Bug 1158493

Summary: smartmontools update pulls in ssmtp and makes cron job output open to the public network
Product: [Fedora] Fedora
Reporter: Robert Marcano <robert>
Component: smartmontools
Assignee: Michal Hlavinka <mhlavink>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: mhlavink, moez.roy
Hardware: Unspecified
OS: Unspecified
Fixed In Version: smartmontools-6.3-3.fc22
Doc Type: Bug Fix
Last Closed: 2015-01-14 09:29:58 UTC
Type: Bug

Description Robert Marcano 2014-10-29 13:51:15 UTC
An old update pulled in ssmtp as a dependency:

Apr 20 19:06:14 Installed: ssmtp-2.64-11.fc20.x86_64
Apr 20 19:06:15 Updated: 1:smartmontools-6.2-5.fc20.x86_64

ssmtp's default configuration is to send all mail to a host named mail. If there is a host with that name in your domain, all your cron output is sent to a probably random server; it could be your ISP's mail server, for example.

Fedora 20 documentation promotes the feature of having no MTA installed by default, so all cron job output was logged locally and not sent to a local delivery agent. This update opened all workstations without an MTA to leaking cron output to random servers.

I personally think that using ssmtp is not a problem by itself, but that ssmtp should not be configured with a random server; it should require user intervention to define which server to use. However, the ssmtp bug 1157727 related to this problem doesn't consider it a security problem to have bad defaults. So the other option is to revert the change in smartmontools that requires a mailer.

There is another send-only package providing /usr/sbin/sendmail, esmtp, but this one is not maintained anymore (according to its web site).

I sent an email to the devel list in case more discussion is needed: https://lists.fedoraproject.org/pipermail/devel/2014-October/203781.html. No responses yet.

redhat-lsb pulls in ssmtp too, so there should be some kind of discussion of what to do before I post another bug for redhat-lsb: use another mailer, remove the dependencies, or change the ssmtp defaults.

The security flag was removed from the ssmtp bug, so I am not flagging this one like that, but I still think this is a security problem.
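An added check, not part of the bug report, for the default the report describes: it audits an ssmtp.conf for a relay (`mailhub`) that is unset or a bare single-label name such as `mail`, which the resolver completes with the current network's search domain. The two sample configs and their file names are constructed for the example.

```shell
# check_ssmtp_mailhub FILE
# Exit status 0: the relay is an explicit destination (dotted name, IPv4
# or IPv6 literal). Exit status 1: mailhub is missing or a single label,
# so mail from cron follows whatever host answers to that name on the
# network the machine is currently on.
check_ssmtp_mailhub() {
    conf="$1"
    # take the last uncommented mailhub= line and drop an optional :port
    hub=$(sed -n 's/^[[:space:]]*mailhub=[[:space:]]*//p' "$conf" \
          | tail -n 1 | sed 's/:[0-9][0-9]*$//')
    case "$hub" in
        '')        return 1 ;;   # nothing configured: ssmtp falls back to "mail"
        *.*|*:*)   return 0 ;;   # FQDN, IPv4 literal or IPv6 literal
        *)         return 1 ;;   # bare label: depends on the resolver's search list
    esac
}

# Constructed sample configs (hypothetical, not the files from the report).
weak_conf=$(mktemp)
cat >"$weak_conf" <<'EOF'
# shipped default: a bare host name
root=postmaster
mailhub=mail
EOF

fixed_conf=$(mktemp)
cat >"$fixed_conf" <<'EOF'
root=postmaster
mailhub=smtp.example.org:587
EOF

for f in "$weak_conf" "$fixed_conf"; do
    if check_ssmtp_mailhub "$f"; then
        echo "$f: relay explicitly configured"
    else
        echo "$f: relay unset or unqualified; cron mail may leave this host"
    fi
done
```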

Comment 1 Robert Marcano 2014-10-29 13:59:27 UTC
I forgot to say that this was discovered by chance, as explained in the devel list email. My laptop had spent months sending emails from my cron jobs to random servers. I received the email because one of those jobs ran when I was near a server named mail that I manage, so the root email was forwarded to me.