Date: Thu, 12 Apr 2012 03:49:32 +0200
From: Polytropon <freebsd@edvax.de>
To: Ian Lord <lordi@msdi.ca>
Cc: "'freebsd-questions@freebsd.org'" <freebsd-questions@freebsd.org>
Subject: Re: Sendmail recommended permissions for apache/php server
Message-ID: <20120412034932.b6b7de0a.freebsd@edvax.de>
In-Reply-To: <AC28A3ECE8FFEA4CAE20B2B79FDB8F709B6DDB@server01.msdi.local>
References: <AC28A3ECE8FFEA4CAE20B2B79FDB8F709B6DDB@server01.msdi.local>
On Wed, 11 Apr 2012 23:57:51 +0000, Ian Lord wrote:
> I then got a different error in /var/log/messages
> Apr 11 19:38:40 dev sendmail[41170]: NOQUEUE: SYSERR(www): can not write to queue directory /var/spool/clientmqueue/ (RunAsGid=0, required=25): Permission denied
>
> I found very old threads saying to change the group of apache
> to "smmsp" but I doubt it's a good idea.

No, not "change to", but you can _add_ apache (or whatever
is originating the error) to the smmsp group. Add it to
"smmsp:*:25:" in /etc/group.

See the error message above:

	"can not write to queue directory /var/spool/clientmqueue/"

Check:

	% ls -ld /var/spool/clientmqueue
	drwxrwx---  2 smmsp  smmsp  512 Apr 12 03:12 /var/spool/clientmqueue/
	    ^^^

This directory can be read, written and entered/searched
by _members_ of the smmsp group.

Back to the error message:

	"(RunAsGid=0, required=25)"

It is indicated that group #25 (smmsp) is the required GID,
not 0. And:

	"Permission denied"

which is the logical conclusion.

Conclusion: You must make sure that whatever needs to access
this directory is in the smmsp group (25).

> Chmodding 777 the /var/spool/clientmqueue/ fixed the problem,
> I can now send emails, but I wonder if this is the way to fix
> the issue correctly.

You shouldn't need to do that. Now this directory can be
modified by anyone, that's not good.

> Is that the official fix or did I miss some configuration
> somewhere ? Sending emails from php using mail or sendmail
> should be something working out of the box I guess, I doubt
> we're supposed to change permissions to make it work

Correct. In regards of _security_, it's required to _allow_
the corresponding program / functionality / part of apache /
mailer or whatever the access to the mail queue. This is
something that is _not_ possible out of the box because
there are many possibilities and security considerations.

> Any help would be appreciated.

Try to add apache (or whatever part of it, or PHP subsystem
called by it that needs to access the mail queue) to the
required group to give it the proper permission to do so.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
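
The check walked through in the reply above, written out as an added example that is not part of the original message: it reads the mode string and owning group the way `ls -ld` prints them and reports whether the submitting user gets in through group membership or only because the directory is world-writable. The function names classify and audit_queue are made up for this example; the user www and group smmsp come from the error message, and the group lists passed in the sample calls are constructed.

```sh
#!/bin/sh
# Added example, not from the original message.
# classify MODE GROUP USER_GROUPS
#   MODE:        mode string from `ls -ld` (e.g. drwxrwx---)
#   GROUP:       group owning the directory (e.g. smmsp)
#   USER_GROUPS: space-separated groups of the submitting user
# Prints: world-writable | group-not-writable | not-in-group | ok
classify() {
    c_mode=$1; c_group=$2; c_user_groups=$3
    # Characters 6 and 9 of the mode string are group-write and other-write.
    if [ "$(printf '%s' "$c_mode" | cut -c9)" = "w" ]; then
        echo world-writable; return 0
    fi
    if [ "$(printf '%s' "$c_mode" | cut -c6)" != "w" ]; then
        echo group-not-writable; return 0
    fi
    for g in $c_user_groups; do
        if [ "$g" = "$c_group" ]; then echo ok; return 0; fi
    done
    echo not-in-group
}

# audit_queue DIR USER: read the live mode, group and memberships, then classify.
audit_queue() {
    a_line=$(ls -ld "$1" 2>/dev/null) || { echo missing; return 0; }
    a_groups=$(id -Gn "$2" 2>/dev/null) || { echo no-such-user; return 0; }
    a_mode=$(printf '%s\n' "$a_line" | awk '{print $1}')
    a_group=$(printf '%s\n' "$a_line" | awk '{print $4}')
    classify "$a_mode" "$a_group" "$a_groups"
}

# Constructed inputs mirroring the thread: the directory as listed in the
# reply, the "www" user from the SYSERR line, and the chmod 777 workaround.
classify drwxrwx--- smmsp "www"          # not-in-group
classify drwxrwx--- smmsp "www smmsp"    # ok
classify drwxrwxrwx smmsp "www"          # world-writable

# On the affected host (path and user taken from the error message):
#   audit_queue /var/spool/clientmqueue www
```
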