Hi Markus,
Markus Mayer wrote:
[MTA in chroot()'d env]
Yes, I'm afraid it requires an MTA.
Maybe it's a risk, but unsing PHP (or general non-static webpages) generally is a potential security risk #
Dan Bernstein, the author of qmail will pay you 1000$ if you exploit qmail. The offer stands since 1999. The money's still there, so it is a limited risk to install qmail in that environment. (If I found a way, I'd try; 1000$ is a lot beer and barbeque-stuff#)
I don't know how sensible security aspects are on your site, but for my needs it has always been safe enough. If you ever read through the sources you might have seen, that Dan kept an eye on very many aspects how software can be exploited and avoided all he could think of, even those he couldn't imagine being abused. (Actually, it taught me a lot on programming in general and on C in special)
Regarding a function that may override the internal mail()-function:
I'm not sure, but I think php's mail() just invokes the internal routine to queue mails in the local mta. Errorhandling in only performed in reading exit-status of sendmail -t -i...
sending mails directly is nontrivial in php, because you'll have to read the mx-record...
sending mails through an externel mta seems to me to have 2 stepping-stones:
1st Whatdayado if for any reason the external server is down only for 3 seconds?
2ndly It will slow down your script. It's not just forking a process, it's open a network connections, wait for the end to response, do a lot of protocol stuff etcetc....
But the idea of running a webserver chroot()'d sound so sweet to me, I'm going to check this out as soon as I have time for playing around a bit.#
best regards Markus
Have fun
Stephan
-- np: Grauzone - Wütendes Glas
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
