Janhouse

Jailkit, mini_sendmail and custom HELO

To keep the rest of a server safe when one site is compromised, I try to lock every single site in its own chroot jail. To make that a bit easier I use Jailkit.

Since you probably don’t want to set up sendmail for each chroot, you could use mini_sendmail. It works as a relay and passes messages to the actual sendmail.

The problem is that there is no way to specify a custom username or hostname and this could be quite important in some cases.

In order to solve this problem I did some quick and dirty modifications and here is the patch in case you need it:

--- Makefile
+++ Makefile
@@ -7,10 +7,10 @@
 BINDIR =	/usr/local/sbin
 MANDIR =	/usr/local/man
 CC =		gcc
-CFLAGS =	-O
-#CFLAGS =	-g
-LDFLAGS =	-s -static
-#LDFLAGS =	-g -static
+#CFLAGS =	-O
+CFLAGS =	-g
+#LDFLAGS =	-s -static
+LDFLAGS =	-g -static
 LDLIBS =	$(SYSV_LIBS)

 CC :=		$(DIET) $(CC)
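Review bot: The switch from `CFLAGS = -O` / `LDFLAGS = -s -static` to the `-g` variants looks like a leftover from debugging and has nothing to do with the -h/-u feature. Anyone who applies the patch as published ends up copying an unoptimized, unstripped binary into every jail. I would drop this hunk so that `CFLAGS =	-O` and `LDFLAGS =	-s -static` stay active.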
--- mini_sendmail.c
+++ mini_sendmail.c
@@ -65,6 +65,8 @@
 static char* argv0;
 static char* fake_from;
 static int parse_message, verbose;
+static char* helo;
+static char* user;
 #ifdef DO_MINUS_SP
 static char* server;
 static short port;
@@ -80,7 +82,7 @@
 static void usage( void );
 static char* slurp_message( void );
 #ifdef DO_RECEIVED
-static char* make_received( char* from, char* username, char* hostname );
+static char* make_received( char* from, char* user, char* helo );
 #endif /* DO_RECEIVED */
 static void parse_for_recipients( char* message );
 static void add_recipient( char* recipient, int len );
@@ -111,6 +113,7 @@
     argv0 = argv[0];
     fake_from = (char*) 0;
     parse_message = 0;
+	server = "localhost";
 #ifdef DO_MINUS_SP
     server = "127.0.0.1";
     port = SMTP_PORT;
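Review bot: The added `server = "localhost";` sits outside the `#ifdef DO_MINUS_SP` block, but the earlier hunk shows `server` declared only inside that same guard, so a build without DO_MINUS_SP would presumably fail to compile on this line. With DO_MINUS_SP defined, the value is overwritten two lines later by `server = "127.0.0.1";`, so the assignment has no effect either way. I would delete the line. The enclosing function starts and ends outside the hunk.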
@@ -124,6 +127,10 @@
 	    fake_from = &(argv[argn][2]);
 	else if ( strcmp( argv[argn], "-t" ) == 0 )
 	    parse_message = 1;
+	else if ( strncmp( argv[argn], "-h", 2 ) == 0 && argv[argn][2] != '\0' )
+	    helo = &(argv[argn][2]);
+	else if ( strncmp( argv[argn], "-u", 2 ) == 0 && argv[argn][2] != '\0' )
+	    user = &(argv[argn][2]);
 #ifdef DO_MINUS_SP
 	else if ( strncmp( argv[argn], "-s", 2 ) == 0 && argv[argn][2] != '\0' )
 	    server = &(argv[argn][2]);
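Review bot: The `-h` and `-u` values are accepted without any validation, and other hunks copy them verbatim into the `HELO %s` command and the Received header. A value containing CR, LF or whitespace would change the SMTP dialogue or the header block, which matters whenever the command line is not entirely fixed by the administrator. I would reject such values at parse time, e.g. `if ( strpbrk( &(argv[argn][2]), "\r\n \t" ) != (char*) 0 ) usage();`, and ideally restrict `-h` to hostname characters. The two new options should also be described in the usage text, which is outside this hunk.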
@@ -162,14 +169,22 @@
 #endif /* DO_GETPWUID */
 	}

+	if ( user == (char*) 0 ){
+		user=username;
+	}
+
     if ( gethostname( hostname, sizeof(hostname) - 1 ) < 0 )
 	show_error( "gethostname" );

+	if ( helo == (char*) 0 ){
+		helo=username;
+	}
+
     if ( fake_from == (char*) 0 )
-	(void) snprintf( from, sizeof(from), "%s@%s", username, hostname );
+	(void) snprintf( from, sizeof(from), "%s@%s", user, helo );
     else
 	if ( strchr( fake_from, '@' ) == (char*) 0 )
-	    (void) snprintf( from, sizeof(from), "%s@%s", fake_from, hostname );
+	    (void) snprintf( from, sizeof(from), "%s@%s", fake_from, helo );
 	else
 	    (void) snprintf( from, sizeof(from), "%s", fake_from );

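Review bot: The fallback `helo=username;` should be `helo = hostname;`. When `-h` is not given, the HELO command, the domain part of the default From address and the Received header all receive the login name instead of the host name that `gethostname()` has just filled in. That silently changes behaviour for anyone using the patched binary without the new option, and receiving servers may reject a HELO name like that. The two added `if` blocks are also tab-indented with the brace on the `if` line, unlike the surrounding code. The enclosing function starts and ends outside the hunk.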
@@ -181,7 +196,7 @@

     message = slurp_message();
 #ifdef DO_RECEIVED
-    received = make_received( from, username, hostname );
+    received = make_received( from, user, helo );
 #endif /* DO_RECEIVED */

     (void) signal( SIGALRM, sigcatch );
@@ -209,7 +224,7 @@
 	exit( 1 );
 	}

-    (void) snprintf( buf, sizeof(buf), "HELO %s", hostname );
+    (void) snprintf( buf, sizeof(buf), "HELO %s", helo );
     send_command( buf );
     status = read_response();
     if ( status != 250 )
@@ -337,7 +352,7 @@

 #ifdef DO_RECEIVED
 static char*
-make_received( char* from, char* username, char* hostname )
+make_received( char* from, char* user, char* helo )
     {
     int received_size;
     char* received;
@@ -349,8 +364,8 @@
     tmP = localtime( &t );
     (void) strftime( timestamp, sizeof(timestamp), "%a, %d %b %Y %T %Z", tmP );
     received_size =
-	500 + strlen( from ) + strlen( hostname ) * 2 + strlen( VERSION ) +
-	strlen( timestamp ) + strlen( username );
+	500 + strlen( from ) + strlen( helo ) * 2 + strlen( VERSION ) +
+	strlen( timestamp ) + strlen( user );
     received = (char*) malloc( received_size );
     if ( received == (char*) 0 )
 	{
@@ -360,7 +375,7 @@
     (void) snprintf(
 	received, received_size,
 	"Received: (from %s)\n\tby %s (%s);\n\t%s\n\t(sender %s@%s)\n",
-	from, hostname, VERSION, timestamp, username, hostname );
+	from, helo, VERSION, timestamp, user, helo );
     return received;
     }
 #endif /* DO_RECEIVED */

Save it as some.patch, move it into the mini_sendmail source directory and run:

patch -p0 < some.patch
make
cp mini_sendmail /to/jail/usr/bin/sendmail

You can specify the username with -u and the hostname (also sent as the HELO name) with -h. The value is attached directly to the flag with no space, e.g. -unoreply.

If you are going to use it with PHP, change sendmail_path in php.ini to something like this:

sendmail_path = /usr/bin/sendmail -s127.0.0.1 -p5555 -unoreply -hexample.com -fnoreply@example.com -t -i

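This should make PHP connect to the sendmail running on 127.0.0.1 port 5555, send example.com as the HELO name and use noreply as the username. The -s and -p options are only compiled in when mini_sendmail is built with DO_MINUS_SP.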

Patch was made for version 1.3.6.


© Jānis Jansons (Janhouse)