Sendmail recommended permissions for apache/php server
Matthew Seaman
matthew at FreeBSD.org
Thu Apr 12 07:17:37 UTC 2012
On 12/04/2012 02:49, Polytropon wrote:
> On Wed, 11 Apr 2012 23:57:51 +0000, Ian Lord wrote:
>> > I then got a different error in /var/log/messages
>> > Apr 11 19:38:40 dev sendmail[41170]: NOQUEUE: SYSERR(www): can not write to queue directory /var/spool/clientmqueue/ (RunAsGid=0, required=25): Permission denied
>> > I found very old threads saying to change the group of apache
>> > to "smmsp" but I doubt it's a good idea.
> No, not "change to", but you can _add_ apache (or whatever is
> originating the error) to the smmsp group. Add it to "smmsp:*:25:"
> in /etc/group.
You should not be changing the ownership and permissions on any of the
directories used by sendmail(8), or the group membership of any of the
groups used by sendmail. Not even if you think you know what you are
doing. This is extremely security sensitive, and getting it wrong means
at minimum unprivileged users can forge e-mails untraceably[*].
There is no reason for apache to have any sort of write permissions to
/var/spool/clientmqueue -- that should only be accessible to sendmail,
and sendmail is the only program that should ever use it.
To the OP -- can you execute sendmail outside PHP? If you can use
mail(1) to send a test e-mail, then sendmail should be fine. Note: test
this as an unprivileged user.
What are the permissions on /usr/libexec/sendmail/sendmail ? They should
look like this:
% ls -la /usr/libexec/sendmail/sendmail
-r-xr-sr-x 1 root smmsp 662136 Apr 1 08:38
/usr/libexec/sendmail/sendmail
If that all checks out, then the problem is with PHP rather than your
sendmail installation. There are several different ways PHP might be
programmed to send e-mail; perhaps you could describe how your
particular application tries to do it?
Cheers,
Matthew
[*] So what? you might think. Until you get an e-mail request from your
boss to provide sensitive information to some contractor you don't
really know.
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 267 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20120412/5976b573/signature.pgp
More information about the freebsd-questions
mailing list