Debian Bug report logs - #557948
ssmtp: Fails to send any mail with send-mail: Cannot open mailhub:25

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Sven <sven@timegate.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: ssmtp: Fails to send any mail with send-mail: Cannot open mailhub:25

Date: Wed, 25 Nov 2009 14:07:41 +0100

Package: ssmtp
Version: 2.64-1
Severity: grave
Justification: renders package unusable


Hi,
2.64-1 stopped working here while telneting to the mailhub still
works as does downgrading to 2.63-1.1.

Error message is alway the following:
sven@marvin:~$ echo foo|mail -s bar sven@timegate.de
send-mail: Cannot open mailhub:25


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.31-1-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ssmtp depends on:
ii  debconf [debconf-2.0]         1.5.28     Debian configuration management sy
ii  libc6                         2.10.2-2   GNU C Library: Shared libraries
ii  libgnutls26                   2.8.5-2    the GNU TLS library - runtime libr

ssmtp recommends no packages.

ssmtp suggests no packages.

-- debconf information:
  ssmtp/overwriteconfig: true
  ssmtp/mailname:
  ssmtp/mailhub: mail.hx.lan
  ssmtp/fromoverride: true
  ssmtp/hostname: marvin.hx.lan
  ssmtp/root: sven@hx.lan
  ssmtp/rewritedomain:
  ssmtp/port: 25

Message #10 received at 557948@bugs.debian.org (full text, mbox, reply):

From: Aníbal Monsalve Salazar <anibal@debian.org>

To: Sven <sven@timegate.de>, 557948@bugs.debian.org

Subject: Re: Bug#557948: ssmtp: Fails to send any mail with send-mail: Cannot open mailhub:25

Date: Thu, 26 Nov 2009 02:30:23 +0000

On Wed, Nov 25, 2009 at 02:07:41PM +0100, Sven wrote:
>2.64-1 stopped working here while telneting to the mailhub still
>works as does downgrading to 2.63-1.1.
>
>Error message is alway the following:
>sven@marvin:~$ echo foo|mail -s bar sven@timegate.de
>send-mail: Cannot open mailhub:25

Please read bug report #500454:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500454

To fix your problem, add the username you're using to run ssmtp to the
mail group list in /etc/groups. Something like:

grep mail /etc/group
mail:x:8:sven

Message #15 received at 557948@bugs.debian.org (full text, mbox, reply):

From: Sven Hoexter <sven@timegate.de>

To: Aníbal Monsalve Salazar <anibal@debian.org>

Cc: control@bugs.debian.org, 557948@bugs.debian.org

Subject: Re: Bug#557948: ssmtp: Fails to send any mail with send-mail: Cannot open mailhub:25

Date: Thu, 26 Nov 2009 08:40:20 +0100

severity 557948 normal
thanks

On Thu, Nov 26, 2009 at 02:30:23AM +0000, Aníbal Monsalve Salazar wrote:

Hi,

> Please read bug report #500454:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500454

Thanks for the info. Maybe that should be added to README.Debian?
Or is it documented elsewhere and I simply missed that?

Sven
-- 
If God passed a mic to me to speak
I'd say stay in bed, world
Sleep in peace
   [The Cardigans - 03:45: No sleep]

Message #22 received at 557948@bugs.debian.org (full text, mbox, reply):

From: Alec Berryman <alec@thened.net>

To: 557948@bugs.debian.org

Subject: Re: Bug#557948: ssmtp: Fails to send any mail with send-mail: Cannot open mailhub:25

Date: Mon, 7 Dec 2009 13:32:17 -0600

severity 557948 serious
thanks

It is not OK to break the system's mail silently on upgrade and this
should not have gone into testing.

There was no README.Debian entry that apt-listchanges could have alerted
me to, no changelog entry noting the implication of the fix for bug
#500454, and no documentation along with the package that would have
suggested I needed to add all users who want to send mail to the mail
group.  Having to search through bug reports to find out why an
important system component is completely broken is not what I expect
from Debian testing.

Message #29 received at 557948@bugs.debian.org (full text, mbox, reply):

From: Sylvain Le Gall <gildor@debian.org>

To: Debian Bug Tracking System <557948@bugs.debian.org>

Subject: ssmtp: Split configuration or give more informations

Date: Wed, 16 Dec 2009 10:05:47 +0100

Package: ssmtp
Version: 2.64-1
Severity: normal


Hello,

I am just hit by this bug. I understand the fix, and agree with the
problem described in #500454. 

However the error message:
"Fails to send any mail with send-mail: Cannot open mailhub:25"
is quite not helpful for debugging this.

The first solution would to have a more explicit error message:
"File /etc/ssmtp/ssmtp.conf exists but cannot be read, try adding $USER
to group mail" for example

The second solution, for a smoother upgrade is to split configuration
between ssmtp.conf and ssmtp.conf.secret. This require more work but
will allow people that don't use SMTP AUTH to keep the same ssmtp.conf
file and for the other to not disclose their information (they should be
stored in .secret). 

Then there is 3 cases:
- no Auth* keyword in ssmtp.conf -> keep it this way
- package ssmtp detect Auth* in ssmtp.conf -> either move these fields
  to .secret or issue a warning
- program ssmtp.conf detect that .secret exists but cannot be read ->
  error message "File /etc/ssmtp/ssmtp.conf.secret exists but cannot be
  read, try adding $USER to group mail"
  
Note that I run several servers that communicate with me only through
mails. Due to the inability to send mails with ssmtp, I was not able to
detect that there was a problem.

I think this is a quite big issue that should be upgraded to
severity:grave (but this is my POV).

Thanks for maintaining ssmtp, this is a great tool
Regards
Sylvain Le Gall

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-vserver-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages ssmtp depends on:
ii  debconf [debconf-2.0]         1.5.28     Debian configuration management sy
ii  libc6                         2.10.2-2   GNU C Library: Shared libraries
ii  libgnutls26                   2.8.5-2    the GNU TLS library - runtime libr

ssmtp recommends no packages.

ssmtp suggests no packages.

-- debconf information:
  ssmtp/overwriteconfig: true
  ssmtp/mailname:
* ssmtp/mailhub: smtp.gallu.homelinux.org
* ssmtp/fromoverride: true
* ssmtp/hostname: yocto.gallu.homelinux.org
* ssmtp/root: postmaster
* ssmtp/rewritedomain: gallu.homelinux.org
* ssmtp/port: 25

Message #36 received at 557948@bugs.debian.org (full text, mbox, reply):

From: "Rémi Denis-Courmont" <remi@remlab.net>

To: Aníbal Monsalve Salazar <anibal@debian.org>, control@bugs.debian.org

Cc: Sven <sven@timegate.de>, 557948@bugs.debian.org

Subject: Re: Bug#557948: ssmtp: Fails to send any mail with send-mail: Cannot open mailhub:25

Date: Thu, 7 Jan 2010 18:05:35 +0200

severity 557948 serious
thanks

Le jeudi 26 novembre 2009 04:30:23 Aníbal Monsalve Salazar, vous avez écrit :
> On Wed, Nov 25, 2009 at 02:07:41PM +0100, Sven wrote:
> >2.64-1 stopped working here while telneting to the mailhub still
> >works as does downgrading to 2.63-1.1.
> >
> >Error message is alway the following:
> >sven@marvin:~$ echo foo|mail -s bar sven@timegate.de
> >send-mail: Cannot open mailhub:25
> 
> Please read bug report #500454:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500454
> 
> To fix your problem, add the username you're using to run ssmtp to the
> mail group list in /etc/groups. Something like:
> 
> grep mail /etc/group
> mail:x:8:sven

The mail group has read/write access to /var/mail/* and is intended for the 
mail daemons. For instance, Dovecot IMAP runs as the dovecot user ID, with 
mail group permission.

Adding all users to the mail group is not just impractical, it is a worse 
security vulnerability than #500454. All users would be able to read and 
modify other's mailboxes. That is not to deny that #500454 is a security 
problem. But putting users in the mail group is not at all a solution.

-- 
Rémi Denis-Courmont
http://www.remlab.net/
http://fi.linkedin.com/in/remidenis

Message #41 received at 557948@bugs.debian.org (full text, mbox, reply):

From: Sven Hoexter <sven@timegate.de>

To: Rémi Denis-Courmont <remi@remlab.net>

Cc: 557948@bugs.debian.org

Subject: Re: Bug#557948: ssmtp: Fails to send any mail with send-mail: Cannot open mailhub:25

Date: Fri, 8 Jan 2010 15:06:40 +0100

On Thu, Jan 07, 2010 at 06:05:35PM +0200, Rémi Denis-Courmont wrote:

Hi,

> The mail group has read/write access to /var/mail/* and is intended for the 
> mail daemons. For instance, Dovecot IMAP runs as the dovecot user ID, with 
> mail group permission.

I wouldn't overrate this issue though it's a reasonable concern.
But on systems where you run MTAs such as ssmtp you usually don't store
mails locally in /var/mail/.

Sven
-- 
If God passed a mic to me to speak
I'd say stay in bed, world
Sleep in peace
   [The Cardigans - 03:45: No sleep]

Message #46 received at 557948@bugs.debian.org (full text, mbox, reply):

From: Rémi Denis-Courmont <remi@remlab.net>

To: Sven Hoexter <sven@timegate.de>

Cc: 557948@bugs.debian.org

Subject: Re: Bug#557948: ssmtp: Fails to send any mail with send-mail: Cannot open mailhub:25

Date: Fri, 08 Jan 2010 15:41:41 +0100

On Fri, 8 Jan 2010 15:06:40 +0100, Sven Hoexter <sven@timegate.de> wrote:
>> The mail group has read/write access to /var/mail/* and is intended for
>> the mail daemons. For instance, Dovecot IMAP runs as the dovecot user
>> ID, with mail group permission.
> 
> I wouldn't overrate this issue though it's a reasonable concern.
> But on systems where you run MTAs such as ssmtp you usually don't store
> mails locally in /var/mail/.

Even then... If you need to give read permission the ssmtp configuration to
users, you are almost back to square one with #500454. The authentication
token is effectively visible to (real) all users.

-- 
Rémi Denis-Courmont
http://www.remlab.net
http://fi.linkedin.com/in/remidenis

Message #57 received at 557948@bugs.debian.org (full text, mbox, reply):

From: Sune Vuorela <Sune@vuorela.dk>

To: debian-ctte@lists.debian.org, 557948@bugs.debian.org

Subject: Re: ssmtp severity 557948 normal

Date: Mon, 11 Jan 2010 23:48:18 +0100

[Message part 1 (text/plain, inline)]

(resending to correct address)
reassign 557948 ssmtp,tech-ctte
thanks

On Monday 11 January 2010 22:39:19 Aníbal Monsalve Salazar wrote:
> package ssmtp
> severity 557948 normal
> stop

Dear tech-ctte,

A while ago, ssmtp started requiring users to be in group:mail to be able to 
send emails. As "mail" traditionally is the group (and user) for mail 
transporting in general, as this is how /var/mail/* is governed.

Several users seemed this bug should be at RC severity, but now the maintainer 
disagrees.

I ask you, tech-ctte, please override the maintainer in the following two 
cases:
1) the severity of bug 557948 should be at a release critical level and
2) ssmtp must not require users to be member of group:mail

Thanks in advance

/Sune
-- 
How to reset a command prompt?

First you neither must reset the pin on the PCI periferic, nor can ever 
overclock a directory to delete from the terminale to a 6X TCP/IP folder to 
the monitor.

[signature.asc (application/pgp-signature, inline)]

Message #62 received at 557948@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org>

To: 557948@bugs.debian.org, ssmtp@packages.debian.org

Subject: Re: ssmtp severity 557948 normal

Date: Mon, 11 Jan 2010 16:10:28 -0800

Sune Vuorela <Sune@vuorela.dk> writes:

> A while ago, ssmtp started requiring users to be in group:mail to be
> able to send emails. As "mail" traditionally is the group (and user) for
> mail transporting in general, as this is how /var/mail/* is governed.

At first glance, the analysis in the bug log from Rémi Denis-Courmont
appears to be correct to me.  Group mail is a privileged system group
which has read/write access to everyone's mail in one of the two mail
permission configurations that Debian explicitly supports (see Policy
11.6).  It also allows a user in that group to delete anyone else's mail
spool due to the default permissions on /var/mail.  Overloading that group
to control who can send outgoing mail looks like a bad conflation of two
different privileges that will lead to users being given excessive and
unexpected privileges.

However, all that's happened to date in the public bug log is that the
maintainer has changed the severity; there's no wontfix tag or indication
that the bug won't be fixed.

Aníbal, could you give some more background on your plans here?  I don't
think the severity is really the relevant question; the question is more
whether you intend to keep the current behavior or if you already have
plans to change it.  If you plan to change it, then it probably doesn't
matter a great deal what the bug severity is set to.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Message #67 received at 557948@bugs.debian.org (full text, mbox, reply):

From: Aníbal Monsalve Salazar <anibal@debian.org>

To: Russ Allbery <rra@debian.org>, 557948@bugs.debian.org

Subject: Re: Bug#557948: ssmtp severity 557948 normal

Date: Tue, 12 Jan 2010 00:41:42 +0000

[Message part 1 (text/plain, inline)]

On Mon, Jan 11, 2010 at 04:10:28PM -0800, Russ Allbery wrote:
>Sune Vuorela <Sune@vuorela.dk> writes:
>
>>A while ago, ssmtp started requiring users to be in group:mail to be
>>able to send emails. As "mail" traditionally is the group (and user)
>>for mail transporting in general, as this is how /var/mail/* is
>>governed.
>
>At first glance, the analysis in the bug log from Rémi Denis-Courmont
>appears to be correct to me.  Group mail is a privileged system group
>which has read/write access to everyone's mail in one of the two mail
>permission configurations that Debian explicitly supports (see Policy
>11.6).  It also allows a user in that group to delete anyone else's
>mail spool due to the default permissions on /var/mail.  Overloading
>that group to control who can send outgoing mail looks like a bad
>conflation of two different privileges that will lead to users being
>given excessive and unexpected privileges.

I didn't want to create yet another group. Are you suggesting to create
a new one just for ssmtp?

>However, all that's happened to date in the public bug log is that the
>maintainer has changed the severity; there's no wontfix tag or
>indication that the bug won't be fixed.
>
>Aníbal, could you give some more background on your plans here?  I
>don't think the severity is really the relevant question; the question
>is more whether you intend to keep the current behavior or if you
>already have plans to change it.  If you plan to change it, then it
>probably doesn't matter a great deal what the bug severity is set to.

I would like to fix it by ecrypting the password but it'll take me some
time. If someone could provide ideas/hints/patches they will be very
much appreciated.

>-- 
>Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

[signature.asc (application/pgp-signature, inline)]

Message #72 received at 557948@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org>

To: Aníbal Monsalve Salazar <anibal@debian.org>

Cc: 557948@bugs.debian.org

Subject: Re: Bug#557948: ssmtp severity 557948 normal

Date: Mon, 11 Jan 2010 17:13:32 -0800

Aníbal Monsalve Salazar <anibal@debian.org> writes:
> On Mon, Jan 11, 2010 at 04:10:28PM -0800, Russ Allbery wrote:

>> At first glance, the analysis in the bug log from Rémi Denis-Courmont
>> appears to be correct to me.  Group mail is a privileged system group
>> which has read/write access to everyone's mail in one of the two mail
>> permission configurations that Debian explicitly supports (see Policy
>> 11.6).  It also allows a user in that group to delete anyone else's
>> mail spool due to the default permissions on /var/mail.  Overloading
>> that group to control who can send outgoing mail looks like a bad
>> conflation of two different privileges that will lead to users being
>> given excessive and unexpected privileges.

> I didn't want to create yet another group. Are you suggesting to create
> a new one just for ssmtp?

I assume the underlying difficulty is that ssmtp doesn't have a privilege
separation built into the software the way that most UNIX MTAs do, where
there's a daemon running with elevated privileges that the client talks
to?

Creating a separate group for ssmtp seems like a better solution than
using the mail group, yes.  Obviously, it would be ideal if there were
some way to not require users be added to a group to be able to use ssmtp,
since I think that's the expected MTA behavior and it sounds like that
requirement isn't an intentional feature.  But unless the SMTP
authentication can be done as a separate helper process that can run with
different privileges, it's hard to find a way to do that.

> I would like to fix it by ecrypting the password but it'll take me some
> time. If someone could provide ideas/hints/patches they will be very
> much appreciated.

I think that just moves the problem, though, doesn't it?  The ssmtp
process needs to have access to the encryption key to decrypt the password
if it uses any authentication mechanism that can't use pre-generated
digests, which means that now you have the problem that the ssmtp process
needs access to the key file to make sense of the password.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Message #77 received at 557948@bugs.debian.org (full text, mbox, reply):

From: Aníbal Monsalve Salazar <anibal@debian.org>

To: Russ Allbery <rra@debian.org>

Cc: 557948@bugs.debian.org

Subject: Re: Bug#557948: ssmtp severity 557948 normal

Date: Tue, 12 Jan 2010 01:46:12 +0000

[Message part 1 (text/plain, inline)]

On Mon, Jan 11, 2010 at 05:13:32PM -0800, Russ Allbery wrote:
>
>I assume the underlying difficulty is that ssmtp doesn't have a
>privilege separation built into the software the way that most UNIX
>MTAs do, where there's a daemon running with elevated privileges that
>the client talks to?

Sorry Russ but was that a question or a statement?

>Creating a separate group for ssmtp seems like a better solution than
>using the mail group, yes.

Okay. I'll try that approach to fix the bug.

>Obviously, it would be ideal if there were some way to not require
>users be added to a group to be able to use ssmtp, since I think that's
>the expected MTA behavior and it sounds like that requirement isn't an
>intentional feature.  But unless the SMTP authentication can be done as
>a separate helper process that can run with different privileges, it's
>hard to find a way to do that.

Thanks.

[signature.asc (application/pgp-signature, inline)]

Message #82 received at 557948@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org>

To: Aníbal Monsalve Salazar <anibal@debian.org>

Cc: 557948@bugs.debian.org

Subject: Re: Bug#557948: ssmtp severity 557948 normal

Date: Mon, 11 Jan 2010 18:13:47 -0800

Aníbal Monsalve Salazar <anibal@debian.org> writes:
> On Mon, Jan 11, 2010 at 05:13:32PM -0800, Russ Allbery wrote:

>> I assume the underlying difficulty is that ssmtp doesn't have a
>> privilege separation built into the software the way that most UNIX
>> MTAs do, where there's a daemon running with elevated privileges that
>> the client talks to?

> Sorry Russ but was that a question or a statement?

It's a question.  I've never used ssmtp personally, so I'm just guessing
at its internal architecture.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Message #87 received at 557948@bugs.debian.org (full text, mbox, reply):

From: Hector Oron <hector.oron@gmail.com>

To: Debian Bug Tracking System <557948@bugs.debian.org>

Subject: hello, bug fix: make g+s and gid mail for /usr/sbin/ssmtp

Date: Thu, 28 Jan 2010 14:59:05 +0100

Package: ssmtp
Version: 2.64-1
Severity: normal


Hello,

  If this mail gets to you, I have fixed this problem thanks to Myon by making
/usr/sbin/ssmtp gid mail and g+s

-rwxr-sr-x 1 root mail 36168 24 nov 04:33 /usr/sbin/ssmtp

Kind regards,
-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-trunk-vserver-amd64 (SMP w/2 CPU cores)
Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ssmtp depends on:
ii  debconf [debconf-2.0]         1.5.28     Debian configuration management sy
ii  libc6                         2.10.2-5   Embedded GNU C Library: Shared lib
ii  libgnutls26                   2.8.5-2    the GNU TLS library - runtime libr

ssmtp recommends no packages.

ssmtp suggests no packages.

-- debconf information excluded

Message #92 received at 557948@bugs.debian.org (full text, mbox, reply):

From: Don Armstrong <don@debian.org>

To: Sune Vuorela <Sune@vuorela.dk>, 557948@bugs.debian.org

Subject: Severity of 557948 and plans for this bug

Date: Mon, 1 Mar 2010 14:21:37 -0800

Is there still a request for the ctte to override the maintainer on
the severity of this bug?

FWICT, Anibal agrees that this is a bug, and currently the only issue
is how to best fix both it and #500454.


Don Armstrong

-- 
I don't care how poor and inefficient a little country is; they like
to run their own business.  I know men that would make my wife a
better husband than I am; but, darn it, I'm not going to give her to
'em.
 -- The Best of Will Rogers

http://www.donarmstrong.com              http://rzlab.ucr.edu

Message #97 received at 557948@bugs.debian.org (full text, mbox, reply):

From: Sune Vuorela <Sune@vuorela.dk>

To: Don Armstrong <don@debian.org>

Cc: 557948@bugs.debian.org

Subject: Re: Severity of 557948 and plans for this bug

Date: Mon, 1 Mar 2010 23:51:18 +0100

[Message part 1 (text/plain, inline)]

On Monday 01 March 2010 23:21:37 Don Armstrong wrote:
> Is there still a request for the ctte to override the maintainer on
> the severity of this bug?
> 
> FWICT, Anibal agrees that this is a bug, and currently the only issue
> is how to best fix both it and #500454.

Hi

As I consider this issue much more severe than #500454 and it looks like 
*nothing* has happened. Even a revert would have been better. And at the same 
time maintainer has a track record of ignoring non-rc bugs.

Please override the maintainer.

/Sune
-- 
How can I do for unmounting the wordprocessor on the 53X hardware?

You must click a kernel in order to insert a hard disk on the SIMM.

[signature.asc (application/pgp-signature, inline)]

Message #102 received at 557948@bugs.debian.org (full text, mbox, reply):

From: Don Armstrong <don@debian.org>

To: Sune Vuorela <Sune@vuorela.dk>, 557948@bugs.debian.org

Subject: Re: Bug#557948: Severity of 557948 and plans for this bug

Date: Mon, 1 Mar 2010 15:49:08 -0800

On Mon, 01 Mar 2010, Sune Vuorela wrote:
> On Monday 01 March 2010 23:21:37 Don Armstrong wrote:
> > Is there still a request for the ctte to override the maintainer on
> > the severity of this bug?
> > 
> > FWICT, Anibal agrees that this is a bug, and currently the only issue
> > is how to best fix both it and #500454.
> 
> As I consider this issue much more severe than #500454 and it looks
> like *nothing* has happened. Even a revert would have been better.
> And at the same time maintainer has a track record of ignoring
> non-rc bugs.
> 
> Please override the maintainer.

Do you expect the ctte to override the severity or demand a specific
fix? The former can be done, but the latter will (almost certainly)
require a patch before that happens.


Don Armstrong

-- 
Guns Don't Kill People.
*I* Kill People.

http://www.donarmstrong.com              http://rzlab.ucr.edu

Message #107 received at 557948@bugs.debian.org (full text, mbox, reply):

From: Aníbal Monsalve Salazar <anibal@debian.org>

To: Sune Vuorela <Sune@vuorela.dk>, 557948@bugs.debian.org

Subject: Re: Bug#557948: Severity of 557948 and plans for this bug

Date: Thu, 4 Mar 2010 06:14:06 +1100

[Message part 1 (text/plain, inline)]

On Mon, Mar 01, 2010 at 03:49:08PM -0800, Don Armstrong wrote:
>On Mon, 01 Mar 2010, Sune Vuorela wrote:
>>On Monday 01 March 2010 23:21:37 Don Armstrong wrote:
>>>Is there still a request for the ctte to override the maintainer on
>>>the severity of this bug?
>>>
>>>FWICT, Anibal agrees that this is a bug, and currently the only issue
>>>is how to best fix both it and #500454.
>>
>>As I consider this issue much more severe than #500454 and it looks
>>like *nothing* has happened. Even a revert would have been better.

I was about to revert it yesterday but was working on a new libpng RC
security bug.

>>And at the same time maintainer has a track record of ignoring
>>non-rc bugs.
>>
>>Please override the maintainer.
>
>Do you expect the ctte to override the severity or demand a specific
>fix? The former can be done, but the latter will (almost certainly)
>require a patch before that happens.

I plan to fix it later in the evening.

>Don Armstrong
>
>-- 
>Guns Don't Kill People.
>*I* Kill People.
>
>http://www.donarmstrong.com              http://rzlab.ucr.edu

[signature.asc (application/pgp-signature, inline)]

Message #110 received at 557948@bugs.debian.org (full text, mbox, reply):

From: Don Armstrong <don@debian.org>

To: 557948@bugs.debian.org

Subject: Re: Bug#557948: Severity of 557948 and plans for this bug

Date: Mon, 22 Mar 2010 12:15:05 -0700

On Thu, 04 Mar 2010, Aníbal Monsalve Salazar wrote:
> On Mon, Mar 01, 2010 at 03:49:08PM -0800, Don Armstrong wrote:
> >Do you expect the ctte to override the severity or demand a specific
> >fix? The former can be done, but the latter will (almost certainly)
> >require a patch before that happens.
> 
> I plan to fix it later in the evening.

Anibal: what's the current status of this? Can we assume that the
underlying issue will be resolved shortly?


Don Armstrong

-- 
Everyone has to die. And in a hundred years nobody's going to inquire
just how most people died. The best thing is to do it in the way that
strikes your fancy most.
 -- Kenzaburō Ōe _Silent Cry_ p5

http://www.donarmstrong.com              http://rzlab.ucr.edu

Message #115 received at 557948@bugs.debian.org (full text, mbox, reply):

From: Don Armstrong <don@debian.org>

To: 557948@bugs.debian.org

Subject: Re: Bug#557948: Severity of 557948 and plans for this bug

Date: Wed, 31 Mar 2010 14:01:36 -0700

On Mon, 22 Mar 2010, Don Armstrong wrote:
> On Thu, 04 Mar 2010, Aníbal Monsalve Salazar wrote:
> > On Mon, Mar 01, 2010 at 03:49:08PM -0800, Don Armstrong wrote:
> > >Do you expect the ctte to override the severity or demand a specific
> > >fix? The former can be done, but the latter will (almost certainly)
> > >require a patch before that happens.
> > 
> > I plan to fix it later in the evening.
> 
> Anibal: what's the current status of this? Can we assume that the
> underlying issue will be resolved shortly?

I haven't heard from Anibal, and I don't see any public progress
regarding this; I think we may need to actually address the severity
of this bug. [At any point, if it gets fixed, it'll obviate our
discussion.]

ssmtp requires access to configuration files which may contain
authentication information necessary to connect to remote mail
servers.

As such, these files should not be readable by normal users, but
ideally only ssmtp (or possibly users who are authorized to send
outgoing mail.)

Currently, these files are root:mail 640, and the configuration
requests that users be added to the mail group to be able to send
mail. Unfortunatly, this ends up in the users in this group being able
to read and write to all mail spools by default.

We have the following options if we want to just decide the severity:

1. The package must not be released with this bug; it should have a
severity of at least serious.

2. The package can be released with this bug; it does not need a
severity of serious or greater. The maintainer can elevate the
severity.

3. Further discussion

I'd like to at least resolve this part of the bug by calling for a
vote in the next 48 hours. I think that we can actually discuss a fix
for this bug later if the maintainer (or someone who uses ssmtp who
wants to submit a patch) has any questions after that fact.


Don Armstrong

-- 
Clothes make the man. Naked people have little or no influence on
society.
 -- Mark Twain 

http://www.donarmstrong.com              http://rzlab.ucr.edu

Message #120 received at 557948-close@bugs.debian.org (full text, mbox, reply):

From: Anibal Monsalve Salazar <anibal@debian.org>

To: 557948-close@bugs.debian.org

Subject: Bug#557948: fixed in ssmtp 2.64-4

Date: Thu, 08 Apr 2010 07:32:09 +0000

Source: ssmtp
Source-Version: 2.64-4

We believe that the bug you reported is fixed in the latest version of
ssmtp, which is due to be installed in the Debian FTP archive:

ssmtp_2.64-4.debian.tar.bz2
  to main/s/ssmtp/ssmtp_2.64-4.debian.tar.bz2
ssmtp_2.64-4.dsc
  to main/s/ssmtp/ssmtp_2.64-4.dsc
ssmtp_2.64-4_amd64.deb
  to main/s/ssmtp/ssmtp_2.64-4_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 557948@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated ssmtp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 08 Apr 2010 16:17:50 +1000
Source: ssmtp
Binary: ssmtp
Architecture: source amd64
Version: 2.64-4
Distribution: unstable
Urgency: low
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description: 
 ssmtp      - extremely simple MTA to get mail off the system to a mail hub
Closes: 557948 559900 560397 569003 569654 570971 572154 576535
Changes: 
 ssmtp (2.64-4) unstable; urgency=low
 .
   * Set back permissions as before 2.64-1
     Closes: 570971, 572154, 559900, 557948, 560397
   * Fix pending l10n issues. Debconf translations:
     - Vietnamese (Clytie Siddall). Closes: 569003, 569654
     - Brazilian Portuguese (Jef Lui). Closes: 576535
Checksums-Sha1: 
 04601ef74065fabd3af37cbcae839eba57c7cb21 1769 ssmtp_2.64-4.dsc
 d9a4da995141ce97a07957791f4ce2d428de4e3b 33966 ssmtp_2.64-4.debian.tar.bz2
 b1da50572e774e7c251ada6926ad47061ac3a082 54832 ssmtp_2.64-4_amd64.deb
Checksums-Sha256: 
 73762393f65adf8a633a3aec80bcc830e58c6ab2aad5be52ea002d83592c1bd2 1769 ssmtp_2.64-4.dsc
 b6053112201b11ce31d6ae3ce00be63026bb656a74586a6fec522ed7c5723cf8 33966 ssmtp_2.64-4.debian.tar.bz2
 d15ab9e26f9e41d695c25668317355681e9f4326b208832b9947f0e4df36eb76 54832 ssmtp_2.64-4_amd64.deb
Files: 
 7df20255a033ed85e505f9c273dcd5ce 1769 mail extra ssmtp_2.64-4.dsc
 abf91cfabaf8142e2642532dffdfa88b 33966 mail extra ssmtp_2.64-4.debian.tar.bz2
 d144125e8fd52394bf01e693b30b2d4a 54832 mail extra ssmtp_2.64-4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQIcBAEBCAAGBQJLvYMkAAoJEHxWrP6UeJfYPkoQAJJD/esWghuhzd3IabYLWsvt
KoDNbe8Vb0p5cvxYTRrqlflZmJHKiGU3YyQ8lXsiafjtUHalFxErJUcB+O2AJXJU
jfrvVwn84O1ec3Uv/eV/eMTkStrJC9wxGuRI0mXVWMn6mo+fvwi7/rko/lrTsHym
FA10cIEZUH6zw5uEQZ6/oHFenuRDHdTv/GcX2UxeOGnNcK7h0lnm1OEpnSAeoT8I
jfzPkMTeRm9mxWdKT/oYcEzoNj4w9KgqxbG401GbKvBc1l7tn0phwkZhF4mANgHq
Y3y28GRbuY9JVqvmSJrG/23AKytYcbQ1oqYAh/GI9SEdhtD/xBQwmVy2KleBZovg
3hBvWCP3ua9qLR+BKPNjtw8gDXpTRD7iI9qgjalyRpbkDaIhK6xlwnZvX6xMnbww
wQR/bA2koM9ohuDHzWLRVqdWw/cFTiwIMR2aZXBQ8/i5n6zcorw7Je6Fz012tX/y
OiYpizBpKOgKWLyvl+p5wTgCLo5DCvuslpGNgA/kW2NyeUANBIU/lay7a62QyPF7
wPg2lSp63F5ayodxS1k/U15mnb8slY73ABmOnvYnBNw1MnSSZkSMprKXXlyfXX4c
2T1ngrNrqm1UEY4P9eOytFNF0iYd2+wy8yNRoknCurUsA1y67iZkAU2GZ+Np6sU2
ALm7afl0IbLgIkJ7vkiq
=dRHv
-----END PGP SIGNATURE-----

Message #130 received at 557948@bugs.debian.org (full text, mbox, reply):

From: Hector Oron <hector.oron@gmail.com>

To: Debian Bug Tracking System <557948@bugs.debian.org>

Subject: Re: hello, bug fix: make g+s and gid mail for /usr/sbin/ssmtp

Date: Mon, 12 Apr 2010 13:46:48 +0200

Hello,

>  If this mail gets to you, I have fixed this problem thanks to Myon by making
> /usr/sbin/ssmtp gid mail and g+s
>
> -rwxr-sr-x 1 root mail 36168 24 nov 04:33 /usr/sbin/ssmtp

I forgot to mention that I have /etc/ssmtp/ssmtp.conf like this:

$ ls -l /etc/ssmtp/ssmtp.conf
-rw-r----- 1 root mail 802 12 abr 13:22 /etc/ssmtp/ssmtp.conf

-- 
 Héctor Orón

"Our Sun unleashes tremendous flares expelling hot gas into the Solar
System, which one day will disconnect us."

Send a report that this bug log contains spam.