Project

General

Profile

Actions

Bug #8454

open

Arpwatch package break email notifications from other sources

Added by Yehuda Katz almost 6 years ago. Updated about 1 year ago.

Status:
New
Priority:
Very Low
Assignee:
-
Category:
arpwatch
Target version:
-
Start date:
04/12/2018
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.4.3
Affected Plus Version:
Affected Architecture:
All

Description

Arpwatch replaces /usr/sbin/sendmail with a symlink to a PHP script that specifically mentioned Arpwatch in the message subject:
https://github.com/pfsense/FreeBSD-ports/blob/015971be238550a1f9aa060fe5ed93849c01572e/net-mgmt/pfSense-pkg-arpwatch/files/usr/local/pkg/arpwatch.inc#L217

This causes notifications from ACME (run by CRON) to come with subjects like this:

wall.example.com - Arpwatch Notification : Cron <root@wall> /usr/local/pkg/acme/acme_command.sh "renewall"

Actions #1

Updated by Jim Pingle almost 6 years ago

  • Category set to arpwatch
  • Priority changed from Normal to Very Low

I wouldn't say those are broken. Those cron notifications didn't work at all without the symlink setup by arpwatch. Firewalls without that package would never see those e-mails since the base system doesn't have a mail program at that location.

So it enables those other notifications, but they are mislabeled.

Notifications using the pfSense SMTP notifications settings, sent by pfSense code and not enabled by that symlink, still work properly.

Actions #2

Updated by Yehuda Katz almost 6 years ago

Makes sense since all that sendmail script does is call the internal mail handling.

I see three options:
1. Change the sendmail supplied by arpwatch to be more generic (and possibly add the same to the cron package)
2. Add a separate pfSense-pkg-sendmail
3. Add a generic sendmail script to the core.

I would be happy to supply a patch for any of those. Do you have a preference?

Actions #3

Updated by Matt Castelein over 5 years ago

I don't like how this works either. The arpwatch package shouldn't be stepping on other notifications. Additionally, if ACME is supposed to be able to send notifications but cannot, that's a defect as well.

Actions #4

Updated by Jim Pingle over 5 years ago

There is no "stepping on other notifications".

It was not seen before because there was no "sendmail" on the box for cron to use. It doesn't need it, but if it's there it will use it. ACME doesn't need cron to send notifications. The mail message noted above is from cron, not ACME. In this case it only sent a message because the cron script generated some output that it probably didn't need to do, which resulted in the cron message.

arpwatch notifications can't work any other way than by using sendmail as far as I'm aware. If there is some other way to handle them, I'd love to see it.

Actions #5

Updated by Matt Castelein over 5 years ago

It's stepping on it in that it's putting "arpwatch" on an email that has nothing to do with arpwatch. I'd actually prefer to be able to stop cron sending mail. I guess I can do this by installing the Cron package. Then I can redirect the output to null, and the changes will survive a reboot.

Actions #6

Updated by Joshua Diamant over 5 years ago

I am also having this issue now that I installed arpwatch. I am starting to get emails from cron and other packages since arpwatch created '/bin/sbin/sendmail'

Can we change arpwatch so it installs a local sendmail script in a non-standard directory?

If not, can we change arpwatch to use mailreport instead of /bin/sbin/sendmail?

Actions #7

Updated by Jim Pingle over 5 years ago

Arpwatch cannot be configured to use an alternate sendmail or mail delivery mechanism.

Actions #8

Updated by Joshua Diamant over 5 years ago

Jim Pingle wrote:

Arpwatch cannot be configured to use an alternate sendmail or mail delivery mechanism.

Cant we edit line 23 of the arpwatch.inc file (https://github.com/pfsense/FreeBSD-ports/blob/015971be238550a1f9aa060fe5ed93849c01572e/net-mgmt/pfSense-pkg-arpwatch/files/usr/local/pkg/arpwatch.inc#L23) to point to something other than '/usr/sbin/sendmail'

Can we point it to '/usr/sbin/sendmail-arpwatch' which symlinks to /usr/local/arpwatch/sendmail_proxy.php

Actions #9

Updated by Jim Pingle over 5 years ago

No, because that only manages the name of the link created by the script, it does not control what arpwatch uses.

Actions #10

Updated by Yehuda Katz over 5 years ago

The Debian port of Arpwatch allows you to specify a different sendmail program, but I don't think that is in the version available here.
Also on Linux, there are several different ways to get the name of the calling process and use that in the script, but I am not sure how to do that in BSD.
If anyone knows, I would be happy to write a sendmail script that can use that information to send better emails.

Actions #11

Updated by Ter Ted over 4 years ago

This issue forced me to uninstall arpwatch, as I can't just handle receive tons of emails from other daemons (like ClamAV) send as Arpwatch. I haven't got any issues before I install Arpwatch. It could be easily fixed by removing/redirecting notifications in cron, but PFSesne doesn't allow to edit cron (it doesn't survive reboot). It was very annoying, I don't understand why it can't be fixed.

Actions #12

Updated by Christian Rhomberg over 4 years ago

Hi, is there a chance this problem will be fixed?

Actions #13

Updated by Beat Siegenthaler over 2 years ago

Ter Ted wrote in #note-11:

It was very annoying, I don't understand why it can't be fixed.

Agree. It is always fun searching solutions for annoying problems an then: Known since "over 3 years"

pfsense.int - Arpwatch Notification : [Zeek] Connection summary from 11:00:00-12:00:00

Actions #14

Updated by → luckman212 over 1 year ago

Is this still current as of 22.05? I just started playing with Arpwatch. What exactly does the "Disable Cron emails" option do? edit: nvm, https://redmine.pfsense.org/issues/11366

Actions #15

Updated by Jan-Peter Koopmann about 1 year ago

I am getting the same problem even though "Disable cron" is on and is correctly referenced in the PHP. It reappeared for me in pfsense+ 23.01.

Actions

Also available in: Atom PDF