Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 125396 - Mention of editing /etc/mail/aliases
Summary: Mention of editing /etc/mail/aliases
Status: RESOLVED WONTFIX
Alias: None
Product: [OLD] Docs on www.gentoo.org
Classification: Unclassified
Component: New Documentation (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Docs Team
URL:
Whiteboard:
Keywords:
: 125407 125422 125427 (view as bug list)
Depends on:
Blocks:
 
Reported: 2006-03-07 12:53 UTC by Andrey Falko
Modified: 2007-04-24 05:27 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
mail-aliases.xml (mail-aliases.xml,2.77 KB, application/xml)
2006-03-16 23:33 UTC, Andrey Falko
Details
mail-aliases.xml (mail-aliases.xml,2.81 KB, text/plain)
2006-03-16 23:39 UTC, Andrey Falko
Details
Updated the mini-guide (mail-aliases.xml,2.74 KB, text/plain)
2007-04-24 03:22 UTC, Andrey Falko
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andrey Falko 2006-03-07 12:53:27 UTC
I could have had troubles on my system from unwanted users knowing about my set up, because I did not set my emails in /etc/mail/aliases.

I think that the editting of this file should be mentioned in the manual in the "Finalizing your Gentoo Installation" section.

If you need more details concerning how it can be dangerous for /etc/mail/aliases to not be edit, feel free to ask.
Comment 1 nm (RETIRED) gentoo-dev 2006-03-07 13:01:56 UTC
(In reply to comment #0)
> I could have had troubles on my system from unwanted users knowing about my set
> up, because I did not set my emails in /etc/mail/aliases.
> 
> I think that the editting of this file should be mentioned in the manual in the
> "Finalizing your Gentoo Installation" section.
> 
> If you need more details concerning how it can be dangerous for
> /etc/mail/aliases to not be edit, feel free to ask.

. . . except that not every user sets up any sort of mail system on their machine. I'd guess that the majority of desktop users don't bother editing this.

Besides, it would be too large and complex for the "Finalizing" section. A much better place for it would be in one of the mail howtos, or possibly its own mail alias mini-guide.

If you're interested in writing such a mini-guide, you're welcome to attach it to this bug. See the GuideXML guide (http://www.gentoo.org/doc/en/xml-guide.xml) and the Documentation Tips'n'Tricks (http://www.gentoo.org/proj/en/gdp/doc/doc-tipsntricks.xml). It sounds like you already have some ideas about what you'd like to see in such a doc.
Comment 2 SpanKY gentoo-dev 2006-03-07 15:09:07 UTC
*** Bug 125407 has been marked as a duplicate of this bug. ***
Comment 3 Łukasz Damentko (RETIRED) gentoo-dev 2006-03-07 17:45:41 UTC
*** Bug 125422 has been marked as a duplicate of this bug. ***
Comment 4 SpanKY gentoo-dev 2006-03-07 19:40:42 UTC
*** Bug 125427 has been marked as a duplicate of this bug. ***
Comment 5 Jan Kundrát (RETIRED) gentoo-dev 2006-03-08 10:56:48 UTC
(In reply to comment #0)
> I could have had troubles on my system from unwanted users knowing about my set
> up, because I did not set my emails in /etc/mail/aliases.

"could have had"?

> I think that the editting of this file should be mentioned in the manual in the
> "Finalizing your Gentoo Installation" section.

Nope, that part of Handbook is talking about installation. Users setting up mailserver should either know what they are doing or read the respective howto.

> If you need more details concerning how it can be dangerous for
> /etc/mail/aliases to not be edit, feel free to ask.

If you have any relevant information regarding such danger on majority of computers, feel free to reopen.
Comment 6 Andrey Falko 2006-03-11 13:41:10 UTC
I was not setting up a mail server. I can assure you that this problem will be prevalent on any machine out of the box.

The danger that was occuring, was that the cron daemon was sending emails to root@<hostname>, but since I have no mail server setup (regular desktop machine), it was sending the mail to servers on the network to which my machine is attached (since I know the people who manage the servers, they showed me the mail that my cron daemon and apache to a non-existent address, root@hostname.). Some of my cron jobs involve entering passwords and the such. I also do not intend to let stangers know of what I am doing on my machine.

Summary: Applications on a machine, when setup by default (such as cron daemons, webservers, or any application that sends to places suchas root@localhost) will send emails that will bounce and which can be tracked down by a malicious user. A user, who is not aware of this might add things to his applications that might initiate the sending of information that might lead to someone being able to conduct malicious things on the improperly configured machine.

If you guys still disagree with me, then I will write up the guide, as Saddler suggested that I do.

P.S. I appologize for those duplicates...I am not sure how that occurred (maybe I clicked submit after forgetting that I already submitted the bug, and due to network lag).
Comment 7 Jan Kundrát (RETIRED) gentoo-dev 2006-03-12 07:26:34 UTC
(In reply to comment #6)
> I was not setting up a mail server. I can assure you that this problem will be
> prevalent on any machine out of the box.
> 
> The danger that was occuring, was that the cron daemon was sending emails to
> root@<hostname>, but since I have no mail server setup (regular desktop
> machine), it was sending the mail to servers on the network to which my machine
> is attached (since I know the people who manage the servers, they showed me the
> mail that my cron daemon and apache to a non-existent address, root@hostname.).

It isn't default setup then.

> Some of my cron jobs involve entering passwords and the such. I also do not
> intend to let stangers know of what I am doing on my machine.

Entering passwords for cronjobs? Huh?

In order for virtual/mta to work, you usually have to edit its configuration file.

You're right, we should mention this one *somewhere* in the docs. Not just setting up aliases, but ssmtp (default vitual/mta) configuration as well.

> Summary: Applications on a machine, when setup by default (such as cron
> daemons, webservers, or any application that sends to places suchas
> root@localhost) will send emails that will bounce and which can be tracked down

Again, default installation doesn't have webserver.
Comment 8 Andrey Falko 2006-03-12 08:12:20 UTC
As soon as I find some time (Friday this week hopefully), I'll write up an aliases doc. Therefore marked to "Later".
Comment 9 Andrey Falko 2006-03-16 23:33:38 UTC
Created attachment 82339 [details]
mail-aliases.xml

I wrote the mini-guide.
Comment 10 Andrey Falko 2006-03-16 23:34:35 UTC
I am not sure if I have to reopen it, so I will anyway.
Comment 11 Andrey Falko 2006-03-16 23:39:36 UTC
Created attachment 82340 [details]
mail-aliases.xml

Attached the wrong file initially.
Comment 12 Andrey Falko 2006-04-16 12:41:09 UTC
It's been a month...just a reminder.
Comment 13 stupendoussteve 2006-06-04 00:03:38 UTC
Is there any reason your system wouldn't have localhost point to 127.0.0.1? I know on any system I have ever set up, root@localhost (or anything relating to localhost) will point to the local system. If I send an email on a just set up system using mail root@localhost, it reacts the same as if I sent it using "mail root", and ends up at the root user. root@localhost is a real email, because localhost is a real hostname.
Comment 14 stupendoussteve 2006-06-04 00:15:09 UTC
Never mind that, I rechecked what I was saying and indeed it seems on some machines root@localhost won't work (though still on any I have set up, it works perfectly). It should not be sending anything out to the network though.
Comment 15 Andrey Falko 2006-06-09 11:22:19 UTC
(In reply to comment #14)
> Never mind that, I rechecked what I was saying and indeed it seems on some
> machines root@localhost won't work (though still on any I have set up, it works
> perfectly). It should not be sending anything out to the network though.
> 

It is going to send it out to the network if no mail server is set-up to recieve the mail. i.e. It is going to look for something to send with, and if it will not find that something it will look over the network...I am very iffy on the details.
Comment 16 nm (RETIRED) gentoo-dev 2006-09-03 16:03:08 UTC
Is any of this still valid? None of the reporters/confirmers have a clear indication of what works or why, so I'm afraid nothing can be committed yet.

Again, if you're setting up a webserver or mailserver of some kind, the guides talk about email setup, and/or you'd better already know what you're doing if you're installing said servers.

There is no mail sent by default on a fresh installation, nor does the system look to send anything over the network.

CCing the net-mail team to provide some feedback; can you please indicate whether or not any of the suggestions in this bug are valid, especially on a fresh Gentoo installation.
Comment 17 Xavier Neys (RETIRED) gentoo-dev 2006-10-24 09:38:39 UTC
Thanks, but no thanks
Comment 18 Andrey Falko 2007-04-24 03:22:27 UTC
Created attachment 117107 [details]
Updated the mini-guide
Comment 19 Andrey Falko 2007-04-24 03:23:27 UTC
I hate to re-open this, but it is still giving me trouble and I still believe that it can cause other users trouble.

I did a fresh install of Gentoo and installed a cron (vixie-cron) daemon as per the handbook. The senior systems administrator reported shortly after, that the box I installed Gentoo on was spewing out emails. I forgot to edit the aliases during installation. Editing them as per my mini-guide fixed the problem. 

I think the best course of action is to mention something in the cron install section: http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=9 
I updated the the mini-guide in case you still want to use it.

I promise that this is absolutely the last time I bring this thing up.
Comment 20 nm (RETIRED) gentoo-dev 2007-04-24 04:00:26 UTC
As neysx said in comment #17, and comment #1, comment #5, and comment #7, and a quote from your own comment #15 ("I am very iffy on the details"), thanks, but no thanks. I can't reproduce it on any box. It simply doesn't happen on a fresh install.

If users are setting up a mailserver, they need to read the appropriate guide, or else they otherwise know what they're doing.
Comment 21 Andrej Kacian (RETIRED) gentoo-dev 2007-04-24 05:27:56 UTC
Actually, it does happen quite a lot on a dormitory LAN I am part of. As an admin of a central mailserver, I know immediately when someone new installs Gentoo, as their cronjob e-mails end up bouncing.

I always blamed it on ssmtp not being able to do local delivery, though.