To be sure that a server stays safe when one site is compromised, I try to lock every site in its own chroot jail. To make this easier I use Jailkit.
Since you probably don’t want to set up sendmail for each chroot, you can use mini_sendmail. It works as a relay and passes messages on to the actual sendmail.
The problem is that there is no way to specify a custom username or hostname, which can be quite important in some cases.
To solve this I made some quick and dirty modifications; here is the patch in case you need it:
--- Makefile
+++ Makefile
@@ -7,10 +7,10 @@
 BINDIR = /usr/local/sbin
 MANDIR = /usr/local/man
 CC = gcc
-CFLAGS = -O
-#CFLAGS = -g
-LDFLAGS = -s -static
-#LDFLAGS = -g -static
+#CFLAGS = -O
+CFLAGS = -g
+#LDFLAGS = -s -static
+LDFLAGS = -g -static
 LDLIBS = $(SYSV_LIBS)
 CC := $(DIET) $(CC)
--- mini_sendmail.c
+++ mini_sendmail.c
@@ -65,6 +65,8 @@
 static char* argv0;
 static char* fake_from;
 static int parse_message, verbose;
+static char* helo;
+static char* user;
 #ifdef DO_MINUS_SP
 static char* server;
 static short port;
@@ -80,7 +82,7 @@
 static void usage( void );
 static char* slurp_message( void );
 #ifdef DO_RECEIVED
-static char* make_received( char* from, char* username, char* hostname );
+static char* make_received( char* from, char* user, char* helo );
 #endif /* DO_RECEIVED */
 static void parse_for_recipients( char* message );
 static void add_recipient( char* recipient, int len );
@@ -111,6 +113,7 @@
 argv0 = argv[0];
 fake_from = (char*) 0;
 parse_message = 0;
+ server = "localhost";
 #ifdef DO_MINUS_SP
 server = "127.0.0.1";
 port = SMTP_PORT;
@@ -124,6 +127,10 @@
 fake_from = &(argv[argn][2]);
 else if ( strcmp( argv[argn], "-t" ) == 0 )
 parse_message = 1;
+ else if ( strncmp( argv[argn], "-h", 2 ) == 0 && argv[argn][2] != '\0' )
+ helo = &(argv[argn][2]);
+ else if ( strncmp( argv[argn], "-u", 2 ) == 0 && argv[argn][2] != '\0' )
+ user = &(argv[argn][2]);
 #ifdef DO_MINUS_SP
 else if ( strncmp( argv[argn], "-s", 2 ) == 0 && argv[argn][2] != '\0' )
 server = &(argv[argn][2]);
@@ -162,14 +169,22 @@
 #endif /* DO_GETPWUID */
 }
+ if ( user == (char*) 0 ){
+ user=username;
+ }
+
 if ( gethostname( hostname, sizeof(hostname) - 1 ) < 0 )
 show_error( "gethostname" );
+ if ( helo == (char*) 0 ){
+ helo=username;
+ }
+
 if ( fake_from == (char*) 0 )
- (void) snprintf( from, sizeof(from), "%s@%s", username, hostname );
+ (void) snprintf( from, sizeof(from), "%s@%s", user, helo );
 else if ( strchr( fake_from, '@' ) == (char*) 0 )
- (void) snprintf( from, sizeof(from), "%s@%s", fake_from, hostname );
+ (void) snprintf( from, sizeof(from), "%s@%s", fake_from, helo );
 else
 (void) snprintf( from, sizeof(from), "%s", fake_from );
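Review bot: Debug flags are switched on here (`+CFLAGS = -g`, `+LDFLAGS = -g -static`) while the optimized and stripped settings `CFLAGS = -O` / `LDFLAGS = -s -static` are commented out, which has nothing to do with the -u/-h feature and leaves anyone applying the published patch with an unstripped debug binary in the jail. Unless a debug build is intended, this hunk should be dropped from the patch so the original flags stay in effect.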
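Review bot: `server = "localhost";` is added outside the `#ifdef DO_MINUS_SP` block, but `server` is declared only inside that block (see the hunk at -65), so the assignment does not compile when DO_MINUS_SP is undefined, and when it is defined the value is immediately overwritten by `server = "127.0.0.1";` on the next line. The line looks like a leftover and can simply be removed.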
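Review bot: The fallback `helo=username;` uses the login name rather than the host name, so without `-h` the SMTP HELO and the domain part of the From address both become the username, whereas the original code used `hostname` for both. Change the default to `helo = hostname;` and keep it after the `gethostname()` call so the buffer is already filled. The `user` fallback a few lines above is correct as written.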
@@ -181,7 +196,7 @@
 message = slurp_message();
 #ifdef DO_RECEIVED
- received = make_received( from, username, hostname );
+ received = make_received( from, user, helo );
 #endif /* DO_RECEIVED */
 (void) signal( SIGALRM, sigcatch );
@@ -209,7 +224,7 @@
 exit( 1 );
 }
- (void) snprintf( buf, sizeof(buf), "HELO %s", hostname );
+ (void) snprintf( buf, sizeof(buf), "HELO %s", helo );
 send_command( buf );
 status = read_response();
 if ( status != 250 )
@@ -337,7 +352,7 @@
 #ifdef DO_RECEIVED
 static char*
-make_received( char* from, char* username, char* hostname )
+make_received( char* from, char* user, char* helo )
 {
 int received_size;
 char* received;
@@ -349,8 +364,8 @@
 tmP = localtime( &t );
 (void) strftime( timestamp, sizeof(timestamp), "%a, %d %b %Y %T %Z", tmP );
 received_size =
- 500 + strlen( from ) + strlen( hostname ) * 2 + strlen( VERSION ) +
- strlen( timestamp ) + strlen( username );
+ 500 + strlen( from ) + strlen( helo ) * 2 + strlen( VERSION ) +
+ strlen( timestamp ) + strlen( user );
 received = (char*) malloc( received_size );
 if ( received == (char*) 0 )
 {
@@ -360,7 +375,7 @@
 (void) snprintf( received, received_size,
 "Received: (from %s)\n\tby %s (%s);\n\t%s\n\t(sender %s@%s)\n",
- from, hostname, VERSION, timestamp, username, hostname );
+ from, helo, VERSION, timestamp, user, helo );
 return received;
 }
 #endif /* DO_RECEIVED */
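Review bot: The `-h` value is written into the SMTP command `HELO %s` without any validation, whereas the original used the result of `gethostname()`; a value containing whitespace or CR/LF would no longer form a single well-formed command, and the same string is later written into the Received header (hunk at -360). Since the option is meant to carry a host name, rejecting other input where `-h` is parsed (hunk at -124), e.g. `if ( strpbrk( helo, " \t\r\n" ) != (char*) 0 ) usage();`, keeps both the command and the header well-formed. The enclosing function continues outside this hunk.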
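Review bot: The renamed parameters in `make_received( char* from, char* user, char* helo )` shadow the file-scope statics `user` and `helo` added in the hunk at -65; this compiles, but it trips `-Wshadow` and makes the uses in the hunks at -349 and -360 easy to misread. Since the only caller (hunk at -181) passes the globals anyway, keeping the original parameter names `username` and `hostname` and changing only the call site is simpler and avoids the shadowing.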
Save it as some.patch, move it into the mini_sendmail source directory and run:
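# Apply the patch from inside the mini_sendmail source directory, build, and
# install the result into the jail. The steps are chained with && so that a
# failed patch or build stops here instead of copying a stale, unpatched
# binary into the jail.
patch -p0 < some.patch && \
make && \
cp mini_sendmail /to/jail/usr/bin/sendmail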
You can specify the username with the -u parameter and the hostname (which is also used in the HELO command) with -h.
If you are going to use it with PHP, change sendmail_path in php.ini to something like this:
sendmail_path = /usr/bin/sendmail -s127.0.0.1 -p5555 -unoreply -hexample.com [email protected] -t -i
This makes PHP connect to the sendmail relay listening on 127.0.0.1 port 5555, send example.com as the HELO name, and use noreply as the username.
The patch was made against version 1.3.6.