I could have had troubles on my system from unwanted users knowing about my set up, because I did not set my emails in /etc/mail/aliases. I think that the editting of this file should be mentioned in the manual in the "Finalizing your Gentoo Installation" section. If you need more details concerning how it can be dangerous for /etc/mail/aliases to not be edit, feel free to ask.
(In reply to comment #0) > I could have had troubles on my system from unwanted users knowing about my set > up, because I did not set my emails in /etc/mail/aliases. > > I think that the editting of this file should be mentioned in the manual in the > "Finalizing your Gentoo Installation" section. > > If you need more details concerning how it can be dangerous for > /etc/mail/aliases to not be edit, feel free to ask. . . . except that not every user sets up any sort of mail system on their machine. I'd guess that the majority of desktop users don't bother editing this. Besides, it would be too large and complex for the "Finalizing" section. A much better place for it would be in one of the mail howtos, or possibly its own mail alias mini-guide. If you're interested in writing such a mini-guide, you're welcome to attach it to this bug. See the GuideXML guide (http://www.gentoo.org/doc/en/xml-guide.xml) and the Documentation Tips'n'Tricks (http://www.gentoo.org/proj/en/gdp/doc/doc-tipsntricks.xml). It sounds like you already have some ideas about what you'd like to see in such a doc.
*** Bug 125407 has been marked as a duplicate of this bug. ***
*** Bug 125422 has been marked as a duplicate of this bug. ***
*** Bug 125427 has been marked as a duplicate of this bug. ***
(In reply to comment #0) > I could have had troubles on my system from unwanted users knowing about my set > up, because I did not set my emails in /etc/mail/aliases. "could have had"? > I think that the editting of this file should be mentioned in the manual in the > "Finalizing your Gentoo Installation" section. Nope, that part of Handbook is talking about installation. Users setting up mailserver should either know what they are doing or read the respective howto. > If you need more details concerning how it can be dangerous for > /etc/mail/aliases to not be edit, feel free to ask. If you have any relevant information regarding such danger on majority of computers, feel free to reopen.
I was not setting up a mail server. I can assure you that this problem will be prevalent on any machine out of the box. The danger that was occuring, was that the cron daemon was sending emails to root@<hostname>, but since I have no mail server setup (regular desktop machine), it was sending the mail to servers on the network to which my machine is attached (since I know the people who manage the servers, they showed me the mail that my cron daemon and apache to a non-existent address, root@hostname.). Some of my cron jobs involve entering passwords and the such. I also do not intend to let stangers know of what I am doing on my machine. Summary: Applications on a machine, when setup by default (such as cron daemons, webservers, or any application that sends to places suchas root@localhost) will send emails that will bounce and which can be tracked down by a malicious user. A user, who is not aware of this might add things to his applications that might initiate the sending of information that might lead to someone being able to conduct malicious things on the improperly configured machine. If you guys still disagree with me, then I will write up the guide, as Saddler suggested that I do. P.S. I appologize for those duplicates...I am not sure how that occurred (maybe I clicked submit after forgetting that I already submitted the bug, and due to network lag).
(In reply to comment #6) > I was not setting up a mail server. I can assure you that this problem will be > prevalent on any machine out of the box. > > The danger that was occuring, was that the cron daemon was sending emails to > root@<hostname>, but since I have no mail server setup (regular desktop > machine), it was sending the mail to servers on the network to which my machine > is attached (since I know the people who manage the servers, they showed me the > mail that my cron daemon and apache to a non-existent address, root@hostname.). It isn't default setup then. > Some of my cron jobs involve entering passwords and the such. I also do not > intend to let stangers know of what I am doing on my machine. Entering passwords for cronjobs? Huh? In order for virtual/mta to work, you usually have to edit its configuration file. You're right, we should mention this one *somewhere* in the docs. Not just setting up aliases, but ssmtp (default vitual/mta) configuration as well. > Summary: Applications on a machine, when setup by default (such as cron > daemons, webservers, or any application that sends to places suchas > root@localhost) will send emails that will bounce and which can be tracked down Again, default installation doesn't have webserver.
As soon as I find some time (Friday this week hopefully), I'll write up an aliases doc. Therefore marked to "Later".
Created attachment 82339 [details] mail-aliases.xml I wrote the mini-guide.
I am not sure if I have to reopen it, so I will anyway.
Created attachment 82340 [details] mail-aliases.xml Attached the wrong file initially.
It's been a month...just a reminder.
Is there any reason your system wouldn't have localhost point to 127.0.0.1? I know on any system I have ever set up, root@localhost (or anything relating to localhost) will point to the local system. If I send an email on a just set up system using mail root@localhost, it reacts the same as if I sent it using "mail root", and ends up at the root user. root@localhost is a real email, because localhost is a real hostname.
Never mind that, I rechecked what I was saying and indeed it seems on some machines root@localhost won't work (though still on any I have set up, it works perfectly). It should not be sending anything out to the network though.
(In reply to comment #14) > Never mind that, I rechecked what I was saying and indeed it seems on some > machines root@localhost won't work (though still on any I have set up, it works > perfectly). It should not be sending anything out to the network though. > It is going to send it out to the network if no mail server is set-up to recieve the mail. i.e. It is going to look for something to send with, and if it will not find that something it will look over the network...I am very iffy on the details.
Is any of this still valid? None of the reporters/confirmers have a clear indication of what works or why, so I'm afraid nothing can be committed yet. Again, if you're setting up a webserver or mailserver of some kind, the guides talk about email setup, and/or you'd better already know what you're doing if you're installing said servers. There is no mail sent by default on a fresh installation, nor does the system look to send anything over the network. CCing the net-mail team to provide some feedback; can you please indicate whether or not any of the suggestions in this bug are valid, especially on a fresh Gentoo installation.
Thanks, but no thanks
Created attachment 117107 [details] Updated the mini-guide
I hate to re-open this, but it is still giving me trouble and I still believe that it can cause other users trouble. I did a fresh install of Gentoo and installed a cron (vixie-cron) daemon as per the handbook. The senior systems administrator reported shortly after, that the box I installed Gentoo on was spewing out emails. I forgot to edit the aliases during installation. Editing them as per my mini-guide fixed the problem. I think the best course of action is to mention something in the cron install section: http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=9 I updated the the mini-guide in case you still want to use it. I promise that this is absolutely the last time I bring this thing up.
As neysx said in comment #17, and comment #1, comment #5, and comment #7, and a quote from your own comment #15 ("I am very iffy on the details"), thanks, but no thanks. I can't reproduce it on any box. It simply doesn't happen on a fresh install. If users are setting up a mailserver, they need to read the appropriate guide, or else they otherwise know what they're doing.
Actually, it does happen quite a lot on a dormitory LAN I am part of. As an admin of a central mailserver, I know immediately when someone new installs Gentoo, as their cronjob e-mails end up bouncing. I always blamed it on ssmtp not being able to do local delivery, though.
