PHP Mail does not add X-PHP-Script - php

I installed Ubuntu 22.04, php 8.1.2, Apache 2.4.52 and postfix. When I run test.php in browser with the code
mail($to, $subject, $body)
I receive the email without X-PHP-Script header. I expect to see
X-PHP-Script: <server_name><php_self> for <remote-addr>
After I set
mail.add_x_header = On
the header X-PHP-Originating-Script was added to a mail, but not X-PHP-Script. If I am not wrong, PHP mail always added X-PHP-Script.
I can add it manually via additional_headers parameter of mail function, but how to make PHP mail add it? What adds X-PHP-Script on my shared server with cPanel?

X-PHP-Originating-Script is the header PHP adds (a commenter also mentioned that).
This does not mean X-PHP-Script does not exist. cPanel, for instance, uses it to identify messages sent by the nobody user. You may have seen the X-PHP-Script header, but it was not added by PHP itself.
cPanel itself adds this header internally. You may alter this behavior by using the Exim Configuration Manager Advanced Editor in cPanel. One such way is to use system-wide message filtering. However, cPanel's documentation does not recommend doing so. It may cause severe performance issues or cause email messaging to stop working entirely.
This particular header is used to identify messages being delivered to Exim within cPanel. It is one of the possible ways to identify the source of a message to cPanel's mail transfer agent for security purposes. It is unlikely that shared server hosts will allow you to modify configurations of this type in cPanel.
It is possible to make PHP's mail() add it by:
modifying the PHP source and compiling it
redefining the mail function using runkit7_function_redefine
wrapping mail() in another function and using your newly constructed function
Modifying PHP's source and using runkit7_function_redefine are possible but not generally a feasible or appropriate way to change the behavior of PHP's mail(). They also require advanced knowledge and significant planning and effort.
Also, a mail transfer agent like Exim Internet Mailer can be configured to add or remove message headers outside of PHP, but this does not modify the behavior of mail() itself.
There is currently no simple way (as of 2023) to add X-PHP-Script automatically from within PHP, other than by doing it manually as you mentioned.
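The wrapper option from the list above, as an added example that is not part of the original answer: `traced_mail()`, `x_php_script_value()` and `header_safe()` are hypothetical names, and the header layout is the one quoted in the question. Control characters are stripped because `SERVER_NAME` and `PHP_SELF` can carry request-supplied data.

```php
<?php
declare(strict_types=1);

// Added example. Function names are hypothetical; the header layout
// "<server_name><php_self> for <remote-addr>" is the one quoted in the question.

/** Strip control bytes (CR, LF, NUL, ...) so a value stays on one header line. */
function header_safe(string $value): string
{
    return preg_replace('/[\x00-\x1F\x7F]+/', '', $value) ?? '';
}

/** Build the header value from a $_SERVER-like array. */
function x_php_script_value(array $server): string
{
    // SERVER_NAME and PHP_SELF can be influenced by the request
    // (Host header, trailing path info), so treat them as untrusted.
    $name = header_safe((string) ($server['SERVER_NAME'] ?? 'unknown'));
    $self = header_safe((string) ($server['PHP_SELF'] ?? ''));
    $addr = (string) ($server['REMOTE_ADDR'] ?? '');
    if (filter_var($addr, FILTER_VALIDATE_IP) === false) {
        $addr = 'unknown';
    }
    return "{$name}{$self} for {$addr}";
}

/** Same arguments as mail(); adds X-PHP-Script before handing off. */
function traced_mail(string $to, string $subject, string $message,
                     array|string $headers = [], string $params = ''): bool
{
    $value = x_php_script_value($_SERVER);
    if (is_array($headers)) {
        $headers['X-PHP-Script'] = $value;   // array form: name => value
    } else {
        $headers = rtrim($headers, "\r\n");
        $headers .= ($headers === '' ? '' : "\r\n") . "X-PHP-Script: {$value}";
    }
    return mail($to, $subject, $message, $headers, $params);
}

// Constructed request data, including a line break smuggled into the path.
if (PHP_SAPI === 'cli') {
    echo x_php_script_value([
        'SERVER_NAME' => 'www.example.test',
        'PHP_SELF'    => "/test.php/x\r\nBcc: list@example.test",
        'REMOTE_ADDR' => '203.0.113.7',
    ]), PHP_EOL;
}
```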

Related

Is it possible to configure sendmail to use SMTP authentication by default (for use with PHP)?

I am maintaining an old PHP application and I would like to configure it to use Mandrill for outgoing email. Mandrill, of course, requires SMTP authentication. The application uses PHP's mail() function directly.
Is there any way I can configure sendmail (or an equivalent service) to send using SMTP authentication by default (with the credentials for Mandrill), without having to replace all the mail() calls throughout the application?
I saw some other answers about SMTP configuration in php.ini but that only works on Windows, so I believe the only PHP setting I could change that would potentially be useful is sendmail_path, which defaults to sendmail -t -i. I was thinking maybe I could point it to a shell script instead but I'm not sure how to go about that or whether it would work.
UPDATE
Thanks to @mti2935's answer, I was able to get this working. I had trouble getting sSMTP to work (got the error "send-mail: Cannot open smtp.mandrillapp.com:587" even though there was no firewall blocking it) so I followed the second link and set up MSMTP. I had to change the tls_trust_file setting to /etc/pki/tls/certs/ca-bundle.crt (note: I'm running CentOS 6). Also, the sendmail_path PHP setting recommended in the link didn't work for me; I had to change it to "/usr/bin/msmtp -C /etc/msmtp/myconfig -t" (and restart Apache since I changed this in php.ini rather than in an .htaccess file...note that the config file can be called whatever you want; choose your own name in place of "myconfig").
Also, when testing, be sure to specify a "From" address, otherwise some destinations including Gmail might reject the message.
There are a number of lightweight replacements for sendmail that can be used to relay outgoing messages through a remote SMTP relaying server, such as SSMTP, MSMTP, and Nullmailer. By replacing /usr/sbin/sendmail with one of these, you can relay outgoing mail sent from your PHP scripts through a remote SMTP server, without making any changes to your PHP scripts that use the PHP mail() function. These replacements simply hand off the message to the relaying server - they don't handle incoming mail, they don't manage a queue, etc.
See:
http://itekblog.com/ssmtp-a-gmail-sendmail-relay-replacement-for-linux/
http://www.emanueletessore.com/how-to-configure-msmtp-as-a-gmail-relay-on-ubuntu-server/
http://untroubled.org/nullmailer/
Another option may be to continue using sendmail, configured with a smarthost. See https://serverfault.com/questions/41448/fastest-way-to-allow-sendmail-relay-through-smarthost
Swiftmailer is a good option. You should also take a look at Zend2 Mail. I used this on a small project and it fit the bill nicely.
PHP Storm has a pretty cool search and replace function. If you just search for let's say "mail(" (without the quotes) you can manually go through the results and confirm before replacing them. Or you can do a replace but before it replaces each occurrence, you can confirm it.

Virtual Hosts / Postfix mail log, show sending website

I've been googling around for a while now and have been unable to find any sort of solution or any information at all.
What I need to do is to configure postfix so that when one of our websites sends mail using PHP (via a contact us form or w/e) the mail log will show what the sending website was. This way we can identify a compromised website/form, etc in case one of our IP addresses should get blacklisted. We run virtual hosts so each server could have dozens to hundreds of websites on them. For us to otherwise track them down manually could take forever.
Is this even possible? Perhaps it's not if I couldn't find anything on Google :(
Consider using PHP 5.3's new mail.log configuration directive. It will allow you to define a log file where all calls to the mail() function are recorded, including the To address, the headers, and the full path to the script that made the call.
If you aren't running 5.3, consider upgrading to it, or to 5.4 once it's out in a few weeks.
Unfortunately this is only half of a solution. There are numerous PHP mail libraries that speak SMTP. If you permit local SMTP connections (as most good web hosting providers should), then users would have a way to bypass that log.
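One way to turn a mail.log into a per-site count, so an unusually busy script stands out (an added example, not part of the original answer). The record layout matched by the regex, the `/var/www/vhosts/<site>/` directory layout and both function names are assumptions, and the sample records are constructed.

```php
<?php
declare(strict_types=1);

// Added example. The record layout
//   mail() on [<script>:<line>]: To: <to> -- Headers: <headers>
// is an assumption; compare it with a line from your own mail.log.
// The /var/www/vhosts/<site>/ docroot layout is also assumed.

/** Count mail() calls per calling script. */
function count_by_script(iterable $lines): array
{
    $counts = [];
    foreach ($lines as $line) {
        if (preg_match('/mail\(\) on \[(.+?):\d+\]: To: /', (string) $line, $m)) {
            $counts[$m[1]] = ($counts[$m[1]] ?? 0) + 1;
        }
    }
    arsort($counts);   // busiest script first
    return $counts;
}

/** Roll script counts up to the virtual host that owns each script. */
function count_by_site(array $byScript, string $root = '/var/www/vhosts/'): array
{
    $sites = [];
    foreach ($byScript as $script => $n) {
        $site = str_starts_with($script, $root)
            ? explode('/', substr($script, strlen($root)), 2)[0]
            : '(outside vhost root)';
        $sites[$site] = ($sites[$site] ?? 0) + $n;
    }
    arsort($sites);
    return $sites;
}

// Constructed sample records.
$sample = [
    '[12-Mar-2023 10:15:01 UTC] mail() on [/var/www/vhosts/shop.example.test/contact.php:42]: To: owner@example.test -- Headers: From: form@shop.example.test',
    '[12-Mar-2023 10:15:03 UTC] mail() on [/var/www/vhosts/blog.example.test/uploads/x.php:7]: To: a@example.net -- Headers: ',
    '[12-Mar-2023 10:15:03 UTC] mail() on [/var/www/vhosts/blog.example.test/uploads/x.php:7]: To: b@example.net -- Headers: ',
    '[12-Mar-2023 10:15:04 UTC] mail() on [/var/www/vhosts/blog.example.test/uploads/x.php:7]: To: c@example.net -- Headers: ',
];
foreach (count_by_site(count_by_script($sample)) as $site => $n) {
    printf("%4d  %s\n", $n, $site);
}
```

As the answer notes, this only sees mail sent through mail(); scripts that speak SMTP directly never appear in the log.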

Mail relay and php mail

I have a VPS server at UltimateHosting.com, which requires that I use "Smart Relay". I can't seem to wrap my head around how to set up PHP to be able to use mail relay.
Here is an article they have on Smart Relay:
http://support.ultrahosting.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=142
The server is using cpanel and exim
I sent the following support ticket:
How do I configure the server to send mail using PHP? I am writing a script that will send the user's password using PHP's mail function. However the emails sent are never delivered. Does this have to do with "smart relay"? Any guide on how to configure this?
Response was:
While we do not provide scripting support of any kind, if you simply ensure the smart host is hard coded in your script (no authentication is necessary) the email should be forwarded accordingly.
If your script uses the server's SMTP server to send out email, you'll have to ensure the MTA is configured to use the smart host.
Could anyone please clarify what I need to do in order to fix this?
I got the answer on ServerFault; see https://serverfault.com/questions/188840/configrue-exim-sendmail-for-relay for details.
In short, I needed to change the default generic hostname and apply the route relay.

A couple problems re: CodeIgniter emailer

I have some problems with the email system for CodeIgniter:
First, the emails I send out (registration, confirmations) are getting caught in standard spam filters in gmail and other mail clients. How do I get around this? How do companies like Facebook get their emails through consistently?
Second, the mailer is working locally but once we deploy it it no longer runs (doesn't send emails) but all the other forms run just fine. Anyone ever run into a problem like this?
Thanks for all the help!
I can't really answer your first question - it's not specific to CodeIgniter. You just need to make sure your email doesn't look like spam. In short - there's no way of guaranteeing your e-mail will not end up in a spam filter.
As for the second question, I expect your production server needs to be configured properly for email. You probably need to configure CodeIgniter to send email properly. I would suggest setting up an SMTP server (or using an existing one) rather than using the standard PHP mail which I think CodeIgniter uses by default.
Regarding spam, most organisations are very secretive about how they prevent spam (not wanting to publish information which helps the spammers) and in some cases they don't actually know - an obvious example of this is Bayesian filtering - but, for example, Hotmail use a completely unaccountable army of volunteers to manually classify emails.
Do go and get a copy of SpamAssassin and try to reverse engineer how the standard rules work. Obvious things to check are:
1) AVOIDING LOTS OF CAPITALS
2) don't mention the 'V' word
3) make sure you've got a current and restrictive SPF 1.0 policy published
4) make sure you're sending from an address which has A and PTR DNS records
5) Do provide a reply-to and from email address which use your domain in the address
the mailer is working locally but once we deploy it it no longer runs
doesn't send emails
Which? These are 2 totally separate things. If the code is falling over (if so why have you not provided the error details) then it's likely a PHP version issue or a problem with the connection to the MTA (or the PHP mail config).
The latter is a problem with the MTA itself.
99.9% of problems reported as PHP mail failures have nothing to do with PHP and are problems with the MTA.
Enable detailed error reporting for your MTA and see where it is failing.
C.
You may have to configure the email on your server differently than your local development environment. I've had to in the past.
There are two basic ways that PHP can send mail:
Via a UNIX program called "sendmail" (only on non-Windows servers and only if it is installed - check with your hosting provider)
Via a SMTP server.
If you've configured CodeIgniter to use SENDMAIL, check to ensure that the Sendmail path is correct. Your hosting provider usually provides this somewhere in their online documentation.
If you're using SMTP, you need to make sure that your server can contact the SMTP server. You can do this by logging into the server via SSH and typing "telnet your.smtpserver.com 25". If you get an error message about not being able to connect, you know you have a problem with your hosting provider connecting to your mail server.
I've been able to diagnose this problem by enabling logging on my production server (http://bit.ly/4pprd6) and adding log_message('error', $this->email->print_debugger()) right after I attempt to send a message.

is there something wrong with using php's native mail function?

I tried googling but sadly I get only documentation (or am I using bad keywords?)
Anyway,
I can see that a lot of programmers (even those I'm working with right now) do not seem to approve of using the PHP native mail function and resort to using some other framework like sendmail, Swift Mailer, etc.
I'd like to know why. Are there really disadvantages to using the native mail function?
If so, how do the mailing frameworks solve that, or how are they better?
There's nothing wrong with it for sending simple plain text emails.
However, once you get into multipart mime emails (say, you want an HTML version or to add an attachment) then you have to build the email yourself, and it can be quite tricky to get all the headers and encoding correct. In this case you're better off using a library.
The PHP manual for function mail mentions that there are some restrictions with the mail function and one of these is that the function opens and closes an SMTP socket for each email. The mail function works well when you just want to send a mail or two.
As far as I'm concerned, all of these problems pale in comparison to the major security problem:
Mail header injection: ( http://en.wikipedia.org/wiki/E-mail_injection , and php specific info: http://www.damonkohler.com/2008/12/email-injection.html )
Whereby a spammer bot spiders your site and, finding a vulnerability in your script that is easy to still have when using the very insecure mail() function, IS ABLE TO SEND EMAIL FROM YOUR SERVER TO AN ARBITRARY LIST OF CONTACTS, essentially turning your script & server into a cog in their spam email machine.
I recommend never using mail() with user input, and in general, just making use of PEAR::mail instead. http://pear.php.net/package/Mail/
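The header injection problem described above, shown as the weak pattern beside a hardened one (an added example, not part of the original answer). Function names, addresses and the input value are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example. Function names and addresses are hypothetical.

/** Weak pattern: form input concatenated straight into the header block. */
function headers_unsafe(string $userEmail): string
{
    return "From: {$userEmail}";
}

/** Hardened: accept one syntactically valid address with no line breaks. */
function headers_safe(string $userEmail): string
{
    if (preg_match('/[\r\n]/', $userEmail)
        || filter_var($userEmail, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('rejected address');
    }
    // Fixed From on the site's own domain; the visitor's address
    // only ever appears in Reply-To.
    return "From: webform@example.test\r\nReply-To: {$userEmail}";
}

// Constructed form value carrying an extra header line.
$input = "visitor@example.test\r\nBcc: list@example.test";

// The weak version turns one field into two header lines.
echo count(explode("\r\n", headers_unsafe($input))),
     " header lines from the weak version\n";

// The hardened version refuses the same value.
try {
    headers_safe($input);
} catch (InvalidArgumentException $e) {
    echo "hardened version: ", $e->getMessage(), "\n";
}

// A normal address passes through unchanged.
echo headers_safe('visitor@example.test'), "\n";
```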
Using PHP's mail() function requires a properly configured sendmail or equivalent on the host the program is running. However, the Windows implementation is a bit different. If you don't have your MTA configured properly, you won't be able to successfully send emails from your PHP scripts. Like another commenter said on this thread, PHP manual explicitly states that each call to the mail() function opens and closes a socket. This can cause unnecessary delay in script execution.
Additionally, your development and testing environment may not have a public static IP address. Your IP address might be blacklisted by DNSBL, Gmail, Yahoo! and other popular email service providers.
Your best bet in this situation is to use a properly configured external SMTP server. Chances are your employer has already provided an email account with SMTP access. If you don't have one you can use a Gmail account. Gmail provides SMTP access to all email accounts.
You can write scripts to open a socket connection to the external SMTP server. When there are tried and tested open source libraries for this purpose, why write your own?
Incidentally, I wrote a blog post on the very same subject yesterday: Using SMTP With Zend Framework - Solve Email Delivery Problem
Best regards,
