
Enabling SQL Mail on SQL Server

Expert Steven Andres describes why you should not enable SQL Mail on SQL Servers and the security risk associated with this feature.

We would like to enable SQL Mail on SQL Servers. We currently have no way to send e-mails/pages for alerts, etc., for the SQL Server databases. I would like to configure and enable SQL Mail on these servers. I have heard about a security risk associated with this feature. Can you fill me in on the details?
Because it uses a powerful extended stored procedure (XP_sendmail) there exists the possibility for privilege escalation by using SQL Mail. More to the point, however, it seems like an awful lot of overhead just to send a simple e-mail -- you have to have a MAPI-compliant mail client (such as Outlook) on your SQL server! No thanks, in my book. You want to keep your SQL servers as lean as possible -- no Windows Media Player, iTunes, or Solitaire. You don't want to add confusion (and a new vulnerability vector) by adding contact management solutions such as Outlook (count how many Outlook vulns there have been over the years) to your pristine database environment. A much better solution would be to use a COM object or DLL that has no dependencies on other applications, but rather just speaks directly to an SMTP server and shoots the mail out that way without any overhead. One such solution (certainly not the only one) is XPSMTP.DLL by SQLDEV.NET. You can grab version here.
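To check whether a server already exposes the SQL Mail surface discussed above, the following audit queries are an added example and not part of the expert's answer. They assume SQL Server 2005 or later (the catalog views and the `SQL Mail XPs` option do not exist on earlier versions) and a login that can read metadata in `master`.

```sql
-- Added audit example. Assumes SQL Server 2005 or later and a login
-- that can read metadata in master.
USE master;

-- 1. Is the SQL Mail extended stored procedure surface enabled?
--    value_in_use = 1 means xp_sendmail and related procedures can run.
SELECT name,
       CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name = N'SQL Mail XPs';

-- 2. Which principals hold an explicit permission on xp_sendmail?
--    Anything other than a tightly scoped role here deserves review,
--    in particular an EXECUTE grant to public.
SELECT pr.name            AS principal_name,
       pr.type_desc       AS principal_type,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.all_objects          AS o
  ON o.object_id = pe.major_id
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1               -- object-level permissions only
  AND o.name = N'xp_sendmail';
```

Members of the sysadmin role can execute the procedure regardless of what the second query returns, and both queries return no rows on versions where SQL Mail is not present.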
