Cron jobs output are sent to the network by default

Miloslav Trmač mitr at redhat.com
Wed Oct 29 18:33:29 UTC 2014


----- Original Message -----
> I created a new bug [1] that explains that ssmtp is sending all cron
> jobs output to an external SMTP server. I marked it as a security bug,
> the security tag was removed and it was recommended to make it public,
> something I can't do. I will resume the problem here, because there are
> comments that say that it isn't a security bug, I disagree:
> 
> 1- Fedora 20 shipped with the feature of not running an SMTP server by
> default, I was fine with it because I don't need to send emails or
> receive emails locally using it.
> 
> 2- an update pulled ssmtp
> 
> Apr 20 19:06:14 Installed: ssmtp-2.64-11.fc20.x86_64
> Apr 20 19:06:15 Updated: 1:smartmontools-6.2-5.fc20.x86_64
> 
> 3- ssmtp is configured by default to send emails to a host named mail
> 
> 4- If a cron job runs the email is sent to mail.[your.domain] without
> you ever configuring that.

This is certainly not a reasonable default configuration for Fedora.

While I think that it is not a reasonable default configuration for ssmtp at all, I could be persuaded otherwise; but in that case, it should never be installed by _anything_ that isn’t an explicit user’s choice (i.e. no dependencies direct or indirect, no comps group presence, and ideally/overzealously? an automated test that makes installing ssmtp in a default product configuration a release blocker).
    Mirek
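
An added example, not part of the original thread: a shell check that reads an ssmtp.conf-style file and reports whether mail (cron output included) would be handed to a non-loopback host. The function names and the sample config are constructed for illustration; /etc/ssmtp/ssmtp.conf is assumed as the usual location of the real file.

```shell
#!/bin/sh
# Audit where ssmtp would relay mail, based on its "mailhub" setting.

# Print the host part of the last "mailhub=" line in the given file.
# Comments (# to end of line) are ignored; the key is matched case-insensitively.
# Prints nothing when no mailhub line is present.
ssmtp_mailhub() {
    sed -n 's/#.*$//; s/^[[:space:]]*[Mm][Aa][Ii][Ll][Hh][Uu][Bb][[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" \
        | tail -n 1 \
        | sed 's/^\([^:]*\):[0-9][0-9]*$/\1/'   # drop a trailing :port
}

# Classify the file:
#   local  - mailhub is a loopback name or address
#   unset  - no mailhub line, so ssmtp's built-in default applies
#   remote - mail is handed to another host on the network
ssmtp_mail_scope() {
    hub=$(ssmtp_mailhub "$1")
    case "$hub" in
        "") echo unset ;;
        localhost|localhost.localdomain|127.*|::1) echo local ;;
        *) echo remote ;;
    esac
}

# Constructed sample modelled on the default described in the thread
# (relay host named "mail"); not copied from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample ssmtp.conf
root=postmaster
mailhub=mail
EOF

echo "mailhub=$(ssmtp_mailhub "$sample") scope=$(ssmtp_mail_scope "$sample")"
rm -f "$sample"

# On a real host (path is an assumption):
#   ssmtp_mail_scope /etc/ssmtp/ssmtp.conf
```

A result of `remote` or `unset` on a machine where nobody chose an SMTP relay is the condition the thread describes: an unqualified name such as `mail` is resolved through the system's DNS search domain.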

