Sendmail and SELinux are not friends?

Support for security such as Firewalls and securing linux
bertalanimre
Posts: 133
Joined: 2015/06/02 13:04:03

Sendmail and SELinux are not friends?

Postby bertalanimre » 2017/12/07 08:29:35

I have just set a webserver up with NginX and PHP-FPM, etc... However sending mail from the website is not working if selinux is turned on. I've even tried to allow the nginx user to send email with the command: setsebool -P httpd_can_sendmail=on

However, this has no effect. Any ideas?

In my Laravel project I get the following error:

Code: Select all

Swift_TransportException thrown with message "Expected response code 220 but got code "", with message """

bertalanimre
Posts: 133
Joined: 2015/06/02 13:04:03

Re: Sendmail and SELinux are not friends?

Postby bertalanimre » 2017/12/07 08:58:51

Also in /var/log/audit/audit.log

Code: Select all

type=AVC msg=audit(1512637095.217:334478): avc:  denied  { execute } for  pid=6698 comm="sendmail" name="smtpd" dev="vda1" ino=20576 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:postfix_smtpd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1512637095.217:334478): arch=c000003e syscall=59 success=no exit=-13 a0=558c6362ccc0 a1=558c6362cc60 a2=558c6362ca30 a3=4 items=0 ppid=25939 pid=6698 auid=4294967295 uid=993 gid=991 euid=993 suid=993 fsuid=993 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:system_mail_t:s0 key=(null)
type=PROCTITLE msg=audit(1512637095.217:334478): proctitle=2F7573722F7362696E2F73656E646D61696C002D6273

User avatar
TrevorH
Forum Moderator
Posts: 21161
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Sendmail and SELinux are not friends?

Postby TrevorH » 2017/12/07 10:25:33

setsebool -P httpd_can_sendmail=on allows httpd to connect to port 25. Your code appears to be trying to invoke the sendmail binary to send mail.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

bertalanimre
Posts: 133
Joined: 2015/06/02 13:04:03

Re: Sendmail and SELinux are not friends?

Postby bertalanimre » 2017/12/07 10:54:05

TrevorH wrote:setsebool -P httpd_can_sendmail=on allows httpd to connect to port 25. Your code appears to be trying to invoke the sendmail binary to send mail.


What do you mean? Isn't that what supposed to happen when I use sendmail from a webapplication like Laravel?

hunter86_bg
Posts: 800
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: Sendmail and SELinux are not friends?

Postby hunter86_bg » 2017/12/07 16:55:00

Usually , when I wonder why SELinux is giving me a headache,I run

Code: Select all

sealert -a /var/log/audit/audit.log
.
It's quite explanatory.

bertalanimre
Posts: 133
Joined: 2015/06/02 13:04:03

Re: Sendmail and SELinux are not friends?

Postby bertalanimre » 2017/12/08 09:49:48

This did not help me Hunter :( It showed me the errors, indeed and the solution. They were:

Code: Select all

SELinux is preventing /usr/sbin/postdrop from using the setrlimit access on a process.
allow this access for now by executing:
# ausearch -c 'postdrop' --raw | audit2allow -M my-postdrop
# semodule -i my-postdrop.pp

SELinux is preventing /usr/sbin/sendmail.postfix from execute access on the file smtpd.
allow this access for now by executing:
# ausearch -c 'sendmail' --raw | audit2allow -M my-sendmail
# semodule -i my-sendmail.pp


But after the settings change, sendmail still cannot send mail if the command arrives from my laravel website :(

Code: Select all

I get:
Swift_TransportException thrown with message "Expected response code 220 but got code "", with message """


Loging the mail only or preview-it on the website works. But I need obviously sendmail.

hunter86_bg
Posts: 800
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: Sendmail and SELinux are not friends?

Postby hunter86_bg » 2017/12/10 14:40:47

In order to log all errors , you need to reproduce the problem while SELinux is in permissive mode.
Once all issues are being logged - only then sealert can analyse the logs and help you.
Try TrevorH's solution first.

User avatar
TrevorH
Forum Moderator
Posts: 21161
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Sendmail and SELinux are not friends?

Postby TrevorH » 2017/12/10 15:40:56

Or perhaps read https://laravel.com/docs/5.0/mail and notice that the 'sendmail' driver is the one mentioned last in their options list and is thus the least preferred option. Pick one of the others instead.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

bertalanimre
Posts: 133
Joined: 2015/06/02 13:04:03

Re: Sendmail and SELinux are not friends?

Postby bertalanimre » 2017/12/11 10:30:34

Thanks Trevor,

It is going to be a headache but I'll have to find a solution for this later in the future, but not in 2017 anymore. The owner of the webapp doesn't own an SMTP server and wishes to keep using sendmail and honestly. I can't blame him. Normally it works like a charm, the domain records are all set up to recognise the server as trusted by google and other email providers. Plus they don't want to receive any email to that particular email address, it is just there to look better when sending notifications. Like a no-reply@something.com.

So thanks again, I'll keep this open and I'll post any solution that I find in 2018.

If I'm not gonna come back to you guys, then I wish You a Merry Christmas and a Happy New Year! :)

User avatar
TrevorH
Forum Moderator
Posts: 21161
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Sendmail and SELinux are not friends?

Postby TrevorH » 2017/12/11 11:05:09

The owner of the webapp doesn't own an SMTP server


Apart from the one on 127.0.0.1?
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke