Les Mikesell wrote:
> Mikkel L. Ellertson wrote:
>
>>>> That is because they use more rational configuration method.
>>> No they don't. Have you built a kernel from scratch that included
>>> everything that fedora includes? Or apache with all the modules built?
>>> It isn't fun - or very rational. However, you don't have to do that if
>>> you install fedora. The point of the packaged distribution is that the
>>> work is already done and maintained.
>>>
>> What does this have to do with configuring a service? You are really
>> having to struggle to come up with something to justify your
>> position. That should tell you something.
>
> The point is that those things come preconfigured for typical uses. If
> we haven't established yet that email isn't very useful unless some
> machines accept mail over the network, let's do that now to make it
> clear that is a needed configuration choice.
>
What you just do not get is that the current configuration is
configured for typical use. The configuration you are pushing for is
not typical use.

>>>> Maybe
>>>> if Sendmail did as well, it could be treated more like other
>>>> services.
>>> Sendmail does give you the opportunity to use a pre-built configuration.
>>> Fedora just doesn't provide one that gives the upstream functionality.
>>>
>> And this relates to how easy it is to change the sendmail
>> configuration how?
>
> Anything is easy when yum/rpm installs what you need.
>
Right - another non-answer. Are you saying that there should be a
configuration for every ISP? While this would be nice, you need to
convince the ISPs to provide them. But that is still not treating
Sendmail like every other service. So is your complaint that Sendmail
is not treated like every other service, or that it is not treated
special enough?

>
>>>
>> Oh, now you are saying that having to make a change in sendmail.mc,
>> and then generate a new sendmail.cf file doesn't matter.
>
> Of course it doesn't matter as long as it is done automatically. A vast
> number of more complicated things are done automatically as the kernel
> boots, for example.
>
And this relates to the question under discussion how? Or is it that
you do not have an answer, so you go off on a tangent again?

>> Now, as far as non-standard environments, needing Sendmail to accept
>> connections from the Internet is a non-standard environment.
>
> Beg your pardon? Email as we know it can't work unless this happens.
>
What, every machine has to accept incoming mail connections for e-mail
to work? You need to come into the real world, where most people get
their e-mail from a POP or IMAP server. I would be surprised if 1
machine in 50 accepts incoming mail connections, but e-mail gets
through just fine.

>> Most
>> machines are not going to be an Internet mail server. So why should
>> the default configuration support it? From a security standpoint, it
>> is better to not accept connections from outside the machine unless
>> they are needed. This is why services like Apache, POP3, etc are not
>> turned on by default. Because a local mail server is needed for
>> proper operation of the system, Sendmail runs by default, but it
>> runs locked down. This works just fine for most users, and for the
>> ones it doesn't, there is a lot more configuration than just
>> enabling it to listen to other interfaces than 127.0.0.1.
>
> For every sender there must be a listener. Should RH/fedora be
> inadequate for this role?
>
That doesn't change the fact that most machines do not need to be a
listener. Haven't you heard, one machine can not only accept incoming
mail for more than one user, but it can be configured to accept mail
for more than one domain. You are ignoring the fact that this is the
way most e-mail is handled. So my workstation and my laptop do not
accept incoming mail connections from the Internet. I still get my
mail. Why do you think almost every e-mail client lets you configure
the mail server(s) you are going to use?

>
> Listening on a port and being secure are two different concepts. If you
> need to receive mail, you still need to be just as secure as if you
> don't. Listening on a port doesn't make your machine insecure. Bugs in
> the software make it insecure and pushing the problem off on someone
> else doesn't help fix it.
>
You are the only one talking about pushing the problem off on someone
else. We are talking about not taking unnecessary risks. Any open port
is a security risk. In case you have not noticed, we are still finding
bugs in the programs we run. There may be bugs still in Sendmail that
can be exploited if you can connect from outside the machine. So good
security practice is to not accept outside connections unless you need
to. Good security practice also means that you use more than one line
of defense. So you not only do not have sendmail listening to outside
connections by default, but you also have your firewall blocking
connections as well. Now, if you need to accept incoming mail
connections, you change things so you can, but most people do not need
it.

Mikkel
-- 
Do not meddle in the affairs of dragons, for thou art crunchy and
taste good with Ketchup!
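
The loopback-only default discussed in this thread can be audited from sendmail.mc itself. The following is an added example, not part of the original post: it parses the active DAEMON_OPTIONS lines and reports any listener not pinned to a loopback address. The sample file contents and the function names are constructed for illustration.

```python
import ipaddress
import re

# m4 quotes strings as `...'; a line that starts with "dnl" is commented out.
_DAEMON_RE = re.compile(r"^\s*DAEMON_OPTIONS\(`([^']*)'\)")


def active_daemon_options(mc_text):
    """Return one dict of Key=Value settings per active DAEMON_OPTIONS line."""
    found = []
    for line in mc_text.splitlines():
        if line.lstrip().startswith("dnl"):
            continue  # commented-out macro, never reaches sendmail.cf
        m = _DAEMON_RE.match(line)
        if m:
            pairs = (p.split("=", 1) for p in m.group(1).split(",") if "=" in p)
            found.append({k.strip(): v.strip() for k, v in pairs})
    return found


def is_loopback_only(opts):
    """True only when Addr is present and is a literal loopback address."""
    addr = opts.get("Addr")
    if addr is None:
        return False  # no Addr: sendmail binds every interface
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # hostname or other value: treat as exposed, check by hand


def exposed_listeners(mc_text):
    """Listeners that accept connections from outside the machine."""
    return [o for o in active_daemon_options(mc_text) if not is_loopback_only(o)]


# Constructed sample, written in sendmail.mc syntax (not a real system's file).
SAMPLE_MC = """\
dnl # constructed sample
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
"""
# The same file after an admin removes the Addr restriction to accept mail.
OPENED_MC = SAMPLE_MC.replace("Addr=127.0.0.1, ", "")

if __name__ == "__main__":
    print("locked down:", exposed_listeners(SAMPLE_MC))
    print("opened up: ", exposed_listeners(OPENED_MC))
```

This checks only the configuration layer; the firewall rule mentioned above is a separate second layer and needs its own check.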