Comment 8 for bug 482080

I'd even recommend to restrict it a bit more:

  owner /tmp/antispam-mail*/ rw,
  owner /tmp/antispam-mail*/* rwkl,

sendmail might be a candidate for a child profile. Such a (maybe too generous) profile already exists in the dovecot-lda profile, so cleaning it up and removing permissions that are not needed for "just" sending a mail might be a good idea.

I won't object if you provide a generic sendmail profile that we can Px into (feel free to use the child profile in dovecot-lda as a base), but that needs much more testing before shipping and enforcing it in the default setup.