[Mageia-dev] [RFC] msec (nail) can't send reports to local users accounts - require an MTA?

Florian Hubold doktor5000 at arcor.de
Wed Sep 28 14:40:46 CEST 2011


On 22.09.2011 21:37, Florian Hubold wrote:
> On 22.09.2011 00:09, Luc Menut wrote:
>> On 21/09/2011 20:35, Florian Hubold wrote:
>>> Hello,
>>>
>>> during validation of msec/sectool update candidates,
>>> a problem showed up: https://bugs.mageia.org/show_bug.cgi?id=1621
>> ...
>>>
>>> But if we want security reports to be sent to local users if they
>>> specify so, how to proceed further?
>>>
>>
>> msec can work very well without sending these reports by email; all the
>> security reports are available in /var/log/security, and msec notifies the
>> user about this each time it runs, so sendmail is absolutely not mandatory.
>> So I think that msec shouldn't have a Requires on sendmail-command,
>> eventually it can be a Suggest.
>>
>> But perhaps we could/should change the configuration of msec to not send
>> email by default, by adding MAIL_WARN=no in /etc/security/msec/security.conf.
>>
>>
> So, to summarize, there happen to be multiple solutions here:
>
>
> 1. do NOT require an MTA, let users manually read reports from /var/log/security
>     maybe even remove nail from msec Requires as it is currently non-functional.
>     Also Luc's proposal cited above could be realized.
>
> 2. do require sendmail-command, which will pose a problem to users
>     installing from the CLI, because they are presented with a choice:
>
>    One of the following packages is required:
>       1 dma
>       2 ssmtp
>       3 postfix
>       4 sendmail
>       5 msmtp
>    Please make a selection:
>
>     Additionally this will force an MTA onto every default installation and every
>     installation that currently has msec installed.
>
> 3. do require dma, which is a rather minimal MTA, and delivers without configuration
>     Please see https://bugs.mageia.org/show_bug.cgi?id=2255#c36 for details.
>     This would also allow coexistence with an already-installed MTA, IIUC.
>
> 4. Try to fix nail, which is required by msec and so in every default installation,
>     so that it is able to deliver mail by itself, without sendmail.
>
> Please give your votes.
>
>

After rereading the thread, I'm posting an excellent summary
from Derek Jennings, the original reporter of the msec/MTA issue:

On 28.09.2011 11:14, Derek Jennings wrote:
>
> I seem to have sparked off quite a discussion  on the dev list.
>
> Luc Menut made a very good point. If all these mails from msec started
> being actually delivered instead of going into the bit bucket, then users
> will be overwhelmed with emails they do not understand. As Claire
> mentioned in a previous posting msec **always** finds something in error
> which could alarm users. I can imagine the user forum being flooded with
> alarmed posts.
>
> My own opinion is we should do both 1 and 3 in your list of options
> 1/ Change the defaults in /etc/security/msec/level.*  and
> 3/ make dma a suggest for msec
>
> If these two changes were introduced as updates to Mageia 1 then the
> consequences would I believe be.
> a/ Users with default configuration :-
>
> Changing the defaults in /etc/security/msec/level.* will not affect an
> existing installation unless they change their security level.
>
> Mail would go into /var/spool/mail/root instead of /root/dead.letter  They
> probably would still not see the mail because they are unlikely to know
> how to configure another user to receive root's mail. The only change they
> would notice is when logging in at a root console they would see a message
> saying "You have new mail".
>
> b/ Users who have configured a real mail address in msec
> Installing dma as a require will cause these mails to actually start being
> delivered. Since the user has put the real mail address in the msec
> configuration we have to assume they actually want the mails to be
> delivered so that is a "good thing".  If their ISP will only accept mail
> from a real MTA as mentioned by Frank Griffin then the message will not be
> delivered unless a relay host is defined in dma. Since they are already
> not being delivered nothing will have changed.
>
> c/ New users of Mageia 2
> Changing the defaults in /etc/security/msec/level.* will suppress emails
> other than to those users who have specifically requested them.
>
>
> Hope that helps
>
> Derek
>
>
So if nobody objects or sees another problem with this, I'll modify
the defaults in /etc/security/msec/level.* to not send email by default
and make dma a suggest for msec.

