On 22.09.2011 21:37, Florian Hubold wrote:
> On 22.09.2011 00:09, Luc Menut wrote:
>> On 21/09/2011 20:35, Florian Hubold wrote:
>>> Hello,
>>>
>>> during validation of msec/sectool update candidates,
>>> a problem showed up: https://bugs.mageia.org/show_bug.cgi?id=1621
>> ...
>>>
>>> But if we want security reports to be sent to local users if they
>>> specify so, how to proceed further?
>>>
>>
>> msec can work very well without sending these reports by email; all the
>> security's reports are available in /var/log/security, and msec notifies the
>> user about this at each time it runs, so sendmail is absolutely not
>> mandatory.
>> So I think that msec shouldn't have a Requires on sendmail-command,
>> eventually it can be a Suggest.
>>
>> But perhaps we could/should change the configuration of msec to not send
>> email by default, by adding MAIL_WARN=no in /etc/security/msec/security.conf.
>>
>>
> So, to summarize, there happen to be multiple solutions here:
>
>
> 1. do NOT require an MTA, let users manually read reports from
>    /var/log/security
>    maybe even remove nail from msec Requires as it is currently
>    non-functional.
>    Also Luc's proposal cited above could be realized.
>
> 2. do require sendmail-command, which will pose a problem to users
>    installing from the CLI, because they are presented with a choice:
>
>    One of the following packages is required:
>    1 dma
>    2 ssmtp
>    3 postfix
>    4 sendmail
>    5 msmtp
>    Please make a selection:
>
>    Additionally this will force an MTA onto every default installation and
>    every installation that currently has msec installed.
>
> 3. do require dma, which is a rather minimal MTA, and delivers without
>    configuration
>    Please see https://bugs.mageia.org/show_bug.cgi?id=2255#c36 for details.
>    This would also allow coexistence with an already-installed MTA, IIUC.
>
> 4. Try to fix nail, which is required by msec and so in every default
>    installation, so that it is able to deliver mail by itself, without
>    sendmail.
>
> Please give your votes.
>
>

After rereading the thread, I'm posting an excellent summary from Derek
Jennings, the original reporter of the msec/MTA issue:

On 28.09.2011 11:14, Derek Jennings wrote:
>
> I seem to have sparked off quite a discussion on the dev list.
>
> Luc Menut made a very good point. If all these mails from msec started
> being actually delivered instead of going into the bit bucket, then users
> will be overwhelmed with emails they do not understand. As Claire
> mentioned in a previous posting msec **always** finds something in error
> which could alarm users. I can imagine the user forum being flooded with
> alarmed posts.
>
> My own opinion is we should do both 1 and 3 in your list of options
> 1/ Change the defaults in /etc/security/msec/level.* and
> 3/ make dma a suggest for msec
>
> If these two changes were introduced as updates to Mageia 1 then the
> consequences would I believe be.
> a/ Users with default configuration :-
>
> Changing the defaults in /etc/security/msec/level.* will not affect an
> existing installation unless they change their security level.
>
> Mail would go into /var/spool/mail/root instead of /root/dead.letter. They
> probably would still not see the mail because they are unlikely to know
> how to configure another user to receive root's mail. The only change they
> would notice is when logging in at a root console they would see a message
> saying "You have new mail".
>
> b/ Users who have configured a real mail address in msec
> Installing dma as a require will cause these mails to actually start being
> delivered. Since the user has put the real mail address in the msec
> configuration we have to assume they actually want the mails to be
> delivered so that is a "good thing". If their ISP will only accept mail
> from a real MTA as mentioned by Frank Griffin then the message will not be
> delivered unless a relay host is defined in dma. Since they are already
> not being delivered nothing will have changed.
>
> c/ New users of Mageia 2
> Changing the defaults in /etc/security/msec/level.* will suppress emails
> other than to those users who have specifically requested them.
>
>
> Hope that helps
>
> Derek
>
>

So if nobody objects or sees another problem with this, I'll modify the
defaults in /etc/security/msec/level.* to not send email by default and
make dma a suggest for msec.
