From owner-freebsd-security Wed Feb 14 14:41:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gwdu42.gwdg.de (gwdu42.gwdg.de [134.76.10.26]) by hub.freebsd.org (Postfix) with ESMTP id D503837B401 for ; Wed, 14 Feb 2001 14:41:51 -0800 (PST)
Received: from ras23-155.gwdg.de ([134.76.23.155] helo=[192.168.0.98]) by gwdu42.gwdg.de with esmtp (Exim 3.14 #18) id 14TAcP-0001KJ-00; Wed, 14 Feb 2001 23:41:49 +0100
Mime-Version: 1.0
X-Sender: rbeer@popper.gwdg.de
Date: Wed, 14 Feb 2001 23:41:41 +0100
To: Rob Simmons
From: Ragnar Beer
Subject: Re: security settings documentation
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'd also disagree. Taking sendmail's security record and difficult
configuration into account I'd say that running sendmail in daemon mode
out of the box is "moderate" security at most and only "-q30m" or "NO"
go with higher security levels.

But that actually doesn't touch the issue whether sendmail is mandatory
or not. I'd say ssh is absolutely mandatory but it's ok that the daemon
doesn't get started when "extreme" security was chosen.

I wonder if there could be something intermediate e.g. with a well
configured postfix daemon. According to what I _heard_ about it it's
very secure.

Ragnar

>I would disagree with -bd being mandatory. Sure it is needed if the
>server is a mailserver or needs to receive mail for some reason. I agree
>that it should be "-bd -q30m" in /etc/defaults/rc.conf, but I think the
>"High" security profile should have only -q30m. In fact I think the
>Fascist level should have this setting instead of disabling sendmail
>altogether.
>
>If you disable sendmail altogether, doesn't that keep the daily/weekly
>root mails from being sent?
>
>Robert Simmons
>Systems Administrator
>http://www.wlcg.com/
>
>On Wed, 14 Feb 2001, Mikhail Kruk wrote:
>
>> I have
>> sendmail_flags="-bd -q30m" # -bd is pretty mandatory.
>> and it seems that it has been default at least since 2.2.8, maybe
>> before.
>>
>> > Very good idea! It's the default setting in OpenBSD.
>> >
>> > Ragnar
>> >
>> > >Also, for the "High" security setting, shouldn't this be in there:
>> > >
>> > > variable_set2("sendmail_flags", "-q30m", 1);
>> > >
>> > >That way sendmail doesn't open port 25.
>> > >
>> > >Robert Simmons
>> > >Systems Administrator
>> > >http://www.wlcg.com/
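Added example, not part of the thread or of FreeBSD's own scripts: a small sh audit that reports which of the sendmail modes discussed above (daemon with "-bd", queue-only with "-q30m", or disabled) a set of rc.conf-style files resolves to, with later files overriding earlier ones. The function names and the sample files are constructed for illustration; `sendmail_enable` is the standard rc.conf switch and is not named in the thread.

```sh
#!/bin/sh
# Added example: rc.conf files are plain sh assignments, and a later file
# (/etc/rc.conf) overrides an earlier one (/etc/defaults/rc.conf).

# effective_value VAR FILE...  -> print the last value assigned to VAR
effective_value() {
    var=$1; shift
    val=
    for f in "$@"; do
        [ -r "$f" ] || continue
        line=$(grep -E "^[[:space:]]*${var}=" "$f" | tail -n 1)
        [ -n "$line" ] || continue
        val=${line#*=}      # drop 'name='
        val=${val%%#*}      # drop a trailing comment
        val=$(printf '%s' "$val" |
              sed -e 's/[[:space:]]*$//' -e 's/^"//' -e 's/"$//')
    done
    printf '%s\n' "$val"
}

# sendmail_mode FILE...  -> disabled | daemon | queue-only | unknown
sendmail_mode() {
    enable=$(effective_value sendmail_enable "$@")
    flags=$(effective_value sendmail_flags "$@")
    case $enable in
        [Nn][Oo]) echo disabled; return 0 ;;
    esac
    case " $flags " in
        *" -bd "*) echo daemon ;;       # listens on port 25
        *" -q"*)   echo queue-only ;;   # only flushes the local queue
        *)         echo unknown ;;
    esac
}

# Constructed sample files standing in for the defaults and a local override.
tmp=$(mktemp -d)
printf '%s\n' 'sendmail_enable="YES"' \
    'sendmail_flags="-bd -q30m" # -bd is pretty mandatory.' > "$tmp/defaults"
printf '%s\n' 'sendmail_flags="-q30m"' > "$tmp/rc.conf"
echo "defaults only: $(sendmail_mode "$tmp/defaults")"
echo "with override: $(sendmail_mode "$tmp/defaults" "$tmp/rc.conf")"
rm -rf "$tmp"
```

On a real host the arguments would be /etc/defaults/rc.conf followed by /etc/rc.conf.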