Arpwatch package break email notifications from other sources
Arpwatch replaces /usr/sbin/sendmail with a symlink to a PHP script that specifically mentioned Arpwatch in the message subject:
This causes notifications from ACME (run by CRON) to come with subjects like this:
wall.example.com - Arpwatch Notification : Cron <root@wall> /usr/local/pkg/acme/acme_command.sh "renewall"
#1 Updated by Jim Pingle over 2 years ago
- Category set to arpwatch
- Priority changed from Normal to Very Low
I wouldn't say those are broken. Those cron notifications didn't work at all without the symlink setup by arpwatch. Firewalls without that package would never see those e-mails since the base system doesn't have a mail program at that location.
So it enables those other notifications, but they are mislabeled.
Notifications using the pfSense SMTP notifications settings, sent by pfSense code and not enabled by that symlink, still work properly.
#2 Updated by Yehuda Katz over 2 years ago
Makes sense since all that sendmail script does is call the internal mail handling.
I see three options:
1. Change the sendmail supplied by arpwatch to be more generic (and possibly add the same to the cron package)
2. Add a separate pfSense-pkg-sendmail
3. Add a generic sendmail script to the core.
I would be happy to supply a patch for any of those. Do you have a preference?
#4 Updated by Jim Pingle over 2 years ago
There is no "stepping on other notifications".
It was not seen before because there was no "sendmail" on the box for cron to use. It doesn't need it, but if it's there it will use it. ACME doesn't need cron to send notifications. The mail message noted above is from cron, not ACME. In this case it only sent a message because the cron script generated some output that it probably didn't need to do, which resulted in the cron message.
arpwatch notifications can't work any other way than by using sendmail as far as I'm aware. If there is some other way to handle them, I'd love to see it.
#5 Updated by Matt Castelein over 2 years ago
It's stepping on it in that it's putting "arpwatch" on an email that has nothing to do with arpwatch.
I'd actually prefer to be able to stop cron sending mail. I guess I can do this by installing the Cron package. Then I can redirect the output to null, and the changes will survive a reboot.
#6 Updated by Joshua Diamant about 2 years ago
I am also having this issue now that I installed arpwatch. I am starting to get emails from cron and other packages since arpwatch created '/bin/sbin/sendmail'
Can we change arpwatch so it installs a local sendmail script in a non-standard directory?
If not, can we change arpwatch to use mailreport instead of /bin/sbin/sendmail?
#8 Updated by Joshua Diamant about 2 years ago
Jim Pingle wrote:
Arpwatch cannot be configured to use an alternate sendmail or mail delivery mechanism.
Cant we edit line 23 of the arpwatch.inc file (https://github.com/pfsense/FreeBSD-ports/blob/015971be238550a1f9aa060fe5ed93849c01572e/net-mgmt/pfSense-pkg-arpwatch/files/usr/local/pkg/arpwatch.inc#L23) to point to something other than '/usr/sbin/sendmail'
Can we point it to '/usr/sbin/sendmail-arpwatch' which symlinks to /usr/local/arpwatch/sendmail_proxy.php
#10 Updated by Yehuda Katz about 2 years ago
The Debian port of Arpwatch allows you to specify a different sendmail program, but I don't think that is in the version available here.
Also on Linux, there are several different ways to get the name of the calling process and use that in the script, but I am not sure how to do that in BSD.
If anyone knows, I would be happy to write a sendmail script that can use that information to send better emails.
#11 Updated by Ter Ted about 1 year ago
This issue forced me to uninstall arpwatch, as I can't just handle receive tons of emails from other daemons (like ClamAV) send as Arpwatch. I haven't got any issues before I install Arpwatch. It could be easily fixed by removing/redirecting notifications in cron, but PFSesne doesn't allow to edit cron (it doesn't survive reboot). It was very annoying, I don't understand why it can't be fixed.