php mail() function not working

Keith Mastin kmastin-PzQIwG9Jn9VAFePFGvp55w at public.gmane.org
Tue Oct 7 18:31:37 UTC 2003


<quote who="Fraser Campbell">
> There's no way that apache should be a member of the postdrop group.
> The implication is that apache can write directly to the maildrop
> directory. A malicious apache process (CGI or whatever) could dump
> bogus data into the postdrop directory possibly screwing up legitimate
> email delivery, if it isn't a shared server then the risk is pretty
> small. Postfix tries to be smart about security, using multiple
> processes for each step in delivery, one process not trusting the other
> so I doubt that the security implications are more serious than a DoS.

We thought it through before leaving it in that state. The option (a fix
found on the internet) was to make postdrop 1777 rather than the 1730 it is
now. I didn't like that option at all.

The server handles quite a few domains, so keeping up with system security
is an issue. The machine is tight with a strong IDS, very little shell
access (myself basically) and is updated as soon as the advisories come
in.

I'm going to have to tighten up the security profile of php so that only
the sites that I personally can check the scripting on can run php
scripts. The syntax to check input is pretty straightforward. If there's
a way to not do this though, I'd be happy to hear about it, and so would
quite a few others who run into the same problem.

> If you read the postfix anatomy documents
> (http://www.postfix.org/receiving.html) you'll see that
> /usr/sbin/sendmail invokes postdrop to deliver mail into the maildrop
> directory. I suspect that the permissions on your postdrop program are
> incorrect, they look like this on Debian:
>
> -r-xr-sr-x    1 root     postdrop     7564 Jul 28 18:58 /usr/sbin/postdrop

My perms are -rwxr-s-r-x root postdrop

I ran post install and permissions tools, had some errors that I asked
about on the postfix list. I guess one has to be a member of a certain
small subset to get an answer on that list for anything outside of simple
configuration or anti-spam hints. I install postfix from sources, had no
issues with the install process.

What is needed is permission for apache/php to be able to call sendmail or
postfix/postdrop without kicking because of permissions errors. Postfix
guys say it's an apache problem, apache/php guys say it's a postfix
problem, but at the end of the day it still doesn't work without making
some kind of permissions adjustment somewhere.



--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
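
An added example, not part of the original post and not Postfix's own code: a
Python check of the three things debated in this thread (the setgid bit on
postdrop, the 1730 versus 1777 maildrop mode, and web server membership in the
postdrop group). The maildrop path and the web server account names are
assumptions.

```python
import grp
import os
import stat

POSTDROP = "/usr/sbin/postdrop"              # path quoted in the thread
MAILDROP = "/var/spool/postfix/maildrop"     # assumption: default queue directory
WEB_USERS = {"apache", "www-data", "httpd"}  # assumption: common web server accounts


def audit(binary_mode, maildrop_mode, postdrop_members):
    """Return findings for the postdrop/maildrop setup (pure function, no I/O)."""
    findings = []
    b, d = stat.S_IMODE(binary_mode), stat.S_IMODE(maildrop_mode)
    need = stat.S_IWGRP | stat.S_IXGRP
    if not b & stat.S_ISGID:
        findings.append("postdrop is not setgid: sendmail submissions cannot reach maildrop")
    if b & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("postdrop is writable by group/other")
    if d & stat.S_IRWXO:
        findings.append("maildrop is open to 'other' (e.g. 1777): any local process can write queue files")
    if (d & need) != need:
        findings.append("maildrop lacks group write/search: setgid postdrop cannot deposit mail")
    if not d & stat.S_ISVTX:
        findings.append("maildrop has no sticky bit")
    # gr_mem lists supplementary members only, not accounts whose primary group is postdrop
    for user in sorted(WEB_USERS & set(postdrop_members)):
        findings.append(f"{user} is in the postdrop group: it can write maildrop directly")
    return findings


def audit_host():
    """Gather the live values on this machine and run audit() over them."""
    members = grp.getgrnam("postdrop").gr_mem
    return audit(os.stat(POSTDROP).st_mode, os.stat(MAILDROP).st_mode, members)


if __name__ == "__main__":
    for line in audit_host() or ["no findings"]:
        print(line)
```
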




