Once the chroot() call is applied to a lighttpd or Apache web server, the server loses access to the real /usr/sbin/sendmail program.
The PHP mail() function allows you to send mail. For the Mail functions to be available, PHP must have access to the sendmail binary on your system during compile time. If you use another mail program, such as qmail or postfix, be sure to use the appropriate sendmail wrappers that come with them. PHP will first look for sendmail in your PATH, and then in the following: /usr/bin:/usr/sbin:/usr/etc:/etc:/usr/ucblib:/usr/lib. It’s highly recommended to have sendmail available from your PATH. Also, the user that compiled PHP must have permission to access the sendmail binary. Because of the chroot, PHP cannot access anything outside the jail.
Even if you copy /usr/sbin/sendmail into the jail, it will not work, because it needs all its other directories in /var and the sendmail config file in the /etc/mail directory.
So how do I configure PHP mail() support in a chrooted jail web server?
- Don’t use PHP mail(); use a PHP SMTP class to send email (recommended method #1)
- Install complete sendmail in the chrooted jail (this is too much work)
- Install statically linked mini_sendmail and /bin/sh in the chrooted jail (recommended method #2)
Task: Setting up static mini_sendmail for chrooted apache or lighttpd web server
mini_sendmail reads its standard input up to an end-of-file and sends a copy of the message found there to all of the addresses listed. The message is sent by connecting to a local SMTP server. This means mini_sendmail can be used to send email from inside a chroot(2) area. However, it needs to create a pipe, so you need to copy a shell into the chroot as well.
Type the following commands:
# cd /opt
# wget http://www.acme.com/software/mini_sendmail/mini_sendmail-1.3.6.tar.gz
# tar -zxvf mini_sendmail-1.3.6.tar.gz
# cd mini_sendmail-1.3.6
# make
Copy mini_sendmail to chrooted directory
Assuming that your chrooted directory is /webroot
# mkdir -p /webroot/usr/sbin
# cp mini_sendmail /webroot/usr/sbin/sendmail
Configure php for mini_sendmail (sendmail)
Go to the /webroot directory and edit etc/php.ini:
# cd /webroot
# vi etc/php.ini
Or open the file by its full path:
# vi /webroot/etc/php.ini
Set the sendmail path:
sendmail_path = /usr/sbin/sendmail -t -i
Restart the Apache web server
# /etc/init.d/httpd restart
Or
# apachectl restart
Or restart the lighttpd web server
# /etc/init.d/lighttpd restart
Copy /bin/sh or /bin/bash
# cp /bin/sh /webroot/bin
# l2chroot /bin/sh
Test your setup
Create a PHP script, mailtest.php, as follows:
<?php mail("email@example.com", "PHP Test mail", "Hope this works! "); ?>
Point your browser to http://yourcrop.com/mailtest.php
More troubleshooting tips
(a) Make sure you have /etc/resolv.conf and /etc/hosts files available in chrooted jail at /webroot/etc directory.
(b) Make sure your mail server accepts connections from localhost (default)
(c) Consult /var/log/maillog (or your MTA log file) outside the jail for more information
# tail -f /var/log/maillog
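The files this page asks for can be checked in one pass before testing from the browser. The script below is an added example, not part of the original article: check_jail is a hypothetical helper name, and /webroot is the jail path assumed earlier. It reports which jail files are missing and whether sendmail_path in the jail's php.ini names an executable inside the jail.

```shell
#!/bin/sh
# Added example (not from the original article): audit a chroot jail for the
# files this tutorial says PHP mail() needs. The jail path defaults to /webroot.

# check_jail ROOT: print one line per problem, return the number of problems.
check_jail() {
    root=${1:-/webroot}
    problems=0

    # The mini_sendmail copy and the shell needed for the pipe.
    for bin in usr/sbin/sendmail bin/sh; do
        if [ ! -x "$root/$bin" ]; then
            echo "MISSING executable: $root/$bin"
            problems=$((problems + 1))
        fi
    done

    # Resolver files from troubleshooting tip (a).
    for f in etc/resolv.conf etc/hosts; do
        if [ ! -r "$root/$f" ]; then
            echo "MISSING file: $root/$f"
            problems=$((problems + 1))
        fi
    done

    # sendmail_path must name a binary that exists inside the jail.
    ini="$root/etc/php.ini"
    if [ ! -r "$ini" ]; then
        echo "MISSING file: $ini"
        problems=$((problems + 1))
    else
        # Last uncommented sendmail_path line; keep only the program path.
        path=$(sed -n 's/^[[:space:]]*sendmail_path[[:space:]]*=[[:space:]]*"\{0,1\}\([^[:space:]"]*\).*/\1/p' "$ini" | tail -n 1)
        if [ -z "$path" ]; then
            echo "UNSET: sendmail_path in $ini"
            problems=$((problems + 1))
        elif [ ! -x "$root$path" ]; then
            echo "BAD sendmail_path: $path is not executable under $root"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

# Run the audit only when a jail path is given on the command line.
if [ "$#" -gt 0 ]; then check_jail "$1"; fi
```

Save it under any name and run it with the jail path as its argument, for example /webroot; an exit status of 0 means every check passed.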