Re: PHP mail() w/ postfix problem in Fedora Core 3 FIXED

From: Leos Bitto (postfix-usersleos.cz)
Date: Tue Jan 11 2005 - 01:17:59 CST


Nathaniel Price wrote:
>
> Leos Bitto wrote:
>
>> Nathaniel Price wrote:
>>
>>> Nathaniel Price wrote:
>>>
>>>> I've been searching for the solution to this problem to no avail.
>>>>
>>>> I recently did a clean install of FC3 on a server that was running
>>>> RH8. There were a number of PHP scripts that I had configured to
>>>> send out email for notices or passwords or the like. However, now
>>>> that I've upgraded I can't send mail through the mail() command in PHP.
>>>>
>>>> My problem is exactly like what I found here, but unfortunately that
>>>> question was left unanswered:
>>>> https://www.redhat.com/archives/fedora-list/2004-December/msg06708.html
>>>>
>>>> [snip]
>>>>
>>> I found out what the problem was on the fedora-users mailing list. It
>>> turns out that it was a 'problem' with Fedora Core 3. By default it
>>> uses SELinux to secure the httpd binary against executing other stuff
>>> it's not supposed to, including the postfix sendmail-compatible
>>> interface. FC's documentation on SELinux can be found here:
>>>
>>> http://fedora.redhat.com/docs/selinux-apache-fc3/
>>>
>>> Thanks for your help and suggestions on this admittedly non-obvious
>>> problem.
>>>
>>> Nathaniel
>>>
>>
>> Hello Nathaniel,
>>
>> the problem with mail() not working in PHP on Fedora Core 3 (with
>> SELinux enabled) is well known. I have solved it by replacing calls to
>> mail() with calls to a PEAR module which later connects to
>> 127.0.0.1:25 via SMTP. Check http://www.php.net/mail - there is a
>> comment from 24-Jan-2004 01:16, which was the salvage for me.
>>
>> What was your solution? Have you disabled SELinux? Have you
>> reconfigured SELinux to allow executing your MTA? Or are you using
>> SMTP instead (like I do)?
>
> Currently, I just disabled SELinux on HTTPd. I may figure out how to
> reconfigure SELinux to allow it to work while it's enabled, but I'd
> rather see it working /now/ at the moment. The docs I pointed to (I
> believe) have enough information to do that sort of configuration,
> though. Disabling SELinux on httpd is fairly simple; just run
> system-config-securitylevel from an X session, and from the SELinux tab,
> check the box next to "Disable SELinux protection for httpd daemon".
> There's probably a way to do it manually as well, but I just did the
> simplest thing that would work for me at the moment.

I know about this simple solution, but I definitely do not want to do
it. SELinux is a very powerful security feature, and I do not want to
ditch it just because of one PHP function. I definitely prefer security
here. Replacing mail() in all PHP scripts was some additional work for
me, but I believe that it does pay off.

> I was hesitant to go in and replace calls to mail() with something else
> (like the PEAR module you mentioned) on everything since I use a number
> of third-party web applications, and I'd rather not have to muck around
> in their code.

Luckily all my third-party web applications were prepared to use the
direct SMTP connection instead of simply calling mail().

> Anyway, hope that helps... I'm currently unsubscribed from the mailing
> list (too high volume and I don't really have any knowledge to offer as
> a relative newbie), but feel free to pass this along if you'd like.
>
> Nathaniel

OK, I am sending cc: to the list. Thank you for all the information.

Leos
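
The SMTP approach discussed in this thread, as an added example that is not part of the original messages: a stand-in for mail() that hands the message to the MTA on 127.0.0.1:25, so httpd never executes the sendmail binary and SELinux can stay enabled for it. It assumes the PEAR Mail and Net_SMTP packages are installed; the function name smtp_mail and the default sender address are hypothetical.

```php
<?php
// Added example: stand-in for mail() that submits over SMTP to the local MTA.
// Assumes the PEAR Mail and Net_SMTP packages are installed.
require_once 'Mail.php';

// Hypothetical helper name; same argument order as PHP's mail().
function smtp_mail($to, $subject, $body, $extra_headers = '')
{
    // Refuse CR/LF in single-line fields to block header injection.
    foreach (array($to, $subject) as $field) {
        if (preg_match('/[\r\n]/', $field)) {
            return false;
        }
    }

    // PEAR Mail wants headers as an array; mail() takes a CRLF-joined string.
    $headers = array(
        'From'    => 'webapp@localhost',   // constructed default sender
        'To'      => $to,
        'Subject' => $subject,
    );
    foreach (preg_split('/\r\n|\r|\n/', trim($extra_headers)) as $line) {
        if ($line === '') {
            continue;
        }
        $parts = explode(':', $line, 2);
        if (count($parts) !== 2) {
            return false;                  // malformed header line
        }
        $headers[trim($parts[0])] = trim($parts[1]);
    }

    // Plain SMTP to the loopback listener mentioned in the thread.
    $mailer = Mail::factory('smtp', array(
        'host' => '127.0.0.1',
        'port' => 25,
        'auth' => false,
    ));
    if (PEAR::isError($mailer)) {
        return false;
    }
    $result = $mailer->send($to, $headers, $body);
    return !PEAR::isError($result);
}

// Usage with constructed values:
// smtp_mail('user@example.com', 'Password reset', "Hello\n", "Reply-To: noreply@example.com");
```

PEAR Mail delivers only to the addresses passed as the first argument of send(), so Cc or Bcc lines in the extra headers do not add envelope recipients.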