Sendmail recommended permissions for apache/php server

Ian Lord lordi at msdi.ca
Thu Apr 12 13:39:35 UTC 2012


>You should not be changing the ownership and permissions on any of the
>directories used by sendmail(8), or the group membership of any of the
>groups used by sendmail.  Not even if you think you know what you are
>doing.  This is extremely security sensitive, and getting it wrong means
>at minimum unprivileged users can forge e-mails untraceably[*].

That's what I thought. I found it to work but preferred to ask on the list since it didn't make sense to me :)

>To the OP -- can you execute sendmail outside PHP?  If you can use
>mail(1) to send a test e-mail, then sendmail should be fine.  Note: test
>this as an unprivileged user.

No, it doesn't work. I just tried it:
%mail -s Hello lordi at msdi.ca
Hello !
.
EOT
%WARNING: RunAsUser for MSP ignored, check group ids (egid=0, want=25)
can not chdir(/var/spool/clientmqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.
Apr 12 08:47:08 dev sendmail[94980]: NOQUEUE: SYSERR(msdi): can not chdir(/var/spool/clientmqueue/): Permission denied

>What are the permissions on /usr/libexec/sendmail/sendmail ? They should
>look like this:
>% ls -la /usr/libexec/sendmail/sendmail
>-r-xr-sr-x  1 root  smmsp  662136 Apr  1 08:38 /usr/libexec/sendmail/sendmail

# ls -al /usr/libexec/sendmail/sendmail
-r-xr-sr-x  1 root  wheel  707160 Jan  3 02:57 /usr/libexec/sendmail/sendmail

So the group is wrong... I changed it from wheel to smmsp and everything works fine now!

Thanks a lot for the fix, but this server is a clean install of 9.0-RELEASE that I installed about 2-3 months ago. I never changed the permissions myself on that file, so I guess there is something wrong that would need to be fixed (unless it's already fixed in newer versions).

Thanks again

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ian Lord
MSD Informatique
143 Rue des Fauvettes
St-Colomban (Québec) J5K 0E2
Tél: (514) 776-MSDI              -> (514) 776-6734
Sans Frais: 1(877) 776-MSDI -> 1(877) 776-6734
http://www.msdi.ca
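
The ownership check discussed in this thread, written as a small audit script. This is an added example, not part of the original message; the function name check_msp_line is hypothetical, and the expected owner, group and mode are taken from the `ls -la` listing quoted above.

```shell
#!/bin/sh
# Added example: audit the sendmail MSP binary's owner, group and mode.
# Expected values come from the listing quoted in the thread:
#   -r-xr-sr-x  1 root  smmsp  ...  /usr/libexec/sendmail/sendmail

# check_msp_line LINE [GROUP]  (hypothetical helper)
# Parses one `ls -l` line, prints findings, returns 0 only if all checks pass.
check_msp_line() {
    line=$1
    want_group=${2:-smmsp}
    # Fields of an ls -l line: mode, link count, owner, group, rest.
    read -r mode _links owner group _rest <<EOF
$line
EOF
    rc=0
    # Mode string layout: type, user rwx (2-4), group rwx (5-7), other rwx (8-10).
    # Character 7 is the group-execute slot; 's' there means setgid + execute.
    gx=$(printf '%s' "$mode" | cut -c7)
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gx" != "s" ]; then
        echo "FAIL: setgid bit not set (mode $mode)"; rc=1
    fi
    if [ "$owner" != "root" ]; then
        echo "FAIL: owner is $owner, expected root"; rc=1
    fi
    # Setgid to the wrong group is the failure seen in this thread:
    # the process ran with egid 0 (wheel) instead of smmsp.
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group"; rc=1
    fi
    # A setgid binary must not be writable by group or other.
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "FAIL: writable by group or other (mode $mode)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $mode $owner:$group"
    return "$rc"
}

# Live check, run only where the binary exists (path from the thread).
bin=/usr/libexec/sendmail/sendmail
if [ -e "$bin" ]; then
    check_msp_line "$(ls -l "$bin")"
fi
```

Fed the two listings from this thread, the function accepts the root:smmsp line and reports the root:wheel line as a group mismatch.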





More information about the freebsd-questions mailing list