We need a new subject- bug fixes

Mikkel L. Ellertson mikkel at infinity-ltd.com
Tue Mar 6 05:42:01 UTC 2007


Les Mikesell wrote:
> Mikkel L. Ellertson wrote:
> 
>>>> That is because they use a more rational configuration method.
>>> No they don't.  Have you built a kernel from scratch that included
>>> everything that fedora includes?  Or apache with all the modules built?
>>> It isn't fun - or very rational. However, you don't have to do that if
>>> you install fedora.  The point of the packaged distribution  is that the
>>> work is already done and maintained.
>>>
>> What does this have to do with configuring a service? You are really
>>  having to struggle to come up with something to justify your
>> position. That should tell you something.
> 
> The point is that those things come preconfigured for typical uses. If
> we haven't established yet that email isn't very useful unless some
> machines accept mail over the network, let's do that now to make it
> clear that is a needed configuration choice.
> 
What you just do not get is that the current configuration is
configured for typical use. The configuration you are pushing for is
not typical use.

>>>> Maybe
>>>> if Sendmail did as well, it could be treated more like other
>>>> services.
>>> Sendmail does give you the opportunity to use a pre-built configuration.
>>> Fedora just doesn't provide one that gives the upstream functionality.
>>>
>> And this relates to how easy it is to change the sendmail
>> configuration how?
> 
> Anything is easy when yum/rpm installs what you need.
> 
Right - another non-answer.

Are you saying that there should be a configuration for every ISP?
While this would be nice, you need to convince the ISPs to provide
them. But that is still not treating Sendmail like every other
service. So is your complaint that Sendmail is not treated like
every other service, or that it is not treated special enough?
> 
>>>
>> Oh, now you are saying that having to make a change in sendmail.mc,
>> and then generate a new sendmail.cf file doesn't matter. 
> 
> Of course it doesn't matter as long as it is done automatically.  A vast
> number of more complicated things are done automatically as the kernel
> boots, for example.
> 
And this relates to the question under discussion how? Or is it that
you do not have an answer, so you go off on a tangent again?

>> Now, as far as non-standard environments, needing Sendmail to accept
>> connections from the Internet is a non-standard environment.
> 
> Beg your pardon? Email as we know it can't work unless this happens.
> 
What, every machine has to accept incoming mail connections for
E-mail to work? You need to come into the real world, where most
people get their e-mail from a POP or IMAP server. I would be
surprised if 1 machine in 50 accepts incoming mail connections, but
e-mail gets through just fine.

>> Most
>> machines are not going to be an Internet mail server. So why should
>> the default configuration support it? From a security standpoint, it
>> is better to not accept connections from outside the machine unless
>> they are needed. This is why services like Apache, POP3, etc are not
>> turned on by default. Because a local mail server is needed for
>> proper operation of the system, Sendmail runs by default, but it
>> runs locked down. This works just fine for most users, and for the
>> ones it doesn't, there is a lot more configuration than just
>> enabling it to listen to other interfaces than 127.0.0.1.
> 
> For every sender there must be a listener.  Should RH/fedora be
> inadequate for this role?
> 
That doesn't change the fact that most machines do not need to be a
listener. Haven't you heard, one machine can not only accept
incoming mail for more than one user, but it can be configured to
accept mail for more than one domain. You are ignoring the fact that
this is the way most e-mail is handled. So my workstation and my
laptop do not accept incoming mail connections from the Internet. I
still get my mail. Why do you think almost every e-mail client lets
you configure the mail server(s) you are going to use?
> 
> Listening on a port and being secure are two different concepts.  If you
> need to receive mail, you still need to be just as secure as if you
> don't. Listening on a port doesn't make your machine insecure.  Bugs in
> the software make it insecure and pushing the problem off on someone
> else doesn't help fix it.
> 
You are the only one talking about pushing the problem off on
someone else. We are talking about not taking unnecessary risks. Any
open port is a security risk. In case you have not noticed, we are
still finding bugs in the programs we run. There may be bugs still
in Sendmail that can be exploited if you can connect from outside
the machine. So good security practice is to not accept outside
connections unless you need to. Good security practice also means
that you use more than one line of defense. So you not only do not
have sendmail listening to outside connections by default, but you
also have your firewall blocking connections as well.

Now, if you need to accept incoming mail connections, you change
things so you can, but most people do not need it.

Mikkel
-- 

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
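
Added example, not part of the original message: a small audit of the loopback-only default discussed in this thread, reading the `DAEMON_OPTIONS` lines of a `sendmail.mc` and reporting any listener not bound to a loopback address. The two sample files are constructed for illustration, and treating a file with no active `DAEMON_OPTIONS` line as listening on all interfaces is an assumption about sendmail's built-in default.

```python
import ipaddress
import re

# Constructed samples (not taken from any real system).
SAMPLE_LOCKED_DOWN = """\
dnl # constructed sample: listener restricted to the loopback address
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
"""
SAMPLE_OPENED = """\
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
"""

_DAEMON = re.compile(r"^\s*DAEMON_OPTIONS\(`([^']*)'\)")


def daemon_listeners(mc_text):
    """Return (name, port, addr) for every active DAEMON_OPTIONS line."""
    listeners = []
    for line in mc_text.splitlines():
        if line.lstrip().startswith("dnl"):  # m4 comment: line is disabled
            continue
        match = _DAEMON.match(line)
        if not match:
            continue
        opts = {}
        for item in match.group(1).split(","):
            key, sep, value = item.strip().partition("=")
            if sep:
                opts[key.lower()] = value.strip()
        listeners.append((opts.get("name", "?"), opts.get("port", "smtp"),
                          opts.get("addr")))
    # Assumption: with no explicit listener, sendmail binds all interfaces.
    return listeners or [("(implicit default)", "smtp", None)]


def is_loopback(addr):
    """True only for a literal loopback IP; a missing Addr= means all interfaces."""
    if addr is None:
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # hostname or malformed value: flag for manual review
        return False


def exposed_listeners(mc_text):
    """Listeners reachable from outside the machine, per the .mc file."""
    return [l for l in daemon_listeners(mc_text) if not is_loopback(l[2])]
```

The check only reflects `sendmail.mc`; the running daemon uses the generated `sendmail.cf`, and the firewall remains the second line of defense the message describes.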
