Les Mikesell wrote:
> Mikkel L. Ellertson wrote:
>
>> Not really. Why should they be installed by default when most people
>> are not going to be running a mail server?
>
> It's not a matter of doing it by default, it is a matter of having to
> edit an obscure config file to do it, instead of the RedHat 'way' of
> enabling things. What's right for sendmail should be right for sshd,
> ftpd, named, httpd, samba, and all the other things where security flaws
> have been known to exist and be exploited.
>
>> You keep insisting that EVERY machine needs to be able to accept
>> Internet delivery of mail, but you have yet to give a valid reason
>> for this.
>
> No, I'm saying that SOME machines need to be able to accept mail and
> thus the distribution should provide a reasonable means. I don't
> believe that everyone's machine would be safer if it were shipped with a
> non-working sshd config file and every user that needed it had to
> figure out for themselves what might be good options to put in there,
> and I don't believe that for sendmail either.
>
The thing is, the sendmail configuration is a working one. It just
doesn't work the way you want. The default configuration works the way
a lot of people want it to. The change needed to make it listen to
outside connections is documented in the sendmail.mc file. You keep
struggling to come up with analogies, but they don't fit.

>> I have given you examples of classes of machines that have no
>> need for it, but you keep deleting that part of the message in your
>> replies, instead of addressing it.
>
> I keep deleting it because it is not relevant to sendmail being treated
> differently than every other RH/fedora package. You probably don't need
> a web server on your laptop either, but where you do need it, the
> package comes up working on the network with the expected RH/fedora
> commands.
>
But the web server would not be serving any useful content. You're
saying that the default configuration should accept outside mail is
like saying that the web server should come with fully configured web
pages that fit my system. The default install of Apache works, but if I
want it to display anything more than the default web page, I have to
add content. Chances are, I am also going to have to make some other
changes in the config files as well before it works the way I want it
to. The default Sendmail configuration works to deliver locally
generated mail. If I want it to do more than that, I have to
re-configure it. How are they being treated differently? Sure, there is
less configuration needed for ssh, but it does not have nearly as many
options. Then you have the Bind package. It is not going to run at all
until you do some configuration.

If all configurations were the same level of complexity, then you could
treat all daemons the same. But that is not the way it works in the
real world. Sendmail is not treated the same as ssh because the
Sendmail configuration is a lot more complex than the ssh
configuration. That is why you edit the sendmail.mc file and use m4 to
generate a new sendmail.cf file instead of directly editing the
sendmail.cf file. (Though you can directly edit the sendmail.cf file if
you are expert enough.) Compare the sendmail.cf file to any other
daemon's config file, and tell me it isn't much more complicated.

>> Isn't it part of basic security
>> to not run services you do not need, and limit connections to the
>> services you are running to machines that need to connect?
>
> Again, not relevant. The part that is relevant is following well known
> best practices by using expertly developed configurations changed only
> where necessary for local differences. The people who need sshd
> listening on their network connections can do that because RH/fedora
> ships a usable setup. The people who need to receive email via smtp
> can't because they don't. And again, I don't believe the world is a
> safer place because every person who needs to activate their network
> email service has to muddle through sendmail.mc trying whatever changes
> look likely to make it work.
>
Sure it is. Why listen to outside SMTP connections when you are not
going to deliver outside mail? You keep talking about "muddling
through" the sendmail.mc file to make it listen to outside connections.
Please explain what is so hard to understand about this, that people
are going to get it wrong?

dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

If you can not understand that, then you are really going to have
problems setting up your DNS records. You either need to do a lot of
reading, or hire someone to do your configuration...

You keep insisting that the sendmail configuration is broken because it
does not accept outside mail. But the goal of the default configuration
is to handle locally generated mail, and it does that, so how is it
broken? The only thing I can see that is broken is your expectations of
what the default install should do.

If you want sample configurations of different mail server
configurations that can be modified for local conditions, why not put
in a request for a package containing them, or get them added to the
sendmail.cf package? After all, if you are going to start modifying the
sendmail config, you are going to need the sendmail.cf package. But
requiring them as part of the default sendmail install is like
requiring the development packages be installed with all libraries
because someone might want to compile their own programs.

Mikkel
-- 
Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
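
An added example, not part of the original message or of the sendmail package: a small audit of a sendmail.mc file that reports whether each active DAEMON_OPTIONS listener is bound to loopback, as in the stock snippet quoted above, or is reachable from the network. The function names and the sample text are constructed for illustration; the fallback for a file with no active DAEMON_OPTIONS line assumes sendmail's built-in MTA listener on all interfaces.

```python
import re

# Constructed sample modelled on the stock block quoted in the message,
# plus one dnl-disabled line to show that m4 ignores it.
SAMPLE_MC = """\
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
"""

# m4 quotes the argument with a backtick and an apostrophe.
_DAEMON = re.compile(r"^\s*DAEMON_OPTIONS\(`([^']*)'\)")


def active_listeners(mc_text):
    """Return one option dict per DAEMON_OPTIONS line that m4 will expand."""
    listeners = []
    for line in mc_text.splitlines():
        if line.lstrip().startswith("dnl"):
            continue  # dnl discards the rest of the line, so it is disabled
        match = _DAEMON.match(line)
        if not match:
            continue
        opts = {}
        for item in match.group(1).split(","):
            key, _, value = item.partition("=")
            opts[key.strip().lower()] = value.strip()
        listeners.append(opts)
    return listeners


def exposure(mc_text):
    """Return (name, port, 'loopback' | 'network') for each listener."""
    listeners = active_listeners(mc_text)
    if not listeners:
        # Assumption: with no DAEMON_OPTIONS, the default MTA listener
        # binds to every interface.
        listeners = [{"name": "MTA", "port": "smtp"}]
    report = []
    for opts in listeners:
        addr = opts.get("addr", "")  # a missing Addr= means all interfaces
        local = addr.startswith("127.") or addr in ("::1", "localhost")
        report.append((opts.get("name", "?"), opts.get("port", "smtp"),
                       "loopback" if local else "network"))
    return report


if __name__ == "__main__":
    for name, port, scope in exposure(SAMPLE_MC):
        print(f"{name:4} port={port:10} {scope}")
```

Run it against the .mc file before regenerating sendmail.cf with m4, so a change from loopback to network is a deliberate one.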