From: Jason DiCioccio
To: 'Rob Simmons', Mikhail Kruk
Cc: Ragnar Beer, freebsd-security@FreeBSD.ORG
Subject: RE: security settings documentation
Date: Wed, 14 Feb 2001 13:47:42 -0800
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0166D640@goofy.epylon.lan>

Not as far as I can remember.. I've used boxes with no mailserver and
still gotten the security outputs etc. I think it just uses
mail.local directly.

Cheers,
-JD-


-------
Jason DiCioccio
Evil Genius
Unix BOFH

mailto:jasond@epylon.com

415-593-2761          Direct & Fax
415-593-2900          Main

Epylon Corporation
645 Harrison Street, Suite 200
San Francisco, CA 94107
www.epylon.com

BSD is for people who love Unix -
Linux is for people who hate Microsoft


-----Original Message-----
From: Rob Simmons [mailto:rsimmons@wlcg.com]
Sent: Wednesday, February 14, 2001 1:44 PM
To: Mikhail Kruk
Cc: Ragnar Beer; freebsd-security@FreeBSD.ORG
Subject: Re: security settings documentation


I would disagree with -bd being mandatory.  Sure it is needed if the
server is a mailserver or needs to receive mail for some reason.  I agree
that it should be "-bd -q30m" in /etc/defaults/rc.conf, but I think the
"High" security profile should have only -q30m.  In fact I think the
Fascist level should have this setting instead of disabling sendmail
altogether.

If you disable sendmail altogether, doesn't that keep the daily/weekly
root mails from being sent?

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Wed, 14 Feb 2001, Mikhail Kruk wrote:

> I have
> sendmail_flags="-bd -q30m" # -bd is pretty mandatory.
> and it seems that it has been default at least since 2.2.8, may be
> before.
>
> > Very good idea! It's the default setting in OpenBSD.
> >
> > Ragnar
> >
> > >Also, for the "High" security setting, shouldn't this be in
> > >there: 
> > >
> > >     variable_set2("sendmail_flags", "-q30m", 1);
> > >
> > >That way sendmail doesn't open port 25.
> > >
> > >Robert Simmons
> > >Systems Administrator
> > >http://www.wlcg.com/



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


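The setting debated in this thread, as an added example that is not part of any poster's message: a POSIX shell check that resolves the effective sendmail_flags from rc.conf-style files and reports whether -bd is present, which is what makes sendmail listen on port 25. The function names and the sample files are constructed for illustration; it assumes one NAME="value" assignment per line.

```shell
#!/bin/sh
# Added example (not from the thread): decide from rc.conf-style files whether
# sendmail will be started with -bd, i.e. will listen on port 25.

# effective_var NAME FILE... : print the last value assigned to NAME.
# Later files win, the way /etc/rc.conf overrides /etc/defaults/rc.conf.
# Assumes one assignment per line and no '#' inside the quoted value.
effective_var() {
    name=$1; shift
    value=""
    for f in "$@"; do
        [ -r "$f" ] || continue
        line=$(grep -E "^[[:space:]]*${name}=" "$f" | tail -n 1)
        [ -n "$line" ] || continue
        value=${line#*=}       # drop 'NAME='
        value=${value%%#*}     # drop a trailing comment
        value=$(printf '%s' "$value" |
            sed -e 's/[[:space:]]*$//' -e 's/^"//' -e 's/"$//')
    done
    printf '%s\n' "$value"
}

# smtp_mode FILE... : print "listening" if the effective sendmail_flags
# contain -bd, otherwise "not-listening".
smtp_mode() {
    for flag in $(effective_var sendmail_flags "$@"); do
        if [ "$flag" = "-bd" ]; then
            echo listening
            return 0
        fi
    done
    echo not-listening
}

# Constructed sample files standing in for the system defaults and an override.
make_samples() {
    printf '%s\n' 'sendmail_flags="-bd -q30m" # -bd is pretty mandatory.' \
        > "$1/defaults.conf"
    printf '%s\n' '# "High" profile value proposed in the thread' \
        'sendmail_flags="-q30m"' > "$1/high.conf"
}

demo() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    echo "defaults only:   $(smtp_mode "$d/defaults.conf")"
    echo "defaults + high: $(smtp_mode "$d/defaults.conf" "$d/high.conf")"
    rm -rf "$d"
}
demo
```

On a FreeBSD host the same check would be run as `smtp_mode /etc/defaults/rc.conf /etc/rc.conf`.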