• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 999
  • Last Modified:

php mail function on selinux enabled server

I use php mail function to send emails on different RHEL server without a problem.

When I try to use the same script on RHEL server with selinux enabled I get following error.

 (reason: 550 5.7.1 Unable to relay for person@company.com)

Sendmail is working on this server, internal emails are getting sent to root and user1 etc.  They just don't make it to the regular email addresses.

With semanage I see:
smtp_port_t                    tcp      25


with iptables I see:

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:smtp


0
mcgilljd
Asked:
mcgilljd
  • 3
  • 3
1 Solution
 
arnoldCommented:
The issue is not with selinux but with the configuration of the mail server.
You using an SMTP session to send an email through a mail server.
This seems to be a limit on the mail server that you use.   I.e. how you connect to the mail server process it does not have your system's IP as allowed to relay.

Check the /var/log/maillog to see whether your mailing attempt is seen as coming from an IP that is not allowed to relay.
Check the /etc/mail configuration and you would either need to make sure that you grant the IP relay rights or configure your mailing function to use the localhost IPversus the LAN IP.
Or better still pipe the message into sendmail.
0
 
mcgilljdAuthor Commented:
I am using php  mail($to_input,$subject,$message,$headers);

On the other server, it looks like it is coming from apache.
0
 
mcgilljdAuthor Commented:
How do I ?

"Or better still pipe the message into sendmail."
0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
arnoldCommented:
Ok, Do you get the 571 error message in the bounce (NDR)?

I.e. your local server takes the message and then tried to either send it through another server where it does not have relay rights.

You need to check the configuration of the local sendmail i.e. does it use a smarthost and if so, is the referneced smarthost configured to allow the webserver to relay?

http://www.w3schools.com/PHP/php_ref_mail.asp
I.e. web server/local smtp
Check the /var/log/maillog on the web server to see what happens to the message.
Based on the system to which it connects, you need to check it if it is internal. IF it is external I.E. ISP's Mailserver, you need to check why the web server's IP is not allowed to relay.

I believe that the issue is with the sendmail configuration/setup versus selinux.

For selinux, the mailing would not even be delivered to the sendmail process, and you would have sealert messages in /var/log/messages. as well as /var/log/audit/audit.log or /var/log/security/audit.log depending on your Linux distribution.
0
 
mcgilljdAuthor Commented:
You are on the right track, it doesn't look like selinux is the problem.

It looks like my specific problem is caused by the smarthost not recognizing the domain name.  It sees it as:      user1@machine1.mycompany.com    

If it saw it as user1@mycompany.com , I think it would work.

The smarthost is picking that up from somewhere, it is not what I am using as my $from: in the php script.

How do I get it to see me as  user1@mycompany.com
0
 
arnoldCommented:
This means that the smarthost is not configured to allow this host to relay.  All host when properly configured, accept emails destined for domains that they serve.

The smarthost is rearely configured to allow relaying based on the sender's email since there is no real way to verify the sender during an SMTP session.

The sender email is determined by From: and you may need to include it in the $headers that contains lines of additional headers.
Reerence: Example 2:
http://www.w3schools.com/PHP/func_mail_mail.asp


The other issue is that the From: header entry is not necessarily always the sender i.e. the email seen by the mail server as the sender (envelope sender).  This is a parameter set using the -f option passed to sendmail.




0

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now