Jailkit, mini_sendmail and custom HELO

To be sure that a server stays safe in case when one site is compromised, I try to lock every single site in its own chroot jail. To make it a bit easier I use Jailkit.

Since you probably don’t want to set up sendmail for each chroot, you could use mini_sendmail. It will work as relay and will pass messages to actual sendmail.

The problem is that there is no way to specify a custom username or hostname and this could be quite important in some cases.

In order to solve this problem I did some quick and dirty modifications and here is the patch in case you need it:

--- Makefile
+++ Makefile
@@ -7,10 +7,10 @@
BINDIR = /usr/local/sbin
MANDIR = /usr/local/man
CC = gcc
-CFLAGS = -O
-#CFLAGS = -g
-LDFLAGS = -s -static
-#LDFLAGS = -g -static
+#CFLAGS = -O
+CFLAGS = -g
+#LDFLAGS = -s -static
+LDFLAGS = -g -static
LDLIBS = $(SYSV_LIBS)

CC := $(DIET) $(CC)
--- mini_sendmail.c
+++ mini_sendmail.c
@@ -65,6 +65,8 @@
static char* argv0;
static char* fake_from;
static int parse_message, verbose;
+static char* helo;
+static char* user;
#ifdef DO_MINUS_SP
static char* server;
static short port;
@@ -80,7 +82,7 @@
static void usage( void );
static char* slurp_message( void );
#ifdef DO_RECEIVED
-static char* make_received( char* from, char* username, char* hostname );
+static char* make_received( char* from, char* user, char* helo );
#endif /* DO_RECEIVED */
static void parse_for_recipients( char* message );
static void add_recipient( char* recipient, int len );
@@ -111,6 +113,7 @@
argv0 = argv[0];
fake_from = (char*) 0;
parse_message = 0;
+ server = "localhost";
#ifdef DO_MINUS_SP
server = "127.0.0.1";
port = SMTP_PORT;
@@ -124,6 +127,10 @@
fake_from = &(argv[argn][2]);
else if ( strcmp( argv[argn], "-t" ) == 0 )
parse_message = 1;
+ else if ( strncmp( argv[argn], "-h", 2 ) == 0 && argv[argn][2] != '\0' )
+ helo = &(argv[argn][2]);
+ else if ( strncmp( argv[argn], "-u", 2 ) == 0 && argv[argn][2] != '\0' )
+ user = &(argv[argn][2]);
#ifdef DO_MINUS_SP
else if ( strncmp( argv[argn], "-s", 2 ) == 0 && argv[argn][2] != '\0' )
server = &(argv[argn][2]);
@@ -162,14 +169,22 @@
#endif /* DO_GETPWUID */
}

+ if ( user == (char*) 0 ){
+ user=username;
+ }
+
if ( gethostname( hostname, sizeof(hostname) - 1 ) < 0 )
show_error( "gethostname" );

+ if ( helo == (char*) 0 ){
+ helo=username;
+ }
+
if ( fake_from == (char*) 0 )
- (void) snprintf( from, sizeof(from), "%s@%s", username, hostname );
+ (void) snprintf( from, sizeof(from), "%s@%s", user, helo );
else
if ( strchr( fake_from, '@' ) == (char*) 0 )
- (void) snprintf( from, sizeof(from), "%s@%s", fake_from, hostname );
+ (void) snprintf( from, sizeof(from), "%s@%s", fake_from, helo );
else
(void) snprintf( from, sizeof(from), "%s", fake_from );

@@ -181,7 +196,7 @@

message = slurp_message();
#ifdef DO_RECEIVED
- received = make_received( from, username, hostname );
+ received = make_received( from, user, helo );
#endif /* DO_RECEIVED */

(void) signal( SIGALRM, sigcatch );
@@ -209,7 +224,7 @@
exit( 1 );
}

- (void) snprintf( buf, sizeof(buf), "HELO %s", hostname );
+ (void) snprintf( buf, sizeof(buf), "HELO %s", helo );
send_command( buf );
status = read_response();
if ( status != 250 )
@@ -337,7 +352,7 @@

 #ifdef DO_RECEIVED
static char*
-make_received( char* from, char* username, char* hostname )
+make_received( char* from, char* user, char* helo )
{
int received_size;
char* received;
@@ -349,8 +364,8 @@
tmP = localtime( &t );
(void) strftime( timestamp, sizeof(timestamp), "%a, %d %b %Y %T %Z", tmP );
received_size =
- 500 + strlen( from ) + strlen( hostname ) * 2 + strlen( VERSION ) +
- strlen( timestamp ) + strlen( username );
+ 500 + strlen( from ) + strlen( helo ) * 2 + strlen( VERSION ) +
+ strlen( timestamp ) + strlen( user );
received = (char*) malloc( received_size );
if ( received == (char*) 0 )
{
@@ -360,7 +375,7 @@
(void) snprintf(
received, received_size,
"Received: (from %s)\n\tby %s (%s);\n\t%s\n\t(sender %s@%s)\n",
- from, hostname, VERSION, timestamp, username, hostname );
+ from, helo, VERSION, timestamp, user, helo );
return received;
}
#endif /* DO_RECEIVED */

Save it as some.patch. Move it inside mini_sendmail source directory and run:

patch -p0 < some.patch
make
cp mini_sendmail /to/jail/usr/bin/sendmail

You can specify username with -u and hostname (and HELO message) with -h parameter.

If you are going to use it with PHP, change sendmail_path in php.ini to something like this:

sendmail_path = /usr/bin/sendmail -s127.0.0.1 -p5555 -unoreply -hexample.com -fnoreply@example.com -t -i

This should make php connect to sendmail running on 127.0.0.1 port 5555 and send example.com as HELO and noreply as username.

Patch was made for version 1.3.6.

Join the Conversation

1 Comment

Leave a comment

Your email address will not be published.