We would like to enable SQL Mail on SQL Servers. We currently have no way to send e-mails/pages for alerts, etc., for the SQL Server databases. I would like to configure and enable SQL Mail on these servers. I have heard about a security risk associated with this feature. Can you fill me in on the details?
Because it uses a powerful extended stored procedure (XP_sendmail), there exists the possibility for privilege escalation by using SQL Mail. More to the point, however, it seems like an awful lot of overhead just to send a simple e-mail -- you have to have a MAPI-compliant mail client (such as Outlook) on your SQL server! No thanks, in my book. You want to keep your SQL servers as lean as possible -- no Windows Media Player, iTunes, or Solitaire. You don't want to add confusion (and a new vulnerability vector) by adding contact management solutions such as Outlook (count how many Outlook vulns there have been over the years) to your pristine database environment. A much better solution would be to use a COM object or DLL that has no dependencies on other applications, but rather just speaks directly to an SMTP server and shoots the mail out that way without any overhead. One such solution (certainly not the only one) is XPSMTP.DLL by SQLDEV.NET. You can grab version 188.8.131.52