From owner-freebsd-security  Wed Feb 14 13:56:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from whistle.com (s205m131.whistle.com [207.76.205.131])
	by hub.freebsd.org (Postfix) with ESMTP id CEBA837B684
	for <freebsd-security@FreeBSD.ORG>; Wed, 14 Feb 2001 13:56:31 -0800 (PST)
Received: (from smap@localhost)
	by whistle.com (8.10.0/8.10.0) id f1ELuVw16563
	for <freebsd-security@FreeBSD.ORG>; Wed, 14 Feb 2001 13:56:31 -0800 (PST)
Received: from pau-amma.whistle.com( 207.76.205.64) by whistle.com via smap (V2.0)
	id xma016559; Wed, 14 Feb 2001 13:56:07 -0800
Received: (from dhw@localhost)
	by pau-amma.whistle.com (8.11.1/8.11.1) id f1ELu7P63294
	for freebsd-security@FreeBSD.ORG; Wed, 14 Feb 2001 13:56:07 -0800 (PST)
Date: Wed, 14 Feb 2001 13:56:07 -0800 (PST)
From: David Wolfskill <dhw@whistle.com>
Message-Id: <200102142156.f1ELu7P63294@pau-amma.whistle.com>
Subject: Re: security settings documentation
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <Pine.BSF.4.21.0102141638540.15577-100000@mail.wlcg.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Date: Wed, 14 Feb 2001 16:43:58 -0500 (EST)
>From: Rob Simmons <rsimmons@wlcg.com>

>I would disagree with -bd being mandatory.  Sure it is needed if the
>server is a mailserver or needs to recieve mail for some reason.  I agree
>that it should be "-bd -q30m" in /etc/defaults/rc.conf, but I think the
>"High" security profile should have only -q30m.  In fact I think the
>Fascist level should have this setting instead of disabling sendmail
>altogether.

>If you disable sendmail altogether, doesn't that keep the daily/weekly
>root mails from being sent?

-bd says to start sendmail as a daemon, listening on TCP/25 (SMTP).

-q30m says to automatically "run the queue" (check the queue for
undelivered mail and try to deliver it) every 30 minutes.

It is not necessary to run a sendmail daemon at all in order to merely
send locally-generated mail, and it is only necessary to run the queue
if mail gets stuck there.  (An alternative to having the daemon run the
queue periodically is to fire up "sendmail -q" via cron.)

(My news server does not have anything listening on TCP/25, nor is sendmail
configured to run the queue; it sends the daily, weekly, & monthly reports
to me just fine.)

Cheers,
david
-- 
David Wolfskill      dhw@whistle.com   UNIX System Administrator
Desk: 650/577-7158   TIE: 8/499-7158   Cell: 650/759-0823


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message