Cron jobs output are sent to the network by default

Robert Marcano robert at
Tue Oct 28 17:50:08 UTC 2014

I created a new bug [1] that explains that ssmtp is sending all cron 
jobs output to an external SMTP server. I marked it as a security bug, 
the security tag was removed and it was recommend to make it public, 
something I can't do. I will resume the problem here, because there are 
comments that says that it isn't a security bug, I disagree:

1- Fedora 20 shipped with the feature of not running a SMTP server by 
default, I was fine with it because I don't need to send emails or 
receive emails locally using it.

2- an update pulled ssmtp

Apr 20 19:06:14 Installed: ssmtp-2.64-11.fc20.x86_64
Apr 20 19:06:15 Updated: 1:smartmontools-6.2-5.fc20.x86_64

3- ssmtp is configured by default to send emails to a host named mail

4- If a cron jobs runs the email is sent to mail.[your.domain] without 
you ever configuring that.

5- I don't care about the crob job output, I noticed by chance that this 
was happening because I have a cron job to do fstrim weekly and the 
output was sent to a server I manage and that has the root alias set to me.

6- People can be writing cron jobs, that like me, don't care about the 
output email, but don't know that output is being sent to a probably 
third party server without their knowledge (your ISP mail server?), 
those emails could be a potential leak of private information. Fedora 20 
was supposed to not send them because it featured a no SMTP server 
feature [2] and one of the most discussed things was that with the 
absence of the SMTP server cron jobs will only be logged.

I am not saying that the bug is with ssmtp, but ssmtp should require 
manual configuration, or no one should be pulling it like smartmontools 
or redhat-lsb


More information about the devel mailing list