[Mageia-dev] [RFC] msec (nail) can't send reports to local users accounts - require an MTA?

Thu Sep 22 23:11:19 CEST 2011

Florian Hubold a écrit :
+> Am 22.09.2011 00:09, schrieb Luc Menut:
+>> Le 21/09/2011 20:35, Florian Hubold a écrit :
+>>> Hello,
+>>>
+>>> during validation of validation of msec/sectool update candidates,
+>>> a problem showed up: https://bugs.mageia.org/show_bug.cgi?id=1621
+>> ...
+>>> But if we want security reports to be sent to local users if they
+>>> specify so, how to proceed further?
+>>
+>> msec can work very well without sending these reports by email; all
+>> the security's reports are available in /var/log/security, and msec
+>> notifies the user about this at each time it runs, so sendmail is
+>> absolutely not mandatory.
+>> So I think that msec shouldn't have a Requires on sendmail-command,
+>> eventually it can be a Suggest.
+>>
+>> But perhaps we could/should change the configuration of msec to not
+>> send email by default, by adding MAIL_WARN=no in
+>> /etc/security/msec/security.conf.
+>>
+> So, to summarize, there happen to be multiple solutions here:
+>
+> 1. do NOT require an MTA, let users manually read reports from
+> /var/log/security
+> maybe even remove nail from msec Requires as it is currently
+> non-functional.
+
+Reading from /var/log/security is not especially user-friendly, and will be 
+ignored by less savy users.
+
+> Also Luc's proposal cited above could be realized.
+
+see below.
+
+> 2. do require sendmail-command, which will pose a problem to users
+> installing from the CLI, because they are presented with a choice:
+>
+> One of the following packages is required:
+> 1 dma
+> 2 ssmtp
+> 3 postfix
+> 4 sendmail
+> 5 msmtp
+> Please make a selection:
+>
+> Additionally this will force an MTA onto every default installation and
+> every
+> installation that currently has msec installed.
+
+Solution 3 avoids the complication of choosing, with virtually no disadvantage.
+
+> 3. do require dma, which is a rather minimal MTA, and delivers without
+> configuration
+> Please see https://bugs.mageia.org/show_bug.cgi?id=2255#c36 for details.
+> This would also allow coexistence with an already-installed MTA, IIUC.
+
+(dragonfly mail agent)
+If this works, I'd say that it is the best solution, since it is very compact 
+(64k), and virtually every system will have the DNS it requires installed.
+(Unless of course they don't have Internet or network access.  In which case 
+msec would not be particularly important.)
+Note that it is only at version 0.2 (or 0.3 upstream), so we should test it 
+carefully.
+
+> 4. Try to fix nail, which is required by msec and so in every default
+> installation,
+> so that it is able to deliver mail by itself, without sendmail.
+
+Solution #3 seems much better in every respect.
+
+> Please give your votes.
+
+Solution 3, with changes/verifications noted below.
+Since it is much simpler for the end-user to always have the capability to send 
+security alerts if an email address is entered, without installing anything extra.
+
+There are 2 options at the bottom of the first security page of msec, which 
+should already realise Luc's proposals.  They may have to be fixed.
+
+a) An option to send a security alert by email, where one enters the email 
+address.  By default it is checked.
+However, if no valid format email address is entered, an email should _not_ be 
+sent.
+As well, we should display something similar to
+"(Enter {userid}@localhost for a local user.)",
+  to help ensure that the user enters a valid local address.
+(Note that there are multi-line descriptions for all the other options above on 
+the same page, so this would fit nicely.)
+
+b) An option to display security alerts on the desktop.  Again, checked by 
+default.  They should probably remain visible until the user dismisses them. 
+(They currently display for a few seconds, then disappear.)
+
+My 2 cents :)
+
+-- 
+André
+