We would like to enable SQL Mail on SQL Servers. We currently have no way to send e-mails/pages for alerts, etc., for the SQL Server databases. I would like to configure and enable SQL Mail on these servers. I have heard about a security risk associated with this feature. Can you fill me in on the details?
Because it uses a powerful extended stored procedure (xp_sendmail), there exists the possibility for privilege escalation by using SQL Mail. More to the point, however, it seems like an awful lot of overhead just to send a simple e-mail -- you have to have a MAPI-compliant mail client (such as Outlook) on your SQL Server! No thanks, in my book. You want to keep your SQL Servers as lean as possible -- no Windows Media Player, iTunes, or Solitaire. You don't want to add confusion (and a new vulnerability vector) by adding contact management solutions such as Outlook (count how many Outlook vulns there have been over the years) to your pristine database environment. A much better solution would be to use a COM object or DLL that has no dependencies on other applications, but rather just speaks directly to an SMTP server and shoots the mail out that way without any overhead. One such solution (certainly not the only one) is XPSMTP.DLL by SQLDEV.NET. You can grab version 184.108.40.206
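Whichever mail mechanism you end up with, the first thing to check on an existing server is who can already call xp_sendmail. Its @query parameter executes an arbitrary query and mails the result set, so EXECUTE on that procedure is effectively a data-export right. The following T-SQL, written for SQL Server 2000's master database as an added example and not part of the expert's answer, lists the registration and current grants and then removes any grant to public:

```sql
-- Added example: audit and tighten xp_sendmail in the master database.
-- Assumes SQL Server 2000 and a sysadmin connection; not part of the original Q&A.
USE master;
GO

-- Confirm whether the extended procedure is registered at all and which DLL backs it.
-- If nothing comes back, SQL Mail's entry point is not present and there is nothing to lock down.
EXEC sp_helpextendedproc 'xp_sendmail';
GO

-- List every login/role holding permissions on it. By default only sysadmin and
-- db_owner in master can execute it; any other grantee here was added by someone.
EXEC sp_helprotect @name = 'xp_sendmail';
GO

-- Remove the broadest grant. Repeat for any individual login listed above that
-- has no operational need to send mail from the database engine.
REVOKE EXECUTE ON xp_sendmail FROM public;
GO

-- Re-run the permission listing to verify the change took effect.
EXEC sp_helprotect @name = 'xp_sendmail';
GO
```

Run the audit portion on every instance before deciding whether SQL Mail is even worth enabling; if the procedure is registered but nobody outside sysadmin holds EXECUTE, the remaining exposure is the MAPI client footprint the answer above describes rather than the procedure itself.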