----- Original Message -----
> I created a new bug [1] that explains that ssmtp is sending all cron
> jobs output to an external SMTP server. I marked it as a security bug,
> the security tag was removed and it was recommend to make it public,
> something I can't do. I will resume the problem here, because there are
> comments that says that it isn't a security bug, I disagree:
>
> 1- Fedora 20 shipped with the feature of not running a SMTP server by
> default, I was fine with it because I don't need to send emails or
> receive emails locally using it.
>
> 2- an update pulled ssmtp
>
> Apr 20 19:06:14 Installed: ssmtp-2.64-11.fc20.x86_64
> Apr 20 19:06:15 Updated: 1:smartmontools-6.2-5.fc20.x86_64
>
> 3- ssmtp is configured by default to send emails to a host named mail
>
> 4- If a cron jobs runs the email is sent to mail.[your.domain] without
> you ever configuring that.
This is certainly not a reasonable default configuration for Fedora.
While I think that it is not a reasonable default configuration for ssmtp at all, I could be persuaded otherwise; but in that case, it should never be installed by _anything_ that isn’t an explicit user’s choice (i.e. no dependencies direct or indirect, no comps group presence, and ideally/overzealously? an automated test that makes installing ssmtp in a default product configuration a release blocker).
Mirek
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
