php mail() function not working

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Tue Oct 7 15:45:37 UTC 2003


On Tue, Oct 07, 2003 at 08:26:17AM -0400, Fraser Campbell wrote:
> On Monday 06 October 2003 19:31, Keith Mastin wrote:
> 
> > As it turned out, it had nothing to do with the code. Postfix-2.0.15
> > wasn't accepting mail from apache, failing with a permission error to
> > write to the postdrop directory. We mucked around with it for a while, and
> > finally came to the conclusion that the only way for this to work now is
> > to add the user apache to the postfix and postdrop groups. I'm still
> > unsure of all the security implications here, but I'm sure there will be
> > something.
> 
> There's no way that apache should be a member of the postdrop group.  The 
> implication is that apache can write directly to the maildrop directory.  A 
> malicious apache process (CGI or whatever) could dump bogus data into the 
> postdrop directory possibly screwing up legitimate email delivery, if it 
> isn't a shared server then the risk is pretty small.  Postfix tries to be 
> smart about security, using multiple processes for each step in delivery, one 
> process not trusting the other so I doubt that the security implications are 
> more serious than a DoS.
> 
> If you read the postfix anatomy documents 
> (http://www.postfix.org/receiving.html) you'll see that /usr/sbin/sendmail 
> invokes postdrop to deliver mail into the maildrop directory.  I suspect that 
> the permissions on your postdrop program are incorrect, they look like this 
> on Debian:
> 
> -r-xr-sr-x    1 root     postdrop     7564 Jul 28 18:58 /usr/sbin/postdrop

Well for exim all I have had to do ever is add: trusted-user: www-data
to the config, to allow apache to send mail pretending to be whatever
user it is sending mail from.  Similar to many mailing list managers
really.  It has no need to have access to anything other than running
mail or sendmail command, with enough trust to specify who the mail is
from.

Lennart Sorensen
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml





More information about the Legacy mailing list