I am using PHP with Apache on Linux, with Sendmail. I use the PHP mail function. The email is sent, but the envelope has the Apache_user#localhostname in MAIL FROM (example nobody#conniptin.internal) and some remote mail servers reject this because the domain doesn't exist (obviously). Using mail, can I force it to change the envelope MAIL FROM?
EDIT: If I add a header in the fourth field of the mail() function, that changes the From field in the headers of the body of the message, and DOES NOT change the envelope MAIL FROM.
I can force it by spawning sendmail with sendmail -t -odb -oi -frealname#realhost and piping the email contents to it. Is this a better approach?
Is there a better, simpler, more PHP appropriate way of doing this?
EDIT: The bottom line is I should have RTM. Thanks for the answers folks, the fifth parameter works and all is well.
mail() has a 4th and 5th parameter (optional). The 5th argument is what should be passed as options directly to sendmail. I use the following:
mail('to#blah.com','subject!','body!','From: from#blah.com','-f from#blah.com');
PHP Official documentation for mail()
bool mail ( string $to , string $subject , string $message [, string
$additional_headers [, string $additional_parameters ]] )
...
additional_parameters (optional)
The additional_parameters parameter can be used to pass additional
flags as command line options to the program configured to be used
when sending mail, as defined by the sendmail_path configuration
setting. For example, this can be used to set the envelope sender
address when using sendmail with the -f sendmail option.
This parameter is escaped by escapeshellcmd() internally to prevent
command execution. escapeshellcmd() prevents command execution, but
allows to add additional parameters. For security reasons, it is
recommended for the user to sanitize this parameter to avoid adding
unwanted parameters to the shell command.
Since escapeshellcmd() is applied automatically, some characters that
are allowed as email addresses by internet RFCs cannot be used. mail()
can not allow such characters, so in programs where the use of such
characters is required, alternative means of sending emails (such as
using a framework or a library) is recommended.
The user that the webserver runs as should be added as a trusted user
to the sendmail configuration to prevent a 'X-Warning' header from
being added to the message when the envelope sender (-f) is set using
this method. For sendmail users, this file is /etc/mail/trusted-users.
You can try this (im not sure tho):
ini_set("sendmail_from", yourmail#example.com);
mail(...);
ini_restore("sendmail_from");
I would also recommend checking into PHPMailer. It's great for creating and sending email, making the process a lot easier, along with support for SMTP.
following to php manual additinal -f parameter need to be passed to mail function
Not as many write here "-f from#email.com" but without white space "-ffrom#email.com"
https://www.php.net/manual/en/function.mail.php
What you actually need to do is change the hostname of the machine Apache is running on, plus the user Apache is running as.
In your current case it is:
Apache user:nobody
Server hostname: conniptin.internal
Changing those two values is pretty simple and will solve the root of your problem.
Although if you need to do it from PHP then perhaps use the system/exec functions. I do not think it will work in practice though, as you need to restart Apache and probably also the entire host for the new names to be used.
Related
We have shared hosting servers which use PHP fastcgi (on IIS) for several clients (shared hosting). Regularly clients use old exploitable code which causes holes in their applications that eventually gets used by hackers to install malicious code. Most of the time this code is being used to send spam from our servers.
We have no control over our clients code, so patching the holes is quite impossible.
We would however like to block the clients sending spam once they send more then X email messages in Y amount of time.
The setup is fastcgi based, so there is little relation between php and the webserver.
PHP sends its mail through SMTP on localhost. The mailserver allows relay of all localhost connections (obviously).
One thing that goes through my mind is setting an environment variable containing an identifier in the fastcgi environment and using php's prepend file option to add a header to all mail send by php's mailer. After that we could use that mail header to identify the spamming culprit.
The option above still would not take care of spam scripts using regular telnet (telnet localhost, HELO, MAIL FROM etc... ) when sending email.
My question to you: is the idea that i've mentioned the best and perhaps only option to deal with our issue? Or are there better solutions for this situation? And if so, please explain how you would deal with the issue.
You can filter that on you MTA (message transfer agent). For example, allow no more than 50 emails in 1 hour for each user in Exim ( http://www.exim.org ) config file (/etc/exim/exim.conf):
begin acl
acl_check_not_smtp:
warn ratelimit = 0 / 1h / strict / $sender_address_local_part
log_message = Sender rate $sender_rate / $sender_rate_perio
acl_not_smtp = acl_not_smtp
begin acl
acl_not_smtp:
deny message = Sender rate overlimit - $sender_rate / $sender_rate_period
ratelimit = 50 / 1h / strict
accept
And no matter how they try to send, via php mail() or other method.
Most shared hosts block the use of PHP's mail() function, as that can be easily exploited. Instead they advice using sendmail or similar scripts which require SMTP authentication before sending. Assuming you're not already doing this, once implemented, you should be able to keep track of number of emails sent from a particular domain/email account and put restrictions on it.
Okay, stick with me on this one. I have not implemented it but it looks good.
The concept here is that you could
run a php file before EVERY page on your customers site
in that php file rename the mail function to mail_internal().
in that php create a new function called mail to do your check / verification that your customer is allowed to send mail, and if they are call the mail_internal() function with the same parameters.
You will have to install the runkit PECL extension
http://us.php.net/manual/en/runkit.installation.php
Changes
in php.ini
auto_prepend_file /var/www/allclients_forcedfile.php
in /var/www/allclients_forcedfile.php
runkit_function_rename ( "mail" , "mail_internal" );
function mail ( $to , $subject , $message, $additional_headers = "", $additional_parameters ="" )
{
$args = func_get_args();
error_log("mail_internal : $_SERVER[HTTP_HOST] : ".implode(" : ",$args));
//lookup whether you want to send more mail for this client maybe by keeping a counter in some file in the $SERVER[DOCUMENT_ROOT]
if($sendmoremail)
return mail_internal ( $args[0], $args[1] , $args[2], $args[3] , $args[4] );
return false;
}
As expected it seems Stack Overflow is not the right place for this question. The provided answers do not expose some clear method to identify FastCGI sessions' connections to the MTA (SMTP) server.
I will go with my initial concept of adding an identifier to php's environment. This identifier can be read in PHP's prepend file by using the getenv() function. This identifier can then be added to mail headers for outgoing mail.
Furthermore I have enabled the mail.add_x_header ini setting which will help identify which script caused the spam run.
I am leaving the question open for the bounty duration, hoping other options will magically appear :)
In the php.ini, the sendmail_path is : -femail#site.com -t -i
But, in a subdomain, I need to send email with the sender : email#new.site.com
I tried to use
ini_set('sendmail_path',-femail#new.site.com),
but sendmail_path is system, so nothing append.
I tried to define sender in mail(), doesn't work (on the log of the server, the sender is still email#site.com, but in the email client, the sender is fine, but it doesn't matter).
I tried to define the 5th parameter, but the function just stop working (do nothing, no error).
Any suggestions ?
Thanks,
Greg
Think about how mail is configured in PHP - it's just a wrapper around an exec call (with some predefined arguments). Hence it's trivial to invoke sendmail via exec substituting your own aruments. This is described in the first comment on the page describing PHP mail config. You just need to composite your own headers (sendmail extracts the recipient addresses from the headers to fill in the envelope, any Bcc lines are stripped before the email is forwarded).
Another approach would be to use a SMTP capable abstraction layer such as swiftmailer or phpmailer - but you probably won't be able to use 'localhost' if it's configured as a slave relay.
Currently I have a mail server configured (a real one from my ISP) and mail internal and external works on the command line. In PHP only external users work.
For testing I would like to send to internal users only.
( Ideally I would like to set up lots of aliases that point to one user so mail to:
tom#localhost.com, dick#localhost.com, harry#localhost.com end up in /var/mail/johnsmith )
I'd be greatful if someone could help here. I'm hesitant to edit the postfix config files...
On the command line johnsmith#localhost works but not in PHP. It's using cakePHP and I checked the value of $email-addr just before the send ($this->Email->send();) and the value is johnsmith#localhost. I'm not that familiar with cakePHP yet. The var/log/mail shows nothing, only external email addresses.
(server is Suse linux)
You can use the basic mail php function
http://php.net/manual/en/function.mail.php
Under linux, mail php function relies on sendmail, just check that sendmail is properly installed.
In /etc/postfix/main.cf add localhost.com:
mydestination = $myhostname, localhost.$mydomain,localhost,localhost.com
This allows sending on "localuser#localhost.com" via command line. I loaded up a test php mail form script in a browser and it works, sending mail through to /var/mail/localuser.
At the moment it means I have to check each local users /var/mail file. I'm working on the alias. My first attempt at that failed.
Is the -f additional parameter correctly set in this mail function.
#mail("example#exmaple.com.uy",$title,$body,$headers,"-f");
I am Getting the X Warning from some servers.
Sorry for the basic question but some parts of the documentation got me confused (specially some user comments).
Thanks in advance!
From the manual:
The additional_parameters parameter
can be used to pass additional flags
as command line options to the program
configured to be used when sending
mail, as defined by the sendmail_path
configuration setting. For example,
this can be used to set the envelope
sender address when using sendmail
with the -f sendmail option.
The user that the webserver runs as
should be added as a trusted user to
the sendmail configuration to prevent
a 'X-Warning' header from being added
to the message when the envelope
sender (-f) is set using this method.
For sendmail users, this file is
/etc/mail/trusted-users.
source: http://www.astahost.com/info.php/Sending-Mail-Php39s-Mail-Function_t2728.html
The additional_parameters parameter
can be used to pass an additional
parameter to the program configured to
use when sending mail using the
sendmail_path configuration setting.
For example, this can be used to set
the envelope sender address when using
sendmail with the -f sendmail option.
You may need to add the user that your
web server runs as to your sendmail
configuration to prevent a 'X-Warning'
header from being added to the message
when you set the envelope sender using
this method. Example 3. Sending mail
with extra headers and setting an
additional command line parameter.
i.e:
<?php
mail("nobody#example.com", "the subject", $message,
"From: webmaster#{$_SERVER['SERVER_NAME']}", "-fwebmaster#{$_SERVER['SERVER_NAME']}");
?>
After -f you need to set the outgoing email address to prevent the warning (in this case its webmaster#-the domain-
If your machine runs on a linux server. Your apache install more than likely runs under the user 'www-data'.
you can figure this out easily by going to /etc/apache2 and typing
cat envvars | grep APACHE_RUN_USER
whatever is after '=' is what user apache is running as.
You need to add this user to the trusted-users file. This file is located at /etc/mail/trusted-users
just
nano /etc/mail/trusted-users
and write 'www-data'.
save and you should be good to go.
-f should be followed by the address you want as envelope address on your mail.
#mail("example#exmaple.com.uy",$title,$body,$headers,"-fexample#exmaple.com.uy");
Have you tried sending it without the -f flag?
The user that the webserver runs as
should be added as a trusted user to
the sendmail configuration to prevent
a 'X-Warning' header from being added
to the message when the envelope
sender (-f) is set using this method.
For sendmail users, this file is
/etc/mail/trusted-users.
You need to specify an email address after the -f flag. Like this: "-fexample#example.com". You may also need to add the user that your web server run as to your sendmail configuration.
What does the -f flag mean in the fifth parameter in the PHP mail function?
The additional_parameters parameter can be used to pass additional flags as command line options to the program configured to be used when sending mail, as defined by the sendmail_path configuration setting. For example, this can be used to set the envelope sender address when using sendmail with the -f sendmail option.
The user that the webserver runs as should be added as a trusted user to the sendmail configuration to prevent a 'X-Warning' header from being added to the message when the envelope sender (-f) is set using this method. For sendmail users, this file is /etc/mail/trusted-users.
The fifth parameter is for sending command line flags to the server that actually handles sending the email. So not knowing what that really means, I did a google search and found a list of command line options for command line options for sendmail.
If I had to guess, not based on that page but on almost all other sites that mention that option in passing, it's for setting the "from" header at the server level rather than at the Header level. So you'd do
mail($stuff, $junk, $blah, $headers, '-fsender#server.org');