OpenBSD Journal

Sendmail inside Jailed Apache/PHP Environment

Contributed by jose on from the inerior-design dept.

anonymous writes:
"Hi, I am setting up a website that is using PHP. The web site trys to send out e-mails by using the following PHP command:
$cmd = "/bin/echo "" . $msg . "" | /usr/sbin/sendmail -t -i";
This works if I ensure Apache is not running in the default jailed environment. I would like to have some mechanism for sending an email message from the jailed environment.

Has any one else done this? Any suggestions would be greatly appreciated."

While this isn't a very secure way at all to handle email submissions from HTTP POST operations, it does raise the question of what methods people have found to run PHP system with the chrooted Apache in 3.3. Anyone care to share their setup scripts and methods?

(Comments are closed)

  1. By Anonymous Coward () on

    Uh, why not just copy echo and sendmail into the jail?

    Thats a really really horrible way of doing it in the first place.

  2. By paulc () on

    Assuming you have a local SMTP server you can try mini_sendmail from - you need to set the PHP sendmail path in php.ini.

    Here is the description from the site:

    "mini_sendmail reads its standard input up to an end-of-file and sends a copy of the message found there to all of the addresses listed. The message is sent by connecting to a local SMTP server. This means mini_sendmail can be used to send email from inside a chroot(2) area"

  3. By Anonymous Coward () on


    1. By Anonymous Coward () on

      Ah, the concise elegance of cut and paste.

    2. By AC () on

      Thanks to your humorous comment, this page is totally screwed. What about limiting the number of characters in one line?

  4. By Peter Hessler () on

    Why don't you just send the message to That will allow you to *not* use sendmail in your jailed envrionment. I'm sure there are programs that are sendmail syntax compatable that are designed for this purpose.

  5. By knomevol () on

    why are you creating the building that exec command when you could use the mail function ?

    1. By Benny Siegert () on

      Because that function just calls /sbin/sendmail? :)

  6. By Clint () on

    Or just write your own php function like this.....

    function send_email($to, $sender_email, $subject, $mailheaders, $msg)
    $connection = fsockopen ("$MX_host", 25, &$errno, &$errstr, 1);
    fputs($connection, "HELO domain.comn");
    fputs($connection, "MAIL FROM: $sender_emailn");
    fputs($connection, "RCPT TO: emailaddress@domain.comn");
    fputs($connection, "DATAn");
    fputs($connection, "Subject: $subjectn$mailheadersn$msgn.n");
    fclose ($connection);

    send_email($to, $sender_email, $subject, $mailheaders, $msg);

    1. By Anonymous Coward () on

      Unfortunately, that won't check for errors, and it won't handle single lines that contain only a dot--a malicious user would be able to use that script to send anonymous emails anywhere.

      1. By clint () on

        Thats just an example. You can easily put in fgets() to provide error checking, have it log this email to a file, and do all sorts of input verification.

        In my forms for example, all the $var's are checked and "cleaned' before that function is called. It would take all but 20 minutes of coding to expand this example to something usable, which is still a lot quicker than trying to chroot sendmail, or get php's mail() to work.

  7. By Josh () selerius at codefusion dot org on codefusion dot org

    there is a php mail class available that seems to work fairly well. I have used it on several occasions, and plan on using it in the future.

  8. By grange () on

    Pretty security bug in such usage of exec().

  9. By drama () on

    Maybe check out the PHP documentation for Mail() syntax as well as other user examples.

    Im not trying to say rtfm, but the php documentation is really helpful for the most part.

    * * * * *

  10. By Anonymous Coward () on

    Isn't this a lot worse than "not very secure"..?

    If a person were able to get their own chosen text into $msg (perhaps by making it part of their name, or email address), aren't you letting them write their own shell command to be executed inside your chroot? Granted, maybe that limits the damage they can do, but it'd still suck if they got away with "cd /; rm -rf *"

  11. By Raymond Morsman () on


    a friend of mine played with the sendmail config until he make work.

    The result can be found at:

    Works perfectly, I used to run a script of my own for the last years, but this one is easier.


    1. By Bard ( on

      > Hi,
      > a friend of mine played with the sendmail config until he make work.
      > The result can be found at:
      > Works perfectly, I used to run a script of my own for the last years, but this one is easier.

      Too bad his site is down

  12. By bolke () on

    Do not use the internal mail() function of PHP. It does not work with SMTP on BSD/*nix machines as strangely enough.

    Grab something as SMTP class (see freshmeat) and use that. No need for copying etc, a lot nicer too.

    1. By drama () dr4ma-at-slakin-d0t-net on

      Really? That is odd, I have mail() working on OpenBSD 3.2, FreeBSD 4.4, 4.6, 4.7 and linux.
      Not to flame you, but don't post something if you don't know your facts.


      1. By bolke () on

        I actually tested it, and it was confirmed when searching for it on the Net.

        But I would really like to be convinced otherwise.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]