From: Les Mikesell <lesmikesell@xxxxxxxxx>,Subject:

Les Mikesell <lesmikesell@xxxxxxxxx> wrote:

> The way to get security is to make the system consistent and easily understandable.

Couldn't agree with you more. To me that means configuring services the way most people will need them.

> If users need to hand-edit complex config files for common operations you haven't accomplished that.

That's just it. Probably 99% of all Linux installs don't entail configuring the system as a true mail server. The FC and RHEL approach means *MOST* users don't have to edit a complex config file.

> How, for example, would you advise a user to check for whether sendmail was active on the network or not, and how to change it?

Ask their mail server admin. They have no business running their own mail server.

> Why should this differ from what you'd say about dovecot?

When I set up dovecot I had to edit /etc/dovecot.conf before it worked:

diff dovecot.conf dovecot.conf.centos
14c14
< protocols = imap imaps pop3
---
> #protocols = imap imaps
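
Review bot: in the 14c14 hunk, `protocols = imap imaps pop3` turns on POP3 with no TLS counterpart, so POP3 is offered only in cleartext while IMAP gets both imap and imaps. If POP3 clients are really needed, consider listing pop3s as well; otherwise keep the stock `imap imaps` pair shown on the other side of the hunk.
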
21,22c21,22
< imap_listen = 192.168.255.254:143
< pop3_listen = 192.168.255.254:110
---
> imap_listen = [::]
> pop3_listen = [::]
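
Review bot: the 21,22c21,22 hunk hard-codes 192.168.255.254 in `imap_listen` and `pop3_listen` with nothing recording why. Pinning to one address instead of the stock `[::]` wildcard narrows where the service is reachable, but the diff adds no comment saying which interface this is, and both listeners are the cleartext ports 143 and 110. A one-line comment above the two settings would help whoever maintains the file next.
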
26,27c26,27
< imaps_listen = 192.168.255.254:993
---
> #imaps_listen =
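
Review bot: the 26,27c26,27 header declares two changed lines on each side, but only the `imaps_listen` line is shown for each file, so one line of this hunk appears to be missing from the paste. Re-running the diff would confirm what else differs next to `imaps_listen` before anyone copies these settings.
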
87c87
< login_executable = /usr/libexec/dovecot/imap-login
---
> #login_executable = /usr/libexec/dovecot/imap-login
92c92
< login_user = dovecot
---
> #login_user = dovecot

While the file is easy to understand, knowing what to enable or not enable and why isn't. Should we have a dovecot configuration GUI?
> If every program is a special case, few people are going to understand the system well enough to keep it secure.

Agreed. That means it absolutely makes sense to install sendmail such that the typical user doesn't have to understand how to configure it to be secure.

How long are you going to keep insisting on something that very few people need or want? Most people don't run a true mail server. They connect to either their ISP's or their employer's mail server. They don't want to have to know how to secure sendmail nor even how to enable or disable it. I can think of quite a few other system configuration tasks that I would rather see Red Hat or the community put resources into over expending effort on some kind of GUI sendmail configuration tool that most users will never use and those who need to configure sendmail will ignore because they know they need to edit sendmail.cf to correctly configure it for their particular needs (e.g., filters, RBLs, etc.).

Dave

--
Politics, n. Strife of interests masquerading as a contest of principles.
-- Ambrose Bierce
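
An added example, not part of the original message: one way to answer the question raised in the thread about checking whether a mail daemon is active on the network, by classifying listeners on the mail ports (25, plus the 110/143/993 ports from the dovecot diff) as loopback-only or network-reachable. It assumes iproute2's `ss` is available; the function names and the sample listener lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which mail-related TCP listeners are reachable from
# the network and which are bound to loopback only.
# Live use (assumes iproute2's ss):  ss -ltnH | classify_mail_listeners

# Constructed sample of `ss -ltnH` output, so the script runs offline.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 10  127.0.0.1:25        0.0.0.0:*
LISTEN 0 128 192.168.255.254:143 0.0.0.0:*
LISTEN 0 128 [::]:110            [::]:*
LISTEN 0 128 0.0.0.0:22          0.0.0.0:*
EOF
}

# Reads ss lines on stdin; prints "port service address scope" for mail ports.
classify_mail_listeners() {
    awk '
    BEGIN {
        svc["25"] = "smtp"; svc["110"] = "pop3"; svc["143"] = "imap"
        svc["993"] = "imaps"; svc["995"] = "pop3s"
    }
    $1 == "LISTEN" {
        n = split($4, parts, ":")          # port is the text after the last colon
        port = parts[n]
        if (!(port in svc)) next           # not a mail port, ignore
        addr = substr($4, 1, length($4) - length(port) - 1)
        sub(/%.*/, "", addr)               # drop an interface suffix such as %lo
        scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback-only" : "network"
        printf "%s %s %s %s\n", port, svc[port], addr, scope
    }'
}

sample_ss_output | classify_mail_listeners
```

A port 25 line reported as `loopback-only` means the MTA accepts local submissions only; anything reported as `network` is reachable from other hosts, subject to firewall rules.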

