PHP-based sites not sending mail
I have also tested fresh installs of several CMSes (such as Drupal, WordPress, Joomla, etc.), and none of them send it out either. I tested the CMSes on a different domain from the one that was transferred.
The transferred site used to be on the same server as its Postfix server (which was transferred to a different machine, NOT to my Linode, that's the decision of the project leader for the site), so that could explain why it quit sending. The domain I'm testing the CMSes on is configured for Google Apps. In order to use the SMTP server for the transferred site, I would need to use a self signed certificate, and AFAIK Google Apps would require Google's certificate be added. Since I'm not familiar with configuring PHP, and since my experience with mail servers is fairly minimal, I have no idea how I would do this.
(BTW, I already tried pointing MyBB to the SMTP server it's supposed to use, and since it doesn't have the cert, it can't connect since the cert is required to connect to SMTP on the mail server).
EDIT: I've installed php and required modules from the dotdeb repositories:
root@li283-45:~# dpkg -l php*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
+++-=================================-=================================-==================================================================================
ii php-auth-sasl 1.0.4-1 Abstraction of various SASL mechanism responses
ii php-mail 1.2.0-2 PHP PEAR module for sending email
ii php-mail-mime 1.8.0-2 PHP PEAR module for creating MIME messages
ii php-mail-mimedecode 1.5.0-3 PHP PEAR module to decode MIME messages
ii php-mime-type 1.2.0-1 Utility class for dealing with MIME types
ii php-net-imap 1:1.1.0-1 Provides an implementation of the IMAP protocol
ii php-net-smtp 1.4.2-3 PHP PEAR module implementing SMTP protocol
ii php-net-socket 1.0.9-2 PHP PEAR Network Socket Interface module
ii php-pear 5.3.8-1~dotdeb.2 PEAR - PHP Extension and Application Repository
un php4-pear <none> (no description available)
ii php5 5.3.8-1~dotdeb.2 server-side, HTML-embedded scripting language (metapackage)
ii php5-cgi 5.3.8-1~dotdeb.2 server-side, HTML-embedded scripting language (CGI binary)
ii php5-cli 5.3.8-1~dotdeb.2 command-line interpreter for the php5 scripting language
ii php5-common 5.3.8-1~dotdeb.2 Common files for packages built from the php5 source
ii php5-curl 5.3.8-1~dotdeb.2 CURL module for php5
un php5-dev <none> (no description available)
ii php5-fpm 5.3.8-1~dotdeb.2 server-side, HTML-embedded scripting language (FPM-CGI binary)
ii php5-gd 5.3.8-1~dotdeb.2 GD module for php5
ii php5-gmp 5.3.8-1~dotdeb.2 GMP module for php5
ii php5-http 5.3.8-1~dotdeb.2 http module for php5
ii php5-imagick 5.3.8-1~dotdeb.2 imagick module for php5
ii php5-imap 5.3.8-1~dotdeb.2 IMAP module for php5
un php5-json <none> (no description available)
un php5-mhash <none> (no description available)
ii php5-mysql 5.3.8-1~dotdeb.2 MySQL module for php5
un php5-mysqli <none> (no description available)
ii php5-suhosin 5.3.8-1~dotdeb.2 suhosin module for php5
un phpapi-20090626+lfs <none> (no description available)
In case it matters, the site runs nginx 1.0.6 and php-fpm from dotdeb, and since all php-based software I've tried loads fine, I'm fairly certain my nginx/php-fpm config is fine. Just in case, my fastcgi_params (included in each vhost for the php location directive, with all settings specified only in fastcgi_params):
root@li283-45:~# cat /etc/nginx/fastcgi_params
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
#fastcgi_param REDIRECT_STATUS 200;
13 Replies
The MTA can either send all the e-mails by itself (super easy), or it can be configured to forward all e-mails to your Postfix instance on another machine (a bit more complicated). If all you ever send is confirmation e-mails and password reminders, the first method is probably better. You just need to have a valid reverse DNS entry, and an SPF record that allows your web server to send e-mails on behalf of your domains. This was recently discussed in another thread of yours.
PEAR Mail and a few other PHP libraries (such as SwiftMailer and PHPMailer) can use external SMTP servers directly. But even if these libraries are installed, CMSs that were designed to work with mail() will probably not make use of them. I'm not familiar with MyBB. Does it have options to use an external SMTP server? WordPress, on the other hand, definitely relies on mail() only.
I'm not sure what you mean by adding certificates. (Add them to what? PHP?)
@hybinet:
In order for the mail() function to work, a mail-sending program needs to be installed on the same machine. Usually this can be accomplished by installing Postfix, Sendmail, Exim, or some other MTA and configuring it to listen to localhost only. There's another thread right below this one where the same question is being discussed.
I was thinking of using my SMTP servers, but now that I know WordPress doesn't support SMTP (I'm considering it for my personal site), I may have to read through that.
> …
PEAR Mail and a few other PHP libraries (such as SwiftMailer and PHPMailer) can use external SMTP servers directly. But even if these libraries are installed, CMSs that were designed to work with mail() will probably not make use of them. I'm not familiar with MyBB. Does it have options to use an external SMTP server? WordPress, on the other hand, definitely relies on mail() only.
I'm not sure what you mean by adding certificates. (Add them to what? PHP?)
MyBB does support SMTP, but the certificates that I'm talking about are getting in the way. I need to add the certificates for the two mail servers to whatever is using the SMTP server to allow them to send mail. Currently that would only be MyBB since I don't control the DNS for the transferred site.
Since I have a SPF record from Google Apps inserted into my DNS and my reverse DNS pointing to my domain, would this be enough DNS configuration for WordPress? After that, would I need to adjust Postfix? Currently I have two domains in my Linode's DNS (this is excluding the transferred site since I don't control the DNS records); I have Postfix controlling the email for the non-Google Apps domain, and the with-GApps domain is the one I will want to configure for sending activation emails.
@Piki:
MyBB does support SMTP, but the certificates that I'm talking about are getting in the way. I need to add the certificates for the two mail servers to whatever is using the SMTP server to allow them to send mail. Currently that would only be MyBB since I don't control the DNS for the transferred site.
Are you trying to connect to your mail server using SSL and getting certificate errors? Does it work if you don't use SSL? (AFAIK you don't need to use SSL between two linodes in the same datacenter…)
@Piki:
Since I have a SPF record from Google Apps inserted into my DNS and my reverse DNS pointing to my domain, would this be enough DNS configuration for WordPress?
There should be an "a" somewhere in the SPF record. For example, if your SPF record is "v=spf1 include:spf.google.com ~all", change it to "v=spf1 a include:spf.google.com ~all".
@Piki:
After that, would I need to adjust Postfix?
Postfix should listen to localhost only (inet_interfaces = loopback-only), and identify itself with a proper hostname that matches the reverse DNS for your server.
In general, sending e-mails is a completely different business from receiving e-mails. Anyone can send e-mails on behalf of your domain, unless prohibited by an SPF record or other conventions such as DKIM. (This is why it's so easy to send spam. A spammer can impersonate any domain that doesn't have proper SPF records.)
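To make the "a" mechanism point concrete, here is a small SPF evaluator, added as an example rather than anything posted in this thread. It runs the record against a constructed DNS table (the example.com addresses and the contents of spf.google.com are invented for the demo) and shows that, with the web server's own IP sending, "v=spf1 include:spf.google.com ~all" softfails while "v=spf1 a include:spf.google.com ~all" passes. It handles the a, mx, ip4, ip6, include and all mechanisms with their qualifiers; redirect= and other modifiers are deliberately out of scope.

```python
"""Toy SPF evaluator over a constructed DNS table (added example, not from the thread)."""
import ipaddress

# Constructed DNS data for the example; 203.0.113.10 stands in for the web server.
# The spf.google.com record here is invented for the demo, not Google's real one.
DNS = {
    "A": {"example.com": ["203.0.113.10"], "mail.example.com": ["203.0.113.25"]},
    "MX": {"example.com": ["mail.example.com"]},
    "TXT": {
        "example.com": "v=spf1 a include:spf.google.com ~all",
        "spf.google.com": "v=spf1 ip4:198.51.100.0/24 -all",
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def with_record(dns, domain, record):
    """Return a copy of the DNS table with `domain`'s TXT record replaced."""
    return {**dns, "TXT": {**dns["TXT"], domain: record}}


def _addr_match(ip, host, cidr, dns):
    """True if `ip` lies in any A record of `host`, widened by an optional /cidr."""
    return any(
        ip in ipaddress.ip_network(f"{addr}/{cidr or 32}", strict=False)
        for addr in dns["A"].get(host, [])
    )


def evaluate_spf(domain, sender_ip, dns=DNS, depth=0):
    """Evaluate `domain`'s SPF record for a message sent from `sender_ip`.

    Returns pass/fail/softfail/neutral/none/permerror (RFC 7208 result names).
    """
    if depth > 10:  # RFC 7208 limits include recursion; treat overflow as permerror
        return "permerror"
    record = dns["TXT"].get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        term, _, cidr = term.partition("/")   # e.g. "ip4:198.51.100.0/24"
        name, _, arg = term.partition(":")    # e.g. "include:spf.google.com"
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            default = "32" if name == "ip4" else "128"
            matched = ip in ipaddress.ip_network(f"{arg}/{cidr or default}", strict=False)
        elif name == "a":
            matched = _addr_match(ip, arg or domain, cidr, dns)
        elif name == "mx":
            matched = any(_addr_match(ip, mx, cidr, dns)
                          for mx in dns["MX"].get(arg or domain, []))
        elif name == "include":
            # include matches only when the included record yields "pass"
            matched = evaluate_spf(arg, sender_ip, dns, depth + 1) == "pass"
        else:  # redirect=, exp= and unknown mechanisms are out of scope here
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # reached the end with no match and no "all" term


if __name__ == "__main__":
    for spf in ("v=spf1 include:spf.google.com ~all",
                "v=spf1 a include:spf.google.com ~all"):
        table = with_record(DNS, "example.com", spf)
        print(f"{spf!r}: web server -> {evaluate_spf('example.com', '203.0.113.10', table)}")
```

Because a softfail ("~all") only asks receivers to treat the mail with suspicion, a missing "a" mechanism tends to show up as mail landing in spam rather than bouncing, which is worth remembering when the confirmation e-mails "never arrive".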
@hybinet:
@Piki:MyBB does support SMTP, but the certificates that I'm talking about are getting in the way. I need to add the certificates for the two mail servers to whatever is using the SMTP server to allow them to send mail. Currently that would only be MyBB since I don't control the DNS for the transferred site.
Are you trying to connect to your mail server using SSL and getting certificate errors? Does it work if you don't use SSL? (AFAIK you don't need to use SSL between two linodes in the same datacenter…)
I guess I should've been more clear when I mentioned about the mail server for the transferred site in my original post: The mail server isn't on a Linode, it isn't even controlled by me. Whilst we have an email address that I can use in MyBB, I can't remove the SSL settings. As for an error, the only error I get from MyBB is that the server refuses a connection. This is the same error I get in my email client if I refuse the self-signed certificate that is used for mail server access, which I'd expect if MyBB doesn't provide a way to accept the certificate. I can't get an error from the mail server itself since I don't have direct access aside from normal IMAP/POP3/SMTP via the SSL cert.
>
@Piki:
Since I have a SPF record from Google Apps inserted into my DNS and my reverse DNS pointing to my domain, would this be enough DNS configuration for WordPress?
There should be an "a" somewhere in the SPF record. For example, if your SPF record is "v=spf1 include:spf.google.com ~all", change it to "v=spf1 a include:spf.google.com ~all".
It didn't, I just added it.
>
@Piki:
After that, would I need to adjust Postfix?
Postfix should listen to localhost only (inet_interfaces = loopback-only), and identify itself with a proper hostname that matches the reverse DNS for your server.
Wouldn't loopback_only block Postfix from connecting out through my Linode's public IP? Since I need Postfix in order to run the email server for my non-GApps domain, that would block me from sending and receiving emails on that domain, which I currently can't do until I can contact (either by phone or in person) a couple places that have the email I use on that domain. Unless I can run two instances of Postfix, each with its own main.cf?
> In general, sending e-mails is a completely different business from receiving e-mails. Anyone can send e-mails on behalf of your domain, unless prohibited by an SPF record or other conventions such as DKIM. (This is why it's so easy to send spam. A spammer can impersonate any domain that doesn't have proper SPF records.)
I actually have both the GApps SPF and DKIM records in place. The changed SPF still needs to propagate, and I added the DKIM just a few hours ago, so that also needs to propagate.
(edited to correct quote tags)
@Piki:
This is the same error I get in my email client if I refuse the self-signed certificate that is used for mail server access, which I'd expect if MyBB doesn't provide a way to accept the certificate.
bbururrlghljdkjfjkjddfadf
… sorry, self-signed certificates make me a little queasy. What a stupid way to save a few bucks a year…
Anyway, stuff running on your system typically uses a central repository for SSL certificates, like /etc/ssl/certs/ on Ubuntu. You might be able to sneak the signing certificate in there. (This would have the bonus of actually checking the certificate.)
I'd explain more, but I have to finish wiring up this high-voltage transformer to the "Allow Exception for Certificate" button.
@hoopycat:
@Piki:bbururrlghljdkjfjkjddfadf
… sorry, self-signed certificates make me a little queasy. What a stupid way to save a few bucks a year…
After the DigiNotar debacle, trusted CAs don't seem so hot, either.
@Piki:
Wouldn't loopback_only block Postfix from connecting out through my Linode's public IP? Since I need Postfix in order to run the email server for my non-GApps domain, that would block me from sending and receiving emails on that domain, which I currently can't do until I can contact (either by phone or in person) a couple places that have the email I use on that domain. Unless I can run two instances of Postfix, each with its own main.cf?
Which server are we talking about? I'm talking about the web server, which only needs to send e-mails and never receive anything. I was under the impression that you were using a different machine for sending & receiving.
If we're talking about a send-only web server, you can have it listen on loopback-only. This prevents other machines from sending mail to it, but it will not prevent the server itself from sending mail to other machines.
If we're talking about a server that is also handling incoming e-mail, then of course you shouldn't set it to loopback-only.
@Piki:
I actually have both the GApps SPF and DKIM records in place. The changed SPF still needs to propagate, and I added the DKIM just a few hours ago, so that also needs to propagate.
Note: Confirmation e-mails sent by WordPress and other PHP apps are not going to have DKIM signatures attached to them. This usually won't cause any problems, though.
@hoopycat:
@Piki:This is the same error I get in my email client if I refuse the self-signed certificate that is used for mail server access, which I'd expect if MyBB doesn't provide a way to accept the certificate.
bbururrlghljdkjfjkjddfadf
… sorry, self-signed certificates make me a little queasy. What a stupid way to save a few bucks a year…
Unless the guy who runs the mail server isn't spending those few bucks for the same reason he couldn't afford a real host. Money's always the issue, so unless there's a trustworthy CA that'll issue the same cert that we could buy from somewhere else, I doubt that's going to happen. And I doubt a trustworthy CA would do that for more than a day or two because that'd be way too much money lost and way too much bandwidth burned.
@hybinet:
@Piki:Wouldn't loopback_only block Postfix from connecting out through my Linode's public IP? Since I need Postfix in order to run the email server for my non-GApps domain, that would block me from sending and receiving emails on that domain, which I currently can't do until I can contact (either by phone or in person) a couple places that have the email I use on that domain. Unless I can run two instances of Postfix, each with its own main.cf?
Which server are we talking about? I'm talking about the web server, which only needs to send e-mails and never receive anything. I was under the impression that you were using a different machine for sending & receiving.
For the transferred site, yes. For my with-GApps domain, yes. For my non-GApps domain, no. I want my non-GApps domain to send/receive using the same Postfix as on the web server. I want my with-GApps domain and the transferred site to be the ones sending confirmation emails.
@Piki:
Since I have a SPF record from Google Apps inserted into my DNS and my reverse DNS pointing to my domain, would this be enough DNS configuration for WordPress? After that, would I need to adjust Postfix? Currently I have two domains in my Linode's DNS (this is excluding the transferred site since I don't control the DNS records); I have Postfix controlling the email for the non-Google Apps domain, and the with-GApps domain is the one I will want to configure for sending activation emails.
Hopefully that doesn't come off rude…
@Piki:
Unless the guy who runs the mail server isn't spending those few bucks for the same reason he couldn't afford a real host. Money's always the issue, so unless there's a trustworthy CA that'll issue the same cert that we could buy from somewhere else, I doubt that's going to happen. And I doubt a trustworthy CA would do that for more than a day or two because that'd be way too much money lost and way too much bandwidth burned.
The trouble is that self-signed certificates are evil two ways:
1) Unless the client has a trustworthy copy of the certificate (and trusts it), an error will be thrown. Conditioning users to bypass the error (i.e. ignore unverifiable certificates) means it's that much easier to perform a real MITM attack against other services.
2) For the specific service in question, an MITM attack would be trivial because the real certificate is untrusted. This means you have to trust the integrity of the network, and odds are good the whole reason SSL is being used in the first place is because the network cannot be trusted.
So, a self-signed certificate (unless the specific certificate is promulgated and trusted) is, at best, a bad idea for things not used by end users. If this service is used by regular users and they're just being told to ignore the error…
The two certificate vendors I tend to use most -- being value-conscious, of course -- are $8.95/yr$0.00/yr
(Where were we?)
Ah yes. The local Postfix installation will (should?) be able to send mail from addresses it doesn't receive mail for. If using 'localhost' as the outgoing SMTP server and/or sending mail using the 'mail' command doesn't work, there's likely a configuration problem… there might be something useful in the logs. But indeed, you shouldn't have to futz with sending out through the other server at all.
@hoopycat:
@Piki:Unless the guy who runs the mail server isn't spending those few bucks for the same reason he couldn't afford a real host. Money's always the issue, so unless there's a trustworthy CA that'll issue the same cert that we could buy from somewhere else, I doubt that's going to happen. And I doubt a trustworthy CA would do that for more than a day or two because that'd be way too much money lost and way too much bandwidth burned.
The trouble is that self-signed certificates are evil two ways:
1) Unless the client has a trustworthy copy of the certificate (and trusts it), an error will be thrown. Conditioning users to bypass the error (i.e. ignore unverifiable certificates) means it's that much easier to perform a real MITM attack against other services.
2) For the specific service in question, an MITM attack would be trivial because the real certificate is untrusted. This means you have to trust the integrity of the network, and odds are good the whole reason SSL is being used in the first place is because the network cannot be trusted.
So, a self-signed certificate (unless the specific certificate is promulgated and trusted) is, at best, a bad idea for things not used by end users. If this service is used by regular users and they're just being told to ignore the error…
End users don't use the mail server and the only people who do are project members. Since the current project members have been on the team for a while, and since the mail server uses a maildir in the user's home directory, those of us with email accounts on the mail server can, at our discretion, check to see if it's trustworthy. In a case like that, a self-signed certificate is perfectly safe. If we allowed end users to access our mail server, I'd offer to pay for the cert myself.
(btw, the whole reason I don't have access to the mail server is because I asked the guy who runs it to set it to auto-forward my emails to my normal email account, and I don't use IMAP/SMTP, so unless I plan to check out the mail server settings, there's no reason for me to have an account)
> …
(Where were we?)
Ah yes. The local Postfix installation will (should?) be able to send mail from addresses it doesn't receive mail for. If using 'localhost' as the outgoing SMTP server and/or sending mail using the 'mail' command doesn't work, there's likely a configuration problem… there might be something useful in the logs. But indeed, you shouldn't have to futz with sending out through the other server at all.
Possible to pull off when Postfix authenticates SMTP via Dovecot and Dovecot authenticates via /etc/passwd?
(edited to add final response)
(edit 2: nvm, just realized I can create a nologin no-home-dir user for that)
@Piki:
Possible to pull off when Postfix authenticates SMTP via Dovecot and Dovecot authenticates via /etc/passwd?
Yup. You'd permit_mynetworks before permit_sasl_authenticated on smtpd_recipient_restrictions, and ensure that 127.0.0.0/8 and [::1]/128 are in mynetworks. Then, it will allow localhost to send mail via SMTP without restriction.
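The ordering hoopycat describes is easy to get subtly wrong, so here is a small simulator of how smtpd walks smtpd_recipient_restrictions, added as an example and not taken from the thread or from Postfix itself. The main.cf values are hypothetical stand-ins (check your real ones with postconf -n), and only the restrictions named in the thread are modelled: permit_mynetworks, permit_sasl_authenticated and reject_unauth_destination (simplified to "is the recipient domain one of mydestination"). It shows that a localhost client relays to any domain without SASL, that the same request from an outside IP is rejected unless authenticated, and what happens when loopback is missing from mynetworks or the order is reversed.

```python
"""Simulator for Postfix smtpd_recipient_restrictions ordering (added example, not from the thread)."""
import ipaddress

# Hypothetical main.cf values for the demo (not the poster's real configuration).
MYNETWORKS = ["127.0.0.0/8", "[::1]/128"]        # Postfix writes IPv6 networks in brackets
MYDESTINATION = ["localhost", "example.com"]      # domains this host accepts mail for
SMTPD_RECIPIENT_RESTRICTIONS = [
    "permit_mynetworks",
    "permit_sasl_authenticated",
    "reject_unauth_destination",
]


def parse_mynetworks(entries):
    """Turn Postfix-style mynetworks entries (brackets allowed) into ip_network objects."""
    return [ipaddress.ip_network(e.replace("[", "").replace("]", ""), strict=False)
            for e in entries]


def evaluate_restrictions(client_ip, recipient, sasl_authenticated=False,
                          restrictions=SMTPD_RECIPIENT_RESTRICTIONS,
                          mynetworks=MYNETWORKS, mydestination=MYDESTINATION):
    """Walk the restriction list in order, as smtpd does, and return (decision, restriction).

    The first restriction that reaches a verdict wins; a restriction that does not
    apply simply falls through to the next one.
    """
    ip = ipaddress.ip_address(client_ip)
    nets = parse_mynetworks(mynetworks)
    rcpt_domain = recipient.rpartition("@")[2].lower()
    for name in restrictions:
        if name == "permit_mynetworks":
            if any(ip in net for net in nets):
                return ("permit", name)
        elif name == "permit_sasl_authenticated":
            if sasl_authenticated:
                return ("permit", name)
        elif name == "reject_unauth_destination":
            # Simplified: real Postfix also consults relay_domains and virtual domains.
            if rcpt_domain not in mydestination:
                return ("reject", name)
        elif name in ("permit", "reject"):
            return (name, name)
        else:
            raise ValueError(f"restriction not modelled in this demo: {name}")
    return ("permit", "end-of-list")  # Postfix permits when the list is exhausted


if __name__ == "__main__":
    cases = [
        ("127.0.0.1", "user@remote.example", False),      # PHP mail() via local Postfix
        ("::1", "user@remote.example", False),
        ("198.51.100.50", "user@remote.example", False),  # outside host trying to relay
        ("198.51.100.50", "user@remote.example", True),   # SASL-authenticated client
        ("198.51.100.50", "someone@example.com", False),  # inbound mail for our domain
    ]
    for client, rcpt, auth in cases:
        verdict = evaluate_restrictions(client, rcpt, auth)
        print(f"{client:>14} -> {rcpt:<22} {'sasl' if auth else 'anon':<5} {verdict}")
```

The last two assertions in the accompanying checks are the ones to keep in mind: drop loopback from mynetworks, or put reject_unauth_destination ahead of permit_mynetworks, and the web server's own mail() calls are refused with "Relay access denied" while outside clients are unaffected.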
Anyways, it's working now. I just need to make sure I have my iptables set right this time.