From: Matthew Seaman
Date: Thu, 12 Apr 2012 08:17:33 +0100
To: freebsd-questions@FreeBSD.org
Subject: Re: Sendmail recommended permissions for apache/php server
Message-ID: <4F86818D.8000402@FreeBSD.org>
In-Reply-To: <20120412034932.b6b7de0a.freebsd@edvax.de>

On 12/04/2012 02:49, Polytropon wrote:
> On Wed, 11 Apr 2012 23:57:51 +0000, Ian Lord wrote:
>> > I then got a different error in /var/log/messages
>> > Apr 11 19:38:40 dev sendmail[41170]: NOQUEUE: SYSERR(www): can not write to queue directory /var/spool/clientmqueue/ (RunAsGid=0, required=25): Permission denied
>> > I found very old threads saying to change the group of apache
>> > to "smmsp" but I doubt it's a good idea.
> No, not "change to", but you can _add_ apache (or whatever is
> originating the error) to the smmsp group. Add it to "smmsp:*:25:"
> in /etc/group.

You should not be changing the ownership and permissions on any of the
directories used by sendmail(8), or the group membership of any of the
groups used by sendmail. Not even if you think you know what you are
doing. This is extremely security sensitive, and getting it wrong means
at minimum unprivileged users can forge e-mails untraceably[*].

There is no reason for apache to have any sort of write permissions to
/var/spool/clientmqueue -- that should only be accessible to sendmail,
and sendmail is the only program that should ever use it.

To the OP -- can you execute sendmail outside PHP? If you can use
mail(1) to send a test e-mail, then sendmail should be fine. Note: test
this as an unprivileged user.

What are the permissions on /usr/libexec/sendmail/sendmail ?
They should look like this:

% ls -la /usr/libexec/sendmail/sendmail
-r-xr-sr-x 1 root smmsp 662136 Apr 1 08:38 /usr/libexec/sendmail/sendmail

If that all checks out, then the problem is with PHP rather than your
sendmail installation. There are several different ways PHP might be
programmed to send e-mail; perhaps you could describe how your
particular application tries to do it?

Cheers,

Matthew

[*] So what? you might think. Until you get an e-mail request from your
boss to provide sensitive information to some contractor you don't
really know.

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
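
Added example, not part of Matthew Seaman's message: a read-only shell audit of the three things the message says to leave untouched (the set-gid sendmail binary, /var/spool/clientmqueue, and the smmsp group entry). The function names are hypothetical; the expected binary listing and the "smmsp:*:25:" entry come from the thread, and the queue-directory check assumes only that "other" users get no access.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit of the sendmail
# permissions discussed above. Function names are this example's own.
SENDMAIL_BIN=${SENDMAIL_BIN:-/usr/libexec/sendmail/sendmail}
QUEUE_DIR=${QUEUE_DIR:-/var/spool/clientmqueue}
GROUP_FILE=${GROUP_FILE:-/etc/group}

# Split one line of `ls -l` output into mode/owner/group.
parse_ls_line() {
    read -r mode _links owner group _rest <<EOF
$1
EOF
    mode=${mode%[.+@]}    # drop the ACL/attribute marker some ls versions add
}

# Binary must match the listing in the message: -r-xr-sr-x root smmsp.
check_binary_line() {
    parse_ls_line "$1"
    [ "$mode" = "-r-xr-sr-x" ] && [ "$owner" = "root" ] &&
        [ "$group" = "smmsp" ] && return 0
    echo "sendmail binary: unexpected $mode $owner:$group"; return 1
}

# Queue directory must give "other" (e.g. the www user) no access at all.
check_queue_line() {
    parse_ls_line "$1"
    case $mode in
        d??????---) [ "$group" = "smmsp" ] && return 0 ;;
    esac
    echo "queue directory: unexpected $mode $owner:$group"; return 1
}

# The smmsp entry in group(5) must list no members ("smmsp:*:25:").
smmsp_members() { awk -F: '$1 == "smmsp" { print $4 }' "$1"; }
check_group_file() {
    members=$(smmsp_members "$1")
    [ -z "$members" ] && return 0
    echo "smmsp group has members: $members"; return 1
}

audit() {
    rc=0
    check_binary_line "$(ls -l "$SENDMAIL_BIN")" || rc=1
    check_queue_line "$(ls -ld "$QUEUE_DIR")" || rc=1
    check_group_file "$GROUP_FILE" || rc=1
    return $rc
}

# Pass --run to audit the live system; otherwise only the functions load.
if [ "${1:-}" = "--run" ]; then audit; fi
```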