Date: Thu, 12 Apr 2012 08:17:33 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@FreeBSD.org
Subject: Re: Sendmail recommended permissions for apache/php server
Message-ID: <4F86818D.8000402@FreeBSD.org>
In-Reply-To: <20120412034932.b6b7de0a.freebsd@edvax.de>
References: <AC28A3ECE8FFEA4CAE20B2B79FDB8F709B6DDB@server01.msdi.local> <20120412034932.b6b7de0a.freebsd@edvax.de>

On 12/04/2012 02:49, Polytropon wrote:
> On Wed, 11 Apr 2012 23:57:51 +0000, Ian Lord wrote:
>> > I then got a different error in /var/log/messages
>> > Apr 11 19:38:40 dev sendmail[41170]: NOQUEUE: SYSERR(www): can not write to queue directory /var/spool/clientmqueue/ (RunAsGid=0, required=25): Permission denied
>> > I found very old threads saying to change the group of apache
>> > to "smmsp" but I doubt it's a good idea.
> No, not "change to", but you can _add_ apache (or whatever is
> originating the error) to the smmsp group. Add it to "smmsp:*:25:"
> in /etc/group.

You should not be changing the ownership and permissions on any of the
directories used by sendmail(8), or the group membership of any of the
groups used by sendmail. Not even if you think you know what you are
doing. This is extremely security sensitive, and getting it wrong means
at minimum unprivileged users can forge e-mails untraceably[*].

There is no reason for apache to have any sort of write permissions to
/var/spool/clientmqueue -- that should only be accessible to sendmail,
and sendmail is the only program that should ever use it.

To the OP -- can you execute sendmail outside PHP? If you can use
mail(1) to send a test e-mail, then sendmail should be fine. Note: test
this as an unprivileged user.

What are the permissions on /usr/libexec/sendmail/sendmail ? They
should look like this:

    % ls -la /usr/libexec/sendmail/sendmail
    -r-xr-sr-x 1 root smmsp 662136 Apr 1 08:38 /usr/libexec/sendmail/sendmail

If that all checks out, then the problem is with PHP rather than your
sendmail installation. There are several different ways PHP might be
programmed to send e-mail; perhaps you could describe how your
particular application tries to do it?

Cheers,

Matthew

[*] So what? you might think. Until you get an e-mail request from your
boss to provide sensitive information to some contractor you don't
really know.

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
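
The checks described in the message above, as an added read-only audit script that is not part of the original e-mail: it verifies that the sendmail binary is `-r-xr-sr-x root smmsp`, that /var/spool/clientmqueue grants nothing to other users, and that no account has been added to the smmsp line in /etc/group. The function names and the `--run` argument are hypothetical; parsing `ls -ld` output (rather than `stat`) is a choice made here so the helpers behave the same on any POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original message): read-only audit of the
# sendmail permissions described above. Usage: sh audit.sh --run

# ls_fields_match "<ls -ld line>" MODE OWNER GROUP -> 0 if all three match.
ls_fields_match() {
    read -r mode _links owner group _rest <<EOF
$1
EOF
    mode=$(printf '%.10s' "$mode")   # drop a trailing ACL/xattr marker (+ @ .)
    [ "$mode" = "$2" ] && [ "$owner" = "$3" ] && [ "$group" = "$4" ]
}

# other_has_no_access "<ls -ld line>" -> 0 if the "other" triplet is ---.
other_has_no_access() {
    case "$1" in
        ???????---*) return 0 ;;
        *) return 1 ;;
    esac
}

# smmsp_members [GROUPFILE] -> prints the member list of the smmsp entry
# (empty in the stock "smmsp:*:25:" line quoted in the message).
smmsp_members() {
    awk -F: '$1 == "smmsp" { print $4 }' "${1:-/etc/group}"
}

audit() {
    rc=0
    bin=/usr/libexec/sendmail/sendmail      # paths as given in the message
    queue=/var/spool/clientmqueue
    if ! ls_fields_match "$(ls -ld "$bin" 2>/dev/null)" -r-xr-sr-x root smmsp; then
        echo "FAIL: $bin is missing or not -r-xr-sr-x root:smmsp"; rc=1
    fi
    if ! other_has_no_access "$(ls -ld "$queue" 2>/dev/null)"; then
        echo "FAIL: $queue is missing or accessible to other users"; rc=1
    fi
    members=$(smmsp_members)
    if [ -n "$members" ]; then
        echo "FAIL: smmsp has extra members: $members"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: sendmail permissions match the expected layout"
    return "$rc"
}

# Only touch the live system when asked to.
if [ "${1:-}" = "--run" ]; then audit; fi
```

The group check only covers supplementary membership listed in /etc/group; an account whose primary gid is 25 in the password database would need a separate look.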