sendmail might be a candidate for a child profile. Such a (maybe too generous) profile already exists in the dovecot-lda profile, so cleaning it up and removing permissions that are not needed for "just" sending a mail might be a good idea.
I won't object if you provide a generic sendmail profile that we can Px into (feel free to use the child profile in dovecot-lda as a base), but that needs much more testing before shipping and enforcing it in the default setup.
I'd even recommend to restrict it a bit more:
owner /tmp/antispam- mail*/ rw, mail*/* rwkl,
owner /tmp/antispam-
sendmail might be a candidate for a child profile. Such a (maybe too generous) profile already exists in the dovecot-lda profile, so cleaning it up and removing permissions that are not needed for "just" sending a mail might be a good idea.
I won't object if you provide a generic sendmail profile that we can Px into (feel free to use the child profile in dovecot-lda as a base), but that needs much more testing before shipping and enforcing it in the default setup.