On Thu, Oct 14, 2010 at 08:47:28AM +0200, Giles Coochey wrote:

On 14/10/2010 08:44, Roland RoLaNd wrote:

Hi all,

i'm following online guides to secure my centos 5.4
it's advised to turn off sendmail service among others.
but how can i forward my /var/log/mail to my webmail ?

http://blog.zloether.com/2009/07/install-ssmtp-in-centos.html

The problem with ssmtp is that it only sends to an outside source. It's no longer maintained as far as I know, and I don't think there's a way to get it to just go local, without sending outside. (DISCLAIMER--haven't used it in a long while, and perhaps someone fixed that, or found out a way, but I remember on Fedora forums there was a thread about it, and I don't think anyone managed to get it to only send and deliver locally.)

http://blog.zloether.com/2009/07/send-email-from-linux-shell.html

This also, you will note, sends email through (in the example) through gmail, that is, going outside the machine.

On Thu, Oct 14, 2010 at 11:50:51AM +0200, Giles Coochey wrote:

On 14/10/2010 11:48, Scott Robbins wrote:

...

...

http://blog.zloether.com/2009/07/send-email-from-linux-shell.html

This also, you will note, sends email through (in the example) through gmail, that is, going outside the machine.

I thought that was what the OP requested?

I may have misunderstood--I was under the impression that the OP only wanted to send system messages locally, that is, the sort of things syslog sends to root.

I have a rather dated page on it (that I host locally, so slow site and often down), at

http://www.scottro.net/qnd/qnd-ssmtp.html

On 14/10/2010 09:11, Alexander Dalloz wrote:

...

Hi all,

i'm following online guides to secure my centos 5.4 it's advised to turn off sendmail service among others. but how can i forward my /var/log/mail to my webmail ?

To update to CentOS 5.5 with current updates (especially the kernel!) would improve security much more than deactivating Sendmail. That said you are not bound to 5.4 by any specific usecase.

Agree with above.

...

any help would be greatly appreciated..

What is the rationale behind deactivating Sendmail. Just curious. Or is it the typical rant "Sendmail is insecure, see its history"?

If he just wants to send emails generated by internal programs on his system and doesn't need a full blown MTA then something smaller with SMTP capability would be a more fitting choice. I run sendmail myself, but then run a full blown mail system, want spam / anti-vrus checking and so on, but for ordinary systems (non-mailservers) something simpler with a smaller footprint and capability is probably better, not just from a security point of view. I commend anyone who choses not to run a full-blown MTA if they are technically uncertain about the security implications.

What could be so insecure about using sendmail localy? Don't start the daemon, so it is not listening... Or the firewall will block the port anyway... If the mail is sent to a trusted mail server, there is no risks. Am I missing something?

On a hardened, production, well configured server that strategy would simply be a part of a "Defence-in-Depth" security strategy.

What's the worst that could happen?

Actually, as of RHEL6, the default MTA is now Postfix.

Sendmail does indeed have a rather lengthy history of vulnerabilities. With that being said, in my opinion, Postfix is also a much more flexible MTA.

Josh

-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Morten P.D. Stevens Sent: Thursday, October 14, 2010 1:55 PM To: CentOS mailing list Subject: Re: [CentOS] sendmail substitute?

On Thu, Oct 14, 2010 at 9:11 AM, Alexander Dalloz ad+lists@uni-x.org wrote:

What is the rationale behind deactivating Sendmail. Just curious. Or

is it

the typical rant "Sendmail is insecure, see its history"?

I don't understand why many people calling sendmail insecure.

Sendmail is the default MTA in RHEL, Solaris, AIX, FreeBSD, OpenBSD ...

Why should they use an insecure MTA?

Sendmail is a very robust and reliable MTA.

Best regards,

Morten _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos

On 10/14/2010 4:19 PM, Gary Greene wrote:

On 14/10/10 10:58 AM, "Baird, Josh"jbaird@follett.com wrote:

...

Actually, as of RHEL6, the default MTA is now Postfix.

Sendmail does indeed have a rather lengthy history of vulnerabilities. With that being said, in my opinion, Postfix is also a much more flexible MTA.

Josh

Well, I'd call that a red herring as Sendmail is just as flexible. The main issues that people have with Sendmail regarding security or flexibility come from the fact that you need to understand the configuration language that Sendmail's configuration files use. If you don't, yes, you can easily eff up the the security of your mail infrastructure and can get lost quickly if you're trying to configure it for more functionality/mail routing/etc.

Sure there have been vulnerabilities in the past, but so has postfix/exim/dbmail/etc.... I think the main reason upstream changed to Postfix is mostly a) most Linux distributions are using it as the default MTA now, and b) it is easier to configure and nothing more.

What you really want with sendmail is a milter-multiplexer like MimeDefang where you can do anything you want without slowing down the faster native sendmail steps and handle the unusual configuration parts in a snipped of perl. Now that postfix has gotten milters right I think you could use MimeDefang with it too.

But, sendmail these days is probably the most strictly audited piece of code on your server so I think the OP is just following bad advice.