 1st thing is to identify the pro#%92s and con#%92s to using SQLMail: 2nd thing is to identify what we want to achieve using this: 3rd things is to identify potential alternatives, and describe their abilities and map these to the pro#%92s and con#%92s of SQLMail (point 1), and the facilities we are trying to establish (point 2) 4th would be to note potential future path#%92s, impacts etc. So I guess I’ll be hitting the forums a bit on what people have done and have used, for example CDO etc. CiaO 4 NoW Panic, Chaos, Disorder … my work here is done –unknown
Due to limitations and if you’re concerned about security threat using SQL Mail then you can always deploy the CDO method in order to get the task accomplished. But you can overcome certain threats by keeping the environment upto date by liasing with MS Security updates on OS, SQL , Exchange Server etc. We never had such issues with SQL Mail or using CDO (in certain services), only the part is to look for security setup and how you control the mailing pattern. I would definetly expect fellow peers comments, to expose their experiences so far. Satya SKJ
Moderator
http://www.SQL-Server-Performance.Com/forum
This posting is provided “AS IS” with no rights for the sake of knowledge sharing.
I’ve been using SQLMail for years now and have never had any security problems. I lock my SQL Servers down tight though, keep them patched, and monitor regularly for "undesired" behavior. The only problem I have with SQLMail, which they’re addressing in Yukon, is using MAPI still. Give me a freaking break….MAPI???? It’s unreliable; and everytime they monkey with Exchange I end up going in and restarting all the SQLMail services to make sure they still work. Other then that, I haven’t had any problems. We do also use CDO mail. It’s a pretty nice solution. It does introduce another variable into the environment that needs monitored though. MeanOldDBA
[email protected] When life gives you a lemon, fire the DBA.
]]>