OpenBSD Journal

Apache chroot and mail

Contributed by jose on from the secure-web-transactions dept.

Brian Camp has posted notes on getting a functional mini_sendmail and PHP system working with Apache's chroot default in OpenBSD. According to other people in the thread, a more secure solution is to have the Apache webmail system send all mail via a connection back to itself on loopback to port 25, which keeps the chroot security as enhanced as possible. This doesn't require any fork() and exec() of the sendmail process during PHP's mail() function. Anyone have any other notes they can share on this subject? Secure webmail sounds like a useful recipe to have.

(Comments are closed)


Comments
  1. By Eduardo Alvarenga () eduardo at thrx dot dyndns dot org on mailto:eduardo at thrx dot dyndns dot org

    I've recetly tryied using mini_sendmail but got lots of problems:

    1-> mini_sendmail doesn't compiles well, I had to pull some patches from NetBSD (anyone interested in my personal OpenBSD port?)
    2-> mini_sendmail only accepts mail from stdin, making some webmail systems (like PHP-Nuke's) unusable since the message is written according to the mail() function syntax.
    3-> mini_sendmail is not so user friendly. Sometimes it gives me strange and nonsense error messages, but on the next try it works wonderfully....

    I've managed this problem by installing mini-qmail on the /var/www chroot, using my main qmail server as the relay host via QMQP.

    It's now working wonderfully, and after all, the mail headers are now correctlly written comparing to mini-sendmail generated ones.

  2. By Wouter () on

    I don't use mini_sendmail, because you have to copy /bin/sh into the chroot.

    Is it possible to use this mini_qmail for postfix (assuming it doesn't need any libs)? :)

    Comments
    1. By Anonymous Coward () on

      mini_sendmail doesnt need /bin/sh, php's mail function uses system() which requires /bin/sh.

      I'm suprised that no one has complained about the writable /tmp required by php. Seems to me that it would have a greater impact on security than a jailed sh binary.

      Comments
      1. By Anonymous Coward () on

        I don't really see the problem with that, as long as you set your fstab right :)

        (nostab, nodev etc)

  3. By dlg () dlg+obsdj@dorkzilla.org on http://www.dorkzilla.org/~dlg

    squirrelmail 1.4.0 works just fine from chroot if you tell it to use SMTP server 127.0.0.1:25 to send mail.

    Comments
    1. By Anonymous Coward () on

      this comment changed my life...

      Comments
      1. By dlg () dlg+deadly@dorkzilla.org on http://www.dorkzilla.org/~dlg

        the point, my dear troll, is that the original post says "Secure webmail sounds like a useful recipe to have." which seems to me that the poster believes this is difficult, or not possible without breaking chroot. therefore, my comment: it's trivial.

        carry on.

  4. By Dave Steinberg () rt@redterror.net on http://www.redterror.net

    I've also made mention of mini-qmail in the apache chroot on the lists. For those curious, I have some info here along with a port of mini-qmail and a bunch of other crap. Comments/Questions welcome. Note: requires a full-qmail installation living somewhere else.

    Comments
    1. By Eduardo Alvarenga () eduardo at thrx dot dyndns dot org on mailto:eduardo at thrx dot dyndns dot org

      I've managed my mini-qmail installation according to your instructions (+ some make-mini-qmail-chroot.sh fixes). The installation is trivial, the users are created, the jail is created on /var/www, the tests are made. Ok, no problem at all...

      After I was convinced It was working perfectlly I've removed the /var/qmail directory, the qmail*/alias users and mini-qmail (pkg_delete mini-qmail) and mini-qmail worked like a charm ;-) ON the chroot.

      Nice job!

    2. By HillG () on

      I'm not able to make it work.
      now following command works fine.

      echo "xxxx@xxx.xxx" | /var/www/bin/qmail-inject

      but when it comes to executing using php's mail() function ,it does not work.

      should I change the sendmail_path in php.ini ?
      or anything should I check ?

      Comments
      1. By Eduardo Alvarenga () eduardo at thrx dot dyndns dot org on mailto:eduardo at thrx dot dyndns dot org

        You should have /bin/sh in /var/www/bin (simply copy it) and change the sendmail_path variable to "/var/qmail/bin/qmail-inject" in your php.ini file.

        Comments
        1. By HillG () on

          Thanks!!
          but I could not work it out.
          maybe something was wrong in installing qmail process.
          I'll try reinstall in clean environment when I need it.
          (althogh I feel that mini-qmail is a good solution for sending mail in chrooted Apache with php. but installing shell is a bit disappointing.
          My first purpose was to install XOOPS(ver.1.3.10) and make it work but now I could successfully customize it with the help of phpmailer.and now it works great on chrooted Apache.
          after all,Thak you for providing a valuable information!


  5. By Bryan () anonymous@coward.net on mailto:anonymous@coward.net

    PHP can loopback to localhost on port 25.

    like this:
    #set the variable on the fly in your script
    ini_set("SMTP", "localhost");

    #email like this
    #taken from mail() doc's
    mail("rasmus@lerdorf.on.ca", "My Subject", "Line 1nLine 2nLine 3");

    Comments
    1. By Eduardo Alvarenga () eduardo at thrx dot dyndns dot org on mailto:eduardo at thrx dot dyndns dot org

      Taken from mail() reference manual:

      --
      SMTP string

      Used under Windows only: DNS name or IP address of the SMTP server PHP should use for mail sent with the mail() function.
      --

  6. By Todd T. Fries () todd@fries.net on http://FreeDaemonConsulting.com

    Has anyone configured horde/imp to use the php
    mail() function?

    I know it shouldn't be difficult, but here's to
    not re-inventing the wheel! (and perhaps a
    submission to ports/mail/imp...)

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]