Date: Wed, 14 Feb 2001 23:41:41 +0100
From: Ragnar Beer <rbeer@uni-goettingen.de>
To: Rob Simmons <rsimmons@wlcg.com>
Subject: Re: security settings documentation
Message-ID: <p04330104b6b0b6369db0@[192.168.0.98]>
In-Reply-To: <Pine.BSF.4.21.0102141638540.15577-100000@mail.wlcg.com>
References: <Pine.BSF.4.21.0102141638540.15577-100000@mail.wlcg.com>

I'd also disagree. Taking sendmail's security record and difficult
configuration into account, I'd say that running sendmail in daemon mode
out of the box is "moderate" security at most and only "-q30m" or "NO" go
with higher security levels. But that actually doesn't touch the issue
whether sendmail is mandatory or not. I'd say ssh is absolutely mandatory
but it's ok that the daemon doesn't get started when "extreme" security
was chosen.

I wonder if there could be something intermediate, e.g. with a well
configured postfix daemon. According to what I _heard_ about it, it's very
secure.

Ragnar

>I would disagree with -bd being mandatory.  Sure it is needed if the
>server is a mailserver or needs to receive mail for some reason.  I agree
>that it should be "-bd -q30m" in /etc/defaults/rc.conf, but I think the
>"High" security profile should have only -q30m.  In fact I think the
>Fascist level should have this setting instead of disabling sendmail
>altogether.
>
>If you disable sendmail altogether, doesn't that keep the daily/weekly
>root mails from being sent?
>
>Robert Simmons
>Systems Administrator
>http://www.wlcg.com/
>
>On Wed, 14 Feb 2001, Mikhail Kruk wrote:
>
>> I have
>> sendmail_flags="-bd -q30m"      # -bd is pretty mandatory.
>> and it seems that it has been default at least since 2.2.8, maybe
>> before.
>>
>> > Very good idea! It's the default setting in OpenBSD.
>> >
>> > Ragnar
>> >
>> > >Also, for the "High" security setting, shouldn't this be in there:
>> > >
>> > >    variable_set2("sendmail_flags", "-q30m", 1);
>> > >
>> > >That way sendmail doesn't open port 25.
>> > >
>> > >Robert Simmons
>> > >Systems Administrator
>> > >http://www.wlcg.com/
>> >
>> > To Unsubscribe: send mail to majordomo@FreeBSD.org
>> > with "unsubscribe freebsd-security" in the body of the message
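
Added example, not part of the original thread: a shell check that resolves the effective sendmail settings from rc.conf-style files and reports whether the configurations discussed above leave sendmail listening (-bd), queue-only (-q30m alone) or disabled ("NO"). The sample files are constructed; the sendmail_enable variable and the rule that only "YES" starts sendmail are assumptions about the rc scripts, not taken from the messages.

```shell
#!/bin/sh
# Added example: classify the sendmail startup mode from rc.conf-style files.
# The files are parsed with sed, never sourced, so nothing in them is executed.

# rc_value VAR FILE... -> print the last assignment of VAR across the files.
# Later files and later lines win, the way /etc/rc.conf overrides the defaults.
rc_value() {
    var=$1; shift
    cat "$@" 2>/dev/null |
        sed -n "s/^[[:space:]]*${var}=\([^#]*\).*/\1/p" |
        tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# sendmail_mode FILE... -> print one of: disabled | queue-only | listening
sendmail_mode() {
    enable=$(rc_value sendmail_enable "$@")
    flags=$(rc_value sendmail_flags "$@")
    # Assumption: the rc script starts sendmail only when the value is YES.
    case $enable in
        [Yy][Ee][Ss]) ;;
        *) echo disabled; return 0 ;;
    esac
    # -bd (or -bD, its foreground form) makes sendmail accept SMTP on port 25.
    for f in $flags; do
        case $f in
            -bd|-bD) echo listening; return 0 ;;
        esac
    done
    echo queue-only
}

# Constructed sample files standing in for /etc/defaults/rc.conf and overrides.
demo=$(mktemp -d)
printf '%s\n' 'sendmail_enable="YES"' \
    'sendmail_flags="-bd -q30m"  # -bd is pretty mandatory.' > "$demo/defaults"
printf '%s\n' 'sendmail_flags="-q30m"' > "$demo/high"
printf '%s\n' 'sendmail_enable="NO"' > "$demo/off"

printf 'defaults only:        %s\n' "$(sendmail_mode "$demo/defaults")"
printf 'defaults + -q30m:     %s\n' "$(sendmail_mode "$demo/defaults" "$demo/high")"
printf 'defaults + enable=NO: %s\n' "$(sendmail_mode "$demo/defaults" "$demo/off")"
rm -rf "$demo"
```

On a real system the arguments would be /etc/defaults/rc.conf followed by /etc/rc.conf, in that order.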