Search code examples
ubuntu-12.04sendmail

What is the proper permission configuration of sendmail

This question comes from a problem much similar to this https://serverfault.com/questions/320607/ubuntu-jaunty-sendmail-php-mail-premission-errors

But those answers don't solve my problem

I have a php application which is using PHPMailer to send emails.

I installed sendmail on my ubuntu 12.04 LTS with

sudo apt-get install sendmail
sudo sendmailconfig

But the application failed to send any mail. In the mail.err it says:

Apr 14 00:31:42 AY sendmail[32241]: NOQUEUE: SYSERR(www-data): can not chdir(/var/spool/mqueue-client/): Permission denied

while www-data is the username of apache2.

Then I followed some guides from internet, add www-data to smmsp group:

sudo usermod -a -G smmsp www-data

Now when I 

groups www-data

I get

www-data : www-data smmsp

and the line in the /etc/group is:

smmsp:x:114:www-data

Also I made sure of access to /var/spool/mqueue-client/ is 770

/var/spool]$ ls -la
total 28
drwxr-xr-x  7 root   root  4096 Apr  2 00:21 .
drwxr-xr-x 11 root   root  4096 Apr 14 03:30 ..
drwxr-xr-x  5 root   root  4096 Aug  6  2012 cron
lrwxrwxrwx  1 root   root     7 Aug  6  2012 mail -> ../mail
drwxr-s---  2 smmta  smmsp 4096 Apr 14 06:25 mqueue
drwxrws---  2 smmsp  smmsp 4096 Apr 14 06:25 mqueue-client
drwxr-xr-x  2 root   root  4096 Apr 13  2012 plymouth
drwxr-xr-x  2 syslog adm   4096 Mar 31  2012 rsyslog

/]$ ls -ld /var/spool/mqueue-client/ /usr/sbin/sendmail
lrwxrwxrwx 1 root  root    26 Apr  2 00:21 /usr/sbin/sendmail -> /etc/alternatives/sendmail
drwxrws--- 2 smmsp smmsp 4096 Apr 14 06:25 /var/spool/mqueue-client/

But I still get error when I try to send mail

Apr 14 03:26:57 AY sendmail[6131]: NOQUEUE: SYSERR(www-data): can not write to queue directory /var/spool/mqueue-client/ (RunAsGid=33, required=114): Permission denied

while 33 is gid of www-data

www-data:x:33:

What should I do to get sendmail work but keep the security? Further, What is the proper permission configuration (user, group, and directories access etc) of sendmail in a production environment ?

Solution

  • Standard installation of sendmail-8.12+ requires to install sendmail binary as set group id.
    (/usr/sbin/sendmail -> ... -> /usr/lib/sm.bin/sendmail in you case)

    -rwxr-sr-x 1 root smmsp ...

    In case of your softlinks chain try: 

     chown root:smmsp /usr/lib/sm.bin/sendmail
 chmod 2555 /usr/lib/sm.bin/sendmail

    Recommended permissions are described in SECURITY file in sendmail distribution. On my debian the file is installed as /usr/share/doc/sendmail-doc/sendmail/SECURITY.gz by sendmail-doc package.