Date:      Thu, 12 Apr 2012 08:17:33 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-questions@FreeBSD.org
Subject:   Re: Sendmail recommended permissions for apache/php server
Message-ID:  <4F86818D.8000402@FreeBSD.org>
In-Reply-To: <20120412034932.b6b7de0a.freebsd@edvax.de>
References:  <AC28A3ECE8FFEA4CAE20B2B79FDB8F709B6DDB@server01.msdi.local> <20120412034932.b6b7de0a.freebsd@edvax.de>


On 12/04/2012 02:49, Polytropon wrote:
> On Wed, 11 Apr 2012 23:57:51 +0000, Ian Lord wrote:
>> > I then got a different error in /var/log/messages
>> > Apr 11 19:38:40 dev sendmail[41170]: NOQUEUE: SYSERR(www): can not write to queue directory /var/spool/clientmqueue/ (RunAsGid=0, required=25): Permission denied

>> > I found very old threads saying to change the group of apache
>> > to "smmsp" but I doubt it's a good idea.

> No, not "change to", but you can _add_ apache (or whatever is
> originating the error) to the smmsp group. Add it to "smmsp:*:25:"
> in /etc/group.

You should not be changing the ownership and permissions on any of the
directories used by sendmail(8), or the group membership of any of the
groups used by sendmail.  Not even if you think you know what you are
doing.  This is extremely security sensitive, and getting it wrong means
at minimum unprivileged users can forge e-mails untraceably[*].

There is no reason for apache to have any sort of write permissions to
/var/spool/clientmqueue -- that should only be accessible to sendmail,
and sendmail is the only program that should ever use it.

To the OP -- can you execute sendmail outside PHP?  If you can use
mail(1) to send a test e-mail, then sendmail should be fine.  Note: test
this as an unprivileged user.

What are the permissions on /usr/libexec/sendmail/sendmail ? They should
look like this:

% ls -la /usr/libexec/sendmail/sendmail
-r-xr-sr-x  1 root  smmsp  662136 Apr  1 08:38 /usr/libexec/sendmail/sendmail

If that all checks out, then the problem is with PHP rather than your
sendmail installation.  There are several different ways PHP might be
programmed to send e-mail; perhaps you could describe how your
particular application tries to do it?

	Cheers,

	Matthew

[*] So what? you might think.  Until you get an e-mail request from your
boss to provide sensitive information to some contractor you don't
really know.

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
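
Added example (not part of the message above, and not FreeBSD's own tooling): a read-only sh audit of the three things this thread touches, namely the mode and ownership shown in the ls output, access for "other" on /var/spool/clientmqueue, and the member list of the smmsp line in /etc/group. The function names are hypothetical, and the "no access for other" test is an assumption drawn from the statement that only sendmail should use that directory.

```shell
#!/bin/sh
# Helpers take text (an `ls -ld` line, an /etc/group line) rather than paths,
# so they behave the same on live output and on constructed samples.

# ls_matches LINE MODE OWNER GROUP
# True only if the ls line carries exactly this mode string, owner and group.
# Only the first 10 mode characters are compared, so an ACL marker is ignored.
ls_matches() {
    printf '%s\n' "$1" | awk -v m="$2" -v o="$3" -v g="$4" \
        '{ ok = (substr($1, 1, 10) == m && $3 == o && $4 == g) } END { exit !ok }'
}

# no_world_access LINE
# True only if the "other" permission triplet is ---; an empty line fails.
no_world_access() {
    printf '%s\n' "$1" | awk \
        '{ ok = (substr($1, 8, 3) == "---") } END { exit !ok }'
}

# group_extra_members LINE
# Prints the member list (4th field) of an /etc/group line; empty means none.
group_extra_members() {
    printf '%s\n' "$1" | awk -F: '{ print $4 }'
}

# audit_sendmail: run the checks against the paths named in the thread.
# Changes nothing; prints one line per finding and returns 1 if any failed.
audit_sendmail() {
    bin=/usr/libexec/sendmail/sendmail
    queue=/var/spool/clientmqueue
    rc=0
    ls_matches "$(ls -ld "$bin" 2>/dev/null)" -r-xr-sr-x root smmsp ||
        { echo "FAIL: $bin is not -r-xr-sr-x root:smmsp"; rc=1; }
    no_world_access "$(ls -ld "$queue" 2>/dev/null)" ||
        { echo "FAIL: $queue is missing or accessible to 'other'"; rc=1; }
    members=$(group_extra_members "$(grep '^smmsp:' /etc/group 2>/dev/null)")
    [ -z "$members" ] ||
        { echo "FAIL: smmsp group has members: $members"; rc=1; }
    return "$rc"
}

# Run the live audit only when asked: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_sendmail
fi
```

A web server account such as www showing up in the smmsp member list, or a queue directory that has been opened to "other", is the kind of change the message advises against.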






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4F86818D.8000402>