Questions about rkhunter with ISPConfig

My understanding is that Rootkit Hunter is optional but strongly recommended. Is that correct?

Is there any reason not to run RKH and chrootkit on the same system?

RKHunter installs Postfix, which is a bit heavy:
Does anyone install another mail transport before RKHunter?
Is there some reason related to ISPConfig that we might want Postfix to be the MTA there?
Is there any reason why we might want to install Postfix separately in the ISPConfig Mail Server component? Or is it just as good to let rkhunter install Postfix? (The apt-get install of postfix later should be ignored but below I have questions about the configuration.)
(Note that if rkhunter is installed during system installation that the Postfix-related notes in Perfect docs are not the same. Someone doing the install should recognize that.)

I understand some admins use ISPProtect (for-fee). And there are many other similar applications. But are there any other packages like RKH that are very commonly used or recommended for use with ISPConfig? As an example, ClamAV is commonly used with ISPConfig and it can do file system scanning.
Please: I'm not looking for open commentary/anecdotes like "I use this". I'm asking about security software that is not in the Perfect docs, but may be commonly used and/or recommended for ISPConfig.

EDIT : Additional questions :
Ref the most recent Perfect guide : Section 6 about installing Postfix.
Should the exact same Postfix instructions be followed in any system where rkhunter is installed with postfix?
And to be very specific, should the specified mail server fqdn reference the actual mail.mydomain.tld? Or, where Postfix is just being added as a MTA/relay, should that be myhost.mydomain.tld? I'm guessing this should be the live/full mail.domain.tld, otherwise, how does it know which server to use for relay?

I'm looking for docs on these topics. Links are certainly welcome.

Thanks!

 

I believe it is not strongly recommended, at least it is not recommended any more strongly than other packages.

No.

That is not actually the case. RKHunger recommends mail-transport-agent, but should work without since it is recommend not depends, and it does not have to be postfix. So if postfix is heavy, install something else. See below:

Code:

# LANG=C apt depends rkhunter
rkhunter
 |PreDepends: debconf (>= 0.5)
  PreDepends: <debconf-2.0>
    cdebconf
    debconf
  Depends: binutils
  Depends: file
  Depends: lsof
  Depends: net-tools
  Depends: ucf (>= 0.28)
  Depends: <perl:any>
    perl
 |Recommends: bsd-mailx
 |Recommends: mailutils
 |Recommends: heirloom-mailx
  Recommends: <mailx>
    bsd-mailx
    mailutils
 |Recommends: <default-mta>
    exim4-daemon-light
  Recommends: <mail-transport-agent>
    citadel-server
    courier-mta
    esmtp-run
    msmtp-mta
    nullmailer
    opensmtpd
    postfix
    qmail-run
    sendmail-bin
    ssmtp
    dma
    exim4-daemon-heavy
    exim4-daemon-light
  Recommends: iproute2
  Recommends: unhide
  Recommends: unhide.rb
 |Recommends: wget
  Recommends: curl
  Suggests: liburi-perl
  Suggests: libwww-perl
  Suggests: powermgmt-base

(Fixed above listing to be in english. It is from Debian 9 Stretch running ISPConfig.)
I can not see how rkhunter, whether installed or not, affects postfix configuration.

 

About rkhunter and the phrase "strongly recommended", OK, I understand the positioning now. I'll rephrase: rkhunter is included in all of the installation guides, and in the control panel Monitor/Logfiles section. So there is a link between ISPConfig and rkhunter that does not exist for other packages. This is an area that I have not found any information about, and ultimately I guess I'll need to get into the code. But, is rkhunter log viewing enabled by a plugin for the Monitor module? If someone installs a different rootkit detector or other security packages, what is the recommended method, if any, to get data from those packages into the Monitor module? Is a PR to the core required, essentially with a copy/edit of one of the other log parsers? As a developer interested in extensibility I'd like to deeply understand this area.

About rkhunter+Postfix - That's FASCINATING! I didn't think to check apt depends. Thank you very much for that approach to understanding some of this. And this explains some of my confusion. In my fresh Ubuntu 20.04 with all updates, postfix is the recommended default, and comparing your environment and mine, heirloom-mailx is not even recommended here, my system installed bsd-mailx.

Something else we learn here : If you install rkhunter there is a dependency for binutils. So if you have a script to install a server with rkhunter (I do) then your personal instructions don't need to include the apt-get install binutils later. Does ISPConfig actually use anything from binutils? I dunno, but it's in the installation guide. Now we know that at least rkhunter requires it, and auto-installs the dependency. It can't hurt to install binutils, but if it's not actually needed by ISPConfig then, like thousands of other packages, then maybe it can be removed from the instructions.

OK, @Taleman, this answers all of the questions. Postfix is not integrated with rkhunter so there is no configuration requirement. It simply needs a relay MTA, doesn't matter which. So my personal preference would be something lighter like esmtp or nullmailer.

To avoid the installation of Postfix, one could pre-install the mailx component and then "apt-get -y --no-install-recommends install rkhunter". I would just be concerned that would result in other missing recommendations that might result in a lack of expected features.

Yeah, each admin needs to decide for himself what needs to be done here. It's not the responsibility of the ISPConfig team/docs to explain every detail of system administration. But when the docs lead in a specific direction and the package links to specific software, then I think more attention is warranted. In this case, the existing docs tell people to install rkhunter but there is nothing about any of this other stuff about recommendations that affect what goes into an admin's system. In the Perfect doc it tells people to remove sendmail and install Postfix. Without this discussion that leaves gaps of information about what exactly ISPConfig needs to work. In the docs that I am writing there are links for more info, and that would include info like this and relevant links. As always, I'm happy to help with this but I need to understand exactly how this is intended to work.

I'm continuing to install/delete servers, compare with docs, and noting places where newer docs can be improved.
Thanks again for patience, information, links, suggestions, and the occasional RTFM where there is one.

$ rkhunter --version
Rootkit Hunter 1.4.6
$ apt depends rkhunter
rkhunter
|PreDepends: debconf (>= 0.5)
PreDepends: <debconf-2.0>
cdebconf
debconf
Depends: binutils
Depends: file
Depends: lsof
Depends: net-tools
Depends: ucf (>= 0.28)
Depends: <perl:any>
perl
|Recommends: bsd-mailx
|Recommends: mailutils
|Recommends: s-nail
Recommends: <mailx>
bsd-mailx
mailutils
|Recommends: <default-mta>
postfix
Recommends: <mail-transport-agent>
citadel-server
courier-mta
esmtp-run
exim4-daemon-light
lsb-invalid-mta
masqmail
msmtp-mta
nullmailer
opensmtpd
qmail-run
sendmail-bin
ssmtp
dma
exim4-daemon-heavy
postfix
Recommends: e2fsprogs
Recommends: iproute2
Recommends: unhide
Recommends: unhide.rb
|Recommends: wget
Recommends: curl
Suggests: liburi-perl
Suggests: libwww-perl
Suggests: powermgmt-base
$

 

After researching the topic, bsd-mailx, heirloom-mailx, nullmailer, postfix, s-nail, and these other related options, I've decided to go for defaults on all systems, and accept Postfix. It's not "that" heavy. It is useful. Configuration is painless. It seems like there is more information about it in these forums than any other MTA/MSA. I don't want to fight with a unique configuration. I'm not qualified. Time is limited. I trust the recommendations of the ISPConfig team (includes the top contributors here). I hope this decision process helps someone.