zarb-ml/mageia-dev/2011-September/008326.html


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-dev] [RFC] msec (nail) can't send reports to local users accounts - require an MTA?
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20%5BRFC%5D%20msec%20%28nail%29%20can%27t%20send%20reports%20to%20local%0A%20users%20accounts%20-%20require%20an%20MTA%3F&In-Reply-To=%3C4E7BA477.9050406%40laposte.net%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="008336.html">
   <LINK REL="Next"  HREF="008334.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-dev] [RFC] msec (nail) can't send reports to local users accounts - require an MTA?</H1>
    <B>andre999</B> 
    <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20%5BRFC%5D%20msec%20%28nail%29%20can%27t%20send%20reports%20to%20local%0A%20users%20accounts%20-%20require%20an%20MTA%3F&In-Reply-To=%3C4E7BA477.9050406%40laposte.net%3E"
       TITLE="[Mageia-dev] [RFC] msec (nail) can't send reports to local users accounts - require an MTA?">andre999.mga at laposte.net
       </A><BR>
    <I>Thu Sep 22 23:11:19 CEST 2011</I>
    <P><UL>
        <LI>Previous message: <A HREF="008336.html">[Mageia-dev] [RFC] msec (nail) can't send reports to local	users accounts - require an MTA?
</A></li>
        <LI>Next message: <A HREF="008334.html">[Mageia-dev] [RFC] msec (nail) can't send reports to local users accounts - require an MTA?
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#8326">[ date ]</a>
              <a href="thread.html#8326">[ thread ]</a>
              <a href="subject.html#8326">[ subject ]</a>
              <a href="author.html#8326">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>Florian Hubold a &#233;crit :
&gt;<i> Am 22.09.2011 00:09, schrieb Luc Menut:
</I>&gt;&gt;<i> Le 21/09/2011 20:35, Florian Hubold a &#233;crit :
</I>&gt;&gt;&gt;<i> Hello,
</I>&gt;&gt;&gt;<i>
</I>&gt;&gt;&gt;<i> during validation of validation of msec/sectool update candidates,
</I>&gt;&gt;&gt;<i> a problem showed up: <A HREF="https://bugs.mageia.org/show_bug.cgi?id=1621">https://bugs.mageia.org/show_bug.cgi?id=1621</A>
</I>&gt;&gt;<i> ...
</I>&gt;&gt;&gt;<i> But if we want security reports to be sent to local users if they
</I>&gt;&gt;&gt;<i> specify so, how to proceed further?
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> msec can work very well without sending these reports by email; all
</I>&gt;&gt;<i> the security's reports are available in /var/log/security, and msec
</I>&gt;&gt;<i> notifies the user about this at each time it runs, so sendmail is
</I>&gt;&gt;<i> absolutely not mandatory.
</I>&gt;&gt;<i> So I think that msec shouldn't have a Requires on sendmail-command,
</I>&gt;&gt;<i> eventually it can be a Suggest.
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> But perhaps we could/should change the configuration of msec to not
</I>&gt;&gt;<i> send email by default, by adding MAIL_WARN=no in
</I>&gt;&gt;<i> /etc/security/msec/security.conf.
</I>&gt;&gt;<i>
</I>&gt;<i> So, to summarize, there happen to be multiple solutions here:
</I>&gt;<i>
</I>&gt;<i> 1. do NOT require an MTA, let users manually read reports from
</I>&gt;<i> /var/log/security
</I>&gt;<i> maybe even remove nail from msec Requires as it is currently
</I>&gt;<i> non-functional.
</I>
Reading from /var/log/security is not especially user-friendly, and will be 
ignored by less savy users.

&gt;<i> Also Luc's proposal cited above could be realized.
</I>
see below.

&gt;<i> 2. do require sendmail-command, which will pose a problem to users
</I>&gt;<i> installing from the CLI, because they are presented with a choice:
</I>&gt;<i>
</I>&gt;<i> One of the following packages is required:
</I>&gt;<i> 1 dma
</I>&gt;<i> 2 ssmtp
</I>&gt;<i> 3 postfix
</I>&gt;<i> 4 sendmail
</I>&gt;<i> 5 msmtp
</I>&gt;<i> Please make a selection:
</I>&gt;<i>
</I>&gt;<i> Additionally this will force an MTA onto every default installation and
</I>&gt;<i> every
</I>&gt;<i> installation that currently has msec installed.
</I>
Solution 3 avoids the complication of choosing, with virtually no disadvantage.

&gt;<i> 3. do require dma, which is a rather minimal MTA, and delivers without
</I>&gt;<i> configuration
</I>&gt;<i> Please see <A HREF="https://bugs.mageia.org/show_bug.cgi?id=2255#c36">https://bugs.mageia.org/show_bug.cgi?id=2255#c36</A> for details.
</I>&gt;<i> This would also allow coexistence with an already-installed MTA, IIUC.
</I>
(dragonfly mail agent)
If this works, I'd say that it is the best solution, since it is very compact 
(64k), and virtually every system will have the DNS it requires installed.
(Unless of course they don't have Internet or network access.  In which case 
msec would not be particularly important.)
Note that it is only at version 0.2 (or 0.3 upstream), so we should test it 
carefully.

&gt;<i> 4. Try to fix nail, which is required by msec and so in every default
</I>&gt;<i> installation,
</I>&gt;<i> so that it is able to deliver mail by itself, without sendmail.
</I>
Solution #3 seems much better in every respect.

&gt;<i> Please give your votes.
</I>
Solution 3, with changes/verifications noted below.
Since it is much simpler for the end-user to always have the capability to send 
security alerts if an email address is entered, without installing anything extra.

There are 2 options at the bottom of the first security page of msec, which 
should already realise Luc's proposals.  They may have to be fixed.

a) An option to send a security alert by email, where one enters the email 
address.  By default it is checked.
However, if no valid format email address is entered, an email should _not_ be 
sent.
As well, we should display something similar to
&quot;(Enter {userid}@localhost for a local user.)&quot;,
  to help ensure that the user enters a valid local address.
(Note that there are multi-line descriptions for all the other options above on 
the same page, so this would fit nicely.)

b) An option to display security alerts on the desktop.  Again, checked by 
default.  They should probably remain visible until the user dismisses them. 
(They currently display for a few seconds, then disappear.)

My 2 cents :)

-- 
Andr&#233;
</PRE>


<!--endarticle-->
    <HR>
    <P><UL>
        <!--threads-->
	<LI>Previous message: <A HREF="008336.html">[Mageia-dev] [RFC] msec (nail) can't send reports to local	users accounts - require an MTA?
</A></li>
	<LI>Next message: <A HREF="008334.html">[Mageia-dev] [RFC] msec (nail) can't send reports to local users accounts - require an MTA?
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#8326">[ date ]</a>
              <a href="thread.html#8326">[ thread ]</a>
              <a href="subject.html#8326">[ subject ]</a>
              <a href="author.html#8326">[ author ]</a>
         </LI>
       </UL>

<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>