From: Les Mikesell <lesmikesell@xxxxxxxxx>,Subject:

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Les Mikesell <lesmikesell@xxxxxxxxx> wrote:

The way to get security is to make the system consistent and easily understandable.
Couldn't agree with you more. To me that means configuring services the way most people will need them.
If users need to hand-edit complex config files for common operations you haven't accomplished that.
That's just it. Probably 99% of all Linux installs don't entail configuring the system as a true mail server. The FC and RHEL approach means *MOST* users don't have to edit a complex config file.
How, for example, would you advise a user to check for whether sendmail was active on the network or not, and how to change it?
Ask their mail server admin. They have no business running their own mail server.
Why should this differ from what you'd say about dovecot?
When I set up dovecot I had to edit /etc/dovecot.conf before it worked:

diff dovecot.conf dovecot.conf.centos
14c14
< protocols = imap imaps pop3
---
> #protocols = imap imaps
21,22c21,22
< imap_listen = 192.168.255.254:143
< pop3_listen = 192.168.255.254:110
---
> imap_listen = [::]
> pop3_listen = [::]
26,27c26,27
< imaps_listen = 192.168.255.254:993
---
> #imaps_listen =
87c87
< login_executable = /usr/libexec/dovecot/imap-login
---
> #login_executable = /usr/libexec/dovecot/imap-login
92c92
< login_user = dovecot
---
> #login_user = dovecot

While the file is easy to understand, knowing what to enable or not enable and why isn't. Should we have a dovecot configuration GUI?
If every program is a special case, few people are going to understand the system well enough to keep it secure.
Agreed. That means it absolutely makes sense to install sendmail such that the typical user doesn't have to understand how to configure it to be secure.

How long are you going to keep insisting on something that very few people need or want? Most people don't run a true mail server. They connect to either their ISP's or their employer's mail server. They don't want to have to know how to secure sendmail nor even how to enable or disable it. I can think of quite a few other system configuration tasks that I would rather see Red Hat or the community put resources into over expending effort on some kind of GUI sendmail configuration tool that most users will never use and those who need to configure sendmail will ignore because they know they need to edit sendmail.cf to correctly configure it for their particular needs (e.g., filters, RBLs, etc.).

Dave

--
Politics, n. Strife of interests masquerading as a contest of principles.
-- Ambrose Bierce

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux