How can apache be allowed to send email?

K

5

10

I have a CentOS 6.2 virtual machine running Apache 2.2 and PHP 5.3 that I'm trying to send email from via PHP's mail() function. I can send email from the CLI without problems but when PHP tries it fails. In the sendmail log is the following:

Oct  9 11:42:03 localhost sendmail[3080]: NOQUEUE: SYSERR(apache): can not chdir(/var/spool/clientmqueue/): Permission denied

It seems like Apache doesn't have permission to do this but I'm not sure how to fix it. I've found a lot discussion about this but nothing specific enough to what I'm doing that I could use. Any help would be appreciated. Thanks!

Kenzi answered 9/10, 2012 at 16:58 Comment(2)

How are you trying to send this email? Apache should never need to chdir into the mail spool directories - it should just speak to the local mail MTA. – Hornstone 9/10, 2012 at 16:59

Check out this solution: forums.freebsd.org/showthread.php?t=32273 – Signatory 9/10, 2012 at 17:34

F

4

First you have to check if permission are correct. Here is the permission below in my system

# ls -l /usr/sbin/sendmail.sendmail -r-xr-sr-x root smmsp /usr/sbin/sendmail.sendmail

# ls -l /var/spool/clientmqueue drwxrwx--- smmsp smmsp /var/spool/clientmqueue

If your permissions or ownership is wrong then change it using chown and chmod.

If the above is right then disable selinux or if you want selinux enabled use chcon to set the correct selinux context.

http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html

For disabling selinux temporarily use #setenforce 0

Frissell answered 9/10, 2012 at 17:49 Comment(1)

Don't disable SELinux :( There's a boolean httpd_can_sendmail to allow the web-server to send mail which should work in this case. Set this with setsebool -P httpd_can_sendmail 1, and include the -P option to make it persistent across reboots. – Eliza 27/9, 2016 at 9:25

N

31

Selinux may cause the issue, to verify run:

getsebool -a | grep mail

If it displays as bellow it is selinux:

allow_postfix_local_write_mail_spool --> off

You may disabled it, but if you want to keep it (and you should as it provides an extra layer of security) you should do something else:

setsebool -P httpd_can_sendmail on

This will allow the httpd to send emails, as when you use php mail().

Noranorah answered 20/11, 2012 at 10:54 Comment(2)

-P option make it permanent, so after reboot it will be on again :) – Laquitalar 4/8, 2013 at 12:59

i only used "setsebool -P httpd_can_sendmail on" and solved the problem. Thanks – Impotent 9/5, 2014 at 11:40

G

12

Hate to necro this, but none of the solutions here worked for me. I know very little about SELinux, but I ended up discovering the problem with this (on CentOS 6):

getsebool httpd_can_sendmail

Which told me it's disabled. Fixed with

setsebool httpd_can_sendmail 1

Grumble answered 25/11, 2013 at 17:28 Comment(1)

setsebool without -P will not survive a reboot. So -P should be used. – Jaundice 21/1, 2022 at 9:31

F

4

First you have to check if permission are correct. Here is the permission below in my system

# ls -l /usr/sbin/sendmail.sendmail -r-xr-sr-x root smmsp /usr/sbin/sendmail.sendmail

# ls -l /var/spool/clientmqueue drwxrwx--- smmsp smmsp /var/spool/clientmqueue

If your permissions or ownership is wrong then change it using chown and chmod.

If the above is right then disable selinux or if you want selinux enabled use chcon to set the correct selinux context.

http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html

For disabling selinux temporarily use #setenforce 0

Frissell answered 9/10, 2012 at 17:49 Comment(1)

Don't disable SELinux :( There's a boolean httpd_can_sendmail to allow the web-server to send mail which should work in this case. Set this with setsebool -P httpd_can_sendmail 1, and include the -P option to make it persistent across reboots. – Eliza 27/9, 2016 at 9:25

E

1

You may have SELinux enabled.

http://selinuxproject.org/page/Main_Page

You can check SELinux status by doing:

sestatus

You should see something like:

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

You can turn SELinux off temporarily via:

echo 0 >/selinux/enforce

and back on with

echo 1 >/selinux/enforce

If you do temp. turn it off, do not install RPMs or make changes. I find this can lead to problems with re-enabling it.

If you want to permanently disable SELinux, then try:

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html

Eikon answered 9/10, 2012 at 17:26 Comment(0)

G

0

getsebool -a | grep mail
allow_postfix_local_write_mail_spool --> off
setsebool -P httpd_can_sendmail on

This command working for me.

Greig answered 15/3, 2018 at 13:28 Comment(0)

Recommended topics

Hot tags