Date:      Thu, 12 Apr 2012 03:49:32 +0200
From:      Polytropon <freebsd@edvax.de>
To:        Ian Lord <lordi@msdi.ca>
Cc:        "'freebsd-questions@freebsd.org'" <freebsd-questions@freebsd.org>
Subject:   Re: Sendmail recommended permissions for apache/php server
Message-ID:  <20120412034932.b6b7de0a.freebsd@edvax.de>
In-Reply-To: <AC28A3ECE8FFEA4CAE20B2B79FDB8F709B6DDB@server01.msdi.local>
References:  <AC28A3ECE8FFEA4CAE20B2B79FDB8F709B6DDB@server01.msdi.local>

On Wed, 11 Apr 2012 23:57:51 +0000, Ian Lord wrote:
> I then got a different error in /var/log/messages
> Apr 11 19:38:40 dev sendmail[41170]: NOQUEUE: SYSERR(www): can not write to queue directory /var/spool/clientmqueue/ (RunAsGid=0, required=25): Permission denied
> 
> I found very old threads saying to change the group of apache
> to "smmsp" but I doubt it's a good idea.

No, not "change to", but you can _add_ apache (or whatever is
originating the error) to the smmsp group. Add it to "smmsp:*:25:"
in /etc/group.

See the error message above:

"can not write to queue directory /var/spool/clientmqueue/"

Check:

% ls -ld /var/spool/clientmqueue
drwxrwx---  2 smmsp  smmsp  512 Apr 12 03:12 /var/spool/clientmqueue/
    ^^^
This directory can be read, written and entered/searched by
_members_ of the smmsp group.

Back to the error message:

"(RunAsGid=0, required=25)"

It is indicated that group #25 (smmsp) is the required GID, not 0.

And:

"Permission denied"

which is the logical conclusion.

Conclusion: You must make sure that whatever needs to access
this directory is in the smmsp group (25).



> Chmodding 777 the /var/spool/clientmqueue/ fixed the problem,
> I can now send emails, but I wonder if this is the way to fix
> the issue correctly.

You shouldn't need to do that. Now this directory can be modified
by anyone, that's not good.



> Is that the official fix or did I miss some configuration
> somewhere? Sending emails from php using mail or sendmail
> should be something working out of the box I guess, I doubt
> we're supposed to change permissions to make it work

Correct. In regard to _security_, it's required to _allow_ the
corresponding program / functionality / part of apache / mailer
or whatever the access to the mail queue. This is something that
is _not_ possible out of the box because there are many
possibilities and security considerations.



> Any help would be appreciated.

Try to add apache (or whatever part of it, or PHP subsystem called
by it that needs to access the mail queue) to the required group
to give it the proper permission to do so.



-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
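
Added example (not part of the original message or of FreeBSD's own tooling): a POSIX sh audit that follows the reasoning in the reply above. It reads the required GID from the SYSERR line, checks that the queue directory grants nothing to "other", and checks that the web server user holds that GID. The function names are assumptions made for this example; the user www comes from SYSERR(www) in the quoted log line.

```shell
#!/bin/sh
# Added example: audit the sendmail client queue the way the reply reasons.

# Pull the GID sendmail demands out of a SYSERR line ("required=25" -> 25).
required_gid() {
    printf '%s\n' "$1" |
        sed -n 's/.*RunAsGid=[0-9]*, required=\([0-9]*\)).*/\1/p'
}

# First ten characters of "ls -ld", e.g. drwxrwx--- (portable across BSD/GNU).
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# True when the "other" triplet grants anything, as it does after chmod 777.
world_accessible() {
    [ "$(dir_mode "$1" | cut -c8-10)" != "---" ]
}

# True when user $1 has numeric GID $2 among its primary/supplementary groups.
user_has_gid() {
    for g in $(id -G "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# audit_queue DIR USER LOGLINE -> 0 clean, 1 finding(s), 2 unparsable log line
audit_queue() {
    gid=$(required_gid "$3")
    [ -n "$gid" ] || { echo "no required= GID in log line" >&2; return 2; }
    rc=0
    if world_accessible "$1"; then
        echo "FAIL: $1 is $(dir_mode "$1"); restore drwxrwx--- (chmod 770)"
        rc=1
    fi
    if ! user_has_gid "$2" "$gid"; then
        echo "FAIL: $2 lacks GID $gid; add it to that group in /etc/group"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1 is closed to others, $2 has GID $gid"
    return "$rc"
}

# Example call, using the directory and user from the quoted error:
#   audit_queue /var/spool/clientmqueue www "$(grep 'SYSERR(www)' /var/log/messages | tail -1)"
```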


