how do I see security logs without turning on sendmail?

[Jerry McAllister]

On Wed, Dec 13, 2006 at 10:51:36PM -0600, Lane wrote:

> Tuareg,
> 
> I can't find the name of the quy who straightened me out on the fuction of 
> squid, but kudo's to him.  
> 
> Clearly squid is not the culprit.
> 
> But I've done some eyeballing on /usr/sbin/periodic, and I think maybe it is 
> the culprit.
> 
> First lets have a look at your /etc/crontab file.  Specifically we are 
> interested in the lines which contain the term "periodic"
> 
> If these lines include parameters, which are passed to /usr/sbin/periodic, 
> then they may be the reason for your periodic emails being sent WITHOUT 
> sendmail being enabled by the normal boot process.
> 
> Take a look at /usr/sbin/periodic.  Note that it uses values 
> in /etc/defaults/periodic.conf as well as any override variables 
> in /etc/rc.conf.  It could also be overridden in other ways such as by 
> defining the value "source_periodic_confs_defined" and "periodic_conf_files" 
> but this should have already showed up in /etc/rc.conf.
> 
> While you are examining /usr/sbin/periodic, look for the term "output"
> 
> In my copy of that script there is a comment that looks like:
> 
> #Where's our output going?
> 
> Then there is a "case" block:
> 
>     case "$output" in
>     /*) pipe="cat >>$output";;
>     "") pipe=cat;;
>     *)  pipe="mail -s '$host ${arg##*/} run output' $output";;
>     esac
> 
> 
> If your predecessor had modified this script or, perhaps overridden it 
> using /etc/defaults/periodic.conf, then he may have either changed the *) 
> default case, or supplied parameters from /etc/crontab 
> (or /etc/defaults/periodic.conf) which could invoke sendmail directly.  If he 
> used override variables, then he would probably also have added a case for ) 
> pipe="sendmail -<arg1> <arg2> <argn>"
> 
> This would account for sendmail being completely disabled in /etc/rc.conf AND 
> for the messages being sent out via sendmail.  However, as I read it, the 
> behaviour you have reported would only occur if /usr/sbin/periodic was 
> actually modified, as the use of the "$output" variables does NOT seem to 
> allow for invocation of sendmail directly.  And I don't believe that "mail" 
> can force invocation of sendmail (although I may be wrong, as the man page 
> does imply that mail will use any means available to get the message out).
> 
> If this is the case (i.e. if "mail" is invoking sendmail directly) you could 
> check it by trying to send mail from the command line on one of the servers 
> that actually does what you want it to do.  If it works, and if there are NO 
> modifications to /usr/sbin/periodic or override defaults 
> in /etc/defaults/periodic.conf, then it will be safe to assume that 
> this "feature" has been properly quashed in 6.x.  You would then need to 
> follow the procedures for setting up sendmail for outgoing-only, as many have 
> already recommended.

I haven't followed this whole thread so I may be jumping in to the
wrong place, but...
Somewhere it is documented - I have read it - that various utilities
such as mail invoke single instances of sendmail to transfer their
 _outgoing only_ messages.   I think, in those cases, sendmail clears
the mail queue before going away.   They do not start sendmail as a
daemon or to receive email.

Probably some searching will find that documentation.

////jerry

> 
> In any case, the behaviour you desire would only work properly by making the 
> appropriate changes to /etc/mail/<hostname|freebsd>.mc, (i.e. SMART_HOST 
> and/or HUB settings), and then running "make install" in /etc/mail. (And this 
> is always going to be the case where sendmail is concerned)
> 
> I hope this information leads you to a resolution, as it has been a great 
> learning experience for me ... but my brain hurts :)
> 
> lane
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"