Date: Wed, 14 Feb 2001 13:47:42 -0800
From: Jason DiCioccio <Jason.DiCioccio@Epylon.com>
To: 'Rob Simmons' <rsimmons@wlcg.com>, Mikhail Kruk <meshko@cs.brandeis.edu>
Cc: Ragnar Beer <rbeer@uni-goettingen.de>, freebsd-security@FreeBSD.ORG
Subject: RE: security settings documentation
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0166D640@goofy.epylon.lan>

Not as far as I can remember.. I've used boxes with no mailserver and
still gotten the security outputs etc. I think it just uses
mail.local directly.

Cheers,
-JD-

-------
Jason DiCioccio
Evil Genius
Unix BOFH

mailto:jasond@epylon.com

415-593-2761 Direct & Fax
415-593-2900 Main

Epylon Corporation
645 Harrison Street, Suite 200
San Francisco, CA 94107
www.epylon.com

BSD is for people who love Unix -
Linux is for people who hate Microsoft

-----Original Message-----
From: Rob Simmons [mailto:rsimmons@wlcg.com]
Sent: Wednesday, February 14, 2001 1:44 PM
To: Mikhail Kruk
Cc: Ragnar Beer; freebsd-security@FreeBSD.ORG
Subject: Re: security settings documentation

I would disagree with -bd being mandatory. Sure it is needed if the
server is a mailserver or needs to receive mail for some reason. I agree
that it should be "-bd -q30m" in /etc/defaults/rc.conf, but I think the
"High" security profile should have only -q30m. In fact I think the
Fascist level should have this setting instead of disabling sendmail
altogether.

If you disable sendmail altogether, doesn't that keep the daily/weekly
root mails from being sent?

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Wed, 14 Feb 2001, Mikhail Kruk wrote:

> I have
> sendmail_flags="-bd -q30m" # -bd is pretty mandatory.
> and it seems that it has been default at least since 2.2.8, maybe
> before.
>
> > Very good idea! It's the default setting in OpenBSD.
> >
> > Ragnar
> >
> > >Also, for the "High" security setting, shouldn't this be in
> > >there:
> > >
> > > variable_set2("sendmail_flags", "-q30m", 1);
> > >
> > >That way sendmail doesn't open port 25.
> > >
> > >Robert Simmons
> > >Systems Administrator
> > >http://www.wlcg.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
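
Added example, not part of the thread or of FreeBSD's own scripts: a shell check that reports which of the setups discussed above a host is configured for (SMTP listener with -bd, queue runs only, or sendmail disabled). It assumes `sendmail_enable` is the rc.conf switch behind "disabling sendmail altogether"; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report how sendmail will run, given
# rc.conf-style files. Later files override earlier ones, the way /etc/rc.conf
# overrides /etc/defaults/rc.conf. Files are parsed, never sourced.

# rc_value VAR FILE...  -> last value assigned to VAR, quotes and comments stripped
rc_value() {
    var=$1; shift
    cat "$@" 2>/dev/null |
        sed -n "s/^[[:space:]]*${var}=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# sendmail_mode FILE...  -> disabled | listening | queue-only | unknown
sendmail_mode() {
    enable=$(rc_value sendmail_enable "$@")   # assumed enable switch
    flags=$(rc_value sendmail_flags "$@")
    case "$enable" in
        [Yy][Ee][Ss]) ;;
        *) echo disabled; return 0 ;;
    esac
    case " $flags " in
        *" -bd "*) echo listening ;;    # daemon mode: SMTP listener on port 25
        *" -q"*)   echo queue-only ;;   # periodic queue runs, no listener
        *)         echo unknown ;;
    esac
}

# Constructed sample files standing in for the two rc.conf locations.
demo_dir=$(mktemp -d)
cat > "$demo_dir/defaults.conf" <<'EOF'
sendmail_enable="YES"          # constructed sample
sendmail_flags="-bd -q30m"     # default discussed in the thread
EOF
cat > "$demo_dir/high.conf" <<'EOF'
sendmail_flags="-q30m"         # the proposed "High" profile value
EOF
cat > "$demo_dir/off.conf" <<'EOF'
sendmail_enable="NO"
EOF

echo "defaults only: $(sendmail_mode "$demo_dir/defaults.conf")"
echo "with High:     $(sendmail_mode "$demo_dir/defaults.conf" "$demo_dir/high.conf")"
echo "sendmail off:  $(sendmail_mode "$demo_dir/defaults.conf" "$demo_dir/off.conf")"
rm -rf "$demo_dir"
```

On a real host the arguments would be /etc/defaults/rc.conf followed by /etc/rc.conf, and a "listening" result can be cross-checked against the sockets actually bound to port 25.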