[Mageia-dev] [RFC] msec (nail) can't send reports to local users accounts - require an MTA?

andre999 andre999.mga at laposte.net
Thu Sep 22 23:11:19 CEST 2011


Florian Hubold wrote:
> On 22.09.2011 00:09, Luc Menut wrote:
>> On 21/09/2011 20:35, Florian Hubold wrote:
>>> Hello,
>>>
>>> during validation of msec/sectool update candidates,
>>> a problem showed up: https://bugs.mageia.org/show_bug.cgi?id=1621
>> ...
>>> But if we want security reports to be sent to local users if they
>>> specify so, how to proceed further?
>>
>> msec can work very well without sending these reports by email; all
>> the security reports are available in /var/log/security, and msec
>> notifies the user about this each time it runs, so sendmail is
>> absolutely not mandatory.
>> So I think that msec shouldn't have a Requires on sendmail-command,
>> eventually it can be a Suggest.
>>
>> But perhaps we could/should change the configuration of msec to not
>> send email by default, by adding MAIL_WARN=no in
>> /etc/security/msec/security.conf.
>>
> So, to summarize, there happen to be multiple solutions here:
>
> 1. do NOT require an MTA, let users manually read reports from /var/log/security
> maybe even remove nail from msec Requires as it is currently non-functional.

Reading from /var/log/security is not especially user-friendly, and will be 
ignored by less savvy users.

> Also Luc's proposal cited above could be realized.

see below.

> 2. do require sendmail-command, which will pose a problem to users
> installing from the CLI, because they are presented with a choice:
>
> One of the following packages is required:
> 1 dma
> 2 ssmtp
> 3 postfix
> 4 sendmail
> 5 msmtp
> Please make a selection:
>
> Additionally this will force an MTA onto every default installation and every
> installation that currently has msec installed.

Solution 3 avoids the complication of choosing, with virtually no disadvantage.

> 3. do require dma, which is a rather minimal MTA, and delivers without configuration
> Please see https://bugs.mageia.org/show_bug.cgi?id=2255#c36 for details.
> This would also allow coexistence with an already-installed MTA, IIUC.

(dragonfly mail agent)
If this works, I'd say that it is the best solution, since it is very compact 
(64k), and virtually every system will have the DNS it requires installed.
(Unless of course they don't have Internet or network access.  In which case 
msec would not be particularly important.)
Note that it is only at version 0.2 (or 0.3 upstream), so we should test it 
carefully.

> 4. Try to fix nail, which is required by msec and so in every default installation,
> so that it is able to deliver mail by itself, without sendmail.

Solution #3 seems much better in every respect.

> Please give your votes.

Solution 3, with changes/verifications noted below.
Since it is much simpler for the end-user to always have the capability to send 
security alerts if an email address is entered, without installing anything extra.

There are 2 options at the bottom of the first security page of msec, which 
should already realise Luc's proposals.  They may have to be fixed.

a) An option to send a security alert by email, where one enters the email 
address.  By default it is checked.
However, if no valid format email address is entered, an email should _not_ be 
sent.
As well, we should display something similar to
"(Enter {userid}@localhost for a local user.)",
to help ensure that the user enters a valid local address.
(Note that there are multi-line descriptions for all the other options above on 
the same page, so this would fit nicely.)

b) An option to display security alerts on the desktop.  Again, checked by 
default.  They should probably remain visible until the user dismisses them. 
(They currently display for a few seconds, then disappear.)

My 2 cents :)

-- 
André

