Issue Sendmail missing from chroot (Postfix)

[matrix]

Server operating system version

Debian 12

Plesk version and microupdate number

18.0.62 #2

Hello,
I'm suddenly getting an error when PHP scripts in chroot try to use the mail function (directly with mail or trough PHPMailer).
The error is /usr/sbin/sendmail not found. However, it was working just fine till yesterday.
I'm using postfix as mailserver and the sendmail sbin is just a symlink to the plesk wrapper.
Of course the users are allowed to use sendmail for cronjobs/scripts in their plans.
Thing I've tried:
1) Disable/reenable the mail setting checkbox for allowing sendmail in user scripts
2) Trying to manually add sendmail with update-chroot.sh
3) Trying to switch the user shell to bash (which has no problem btw) and then back to chroot.
4) Trying to rebuild the chroots from scratch
5) Running almost all the "plesk repair XXX" things.
I can't seem to get it working again.
I'm not sure why it broke, I was just adding some new executable int he chroot with the update-chroot script (like adding nano, find, mysqldump), and it suddenly broke.
I'm sure it was working before in chroot because I received mails from my own scripts till yesterday, now i just get a mail with the sendmail not found error.
I tried everything I could think of. Can anyone help?
Thanks

 

[matrix]

No one with this problem?

 

[Mark_NLD]

Have you tried (re)adding sendmail to the chroot environment?

https://support.plesk.com/hc/en-us/articles/12377962235159-How-to-add-programs-to-chrooted-shell-environment-template-in-Plesk

 

[matrix]

Have you tried (re)adding sendmail to the chroot environment?

https://support.plesk.com/hc/en-us/articles/12377962235159-How-to-add-programs-to-chrooted-shell-environment-template-in-Plesk

Point 2) of my post. Adding it manually wont work, also there is the setuid bit on the plesk wrapper which is dropped.

 

[La Linea]

"The error is /usr/sbin/sendmail not found."

What exactly do you get when you do a "ls -la /usr/sbin/sendmail" from within the chrooted environment?

"I'm using postfix as mailserver and the sendmail sbin is just a symlink to the plesk wrapper."

What is being returned when you "ls -la" on the linked wrapper?

Are there other symlinked items in that chroot under /usr/sbin/ that actually work?

 

[matrix]

"The error is /usr/sbin/sendmail not found."

What exactly do you get when you do a "ls -la /usr/sbin/sendmail" from within the chrooted environment?

"I'm using postfix as mailserver and the sendmail sbin is just a symlink to the plesk wrapper."

What is being returned when you "ls -la" on the linked wrapper?

Are there other symlinked items in that chroot under /usr/sbin/ that actually work?

There isn't /usr/sbin/sendmail by default, only if I add it manually with update-chroot.sh.
However when adding that way the symlink is broken anyway.
When manually fixing the symlink it complains about some other things when passing data to sendmail.
There isn't anything on the sbin folder by default, anything added by the update-shroot init is in bin (simple commands like ls, cat, etc).

However there must be something that allows to use sendmail in chroot by default, without doing anything. Because it was perfectly working, vanilla install with nothing touched in chrot, until i did a update-chroot.sh --rebuild because i wanted to reinit an user chroot. Since then the sendmail was broken for everyone in chroot.
Also, there is a specific checkbox in the Plesk UI to allow using sendmail by userscripts and cron, and that doesn't involve adding anything in chroot IIRCs. So there must be something that I'm missing to restore it as before.

I'll do some more tests later, and report if I fix it. But maybe if some Plesk dev can check this and tell me how it's configured initially with that checkbox, I can just recreate the same initial setup.

 

[La Linea]

There isn't /usr/sbin/sendmail by default, only if I add it manually with update-chroot.sh.
However when adding that way the symlink is broken anyway.

Yes, I know that it isn't available by default. There's not even the folder /usr/sbin/ existing. I just wanted to see what it looks like when you add it with update-chroot.sh script and if both the link and the target are accessible from within the chrooted shell.

However, since PHP is executed in a non-chrooted context by the web-server or by FPM ...

Did you probably activate the "Restrict the ability to follow symbolic links" settings in the "Apache & nginx Settings" for the given Domain(s)?

When manually fixing the symlink it complains about some other things when passing data to sendmail.

What do you mean by "manual fixing"?

There isn't anything on the sbin folder by default, anything added by the update-shroot init is in bin (simple commands like ls, cat, etc).

However there must be something that allows to use sendmail in chroot by default, without doing anything. Because it was perfectly working, vanilla install with nothing touched in chrot, until i did a update-chroot.sh --rebuild because i wanted to reinit an user chroot. Since then the sendmail was broken for everyone in chroot.
Also, there is a specific checkbox in the Plesk UI to allow using sendmail by userscripts and cron, and that doesn't involve adding anything in chroot IIRCs. So there must be something that I'm missing to restore it as before.

I'll do some more tests later, and report if I fix it. But maybe if some Plesk dev can check this and tell me how it's configured initially with that checkbox, I can just recreate the same initial setup.

Hope always dies last ...

 

[matrix]

However, since PHP is executed in a non-chrooted context by the web-server or by FPM ...

PHP CLI runs chrooted already for cron scripts. That's no problem to add following the update-chroot guide on Plesk KB.

Did you probably activate the "Restrict the ability to follow symbolic links" settings in the "Apache & nginx Settings" for the given Domain(s)?

OMG. That's probably it. I'll test later and report back.

What do you mean by "manual fixing"?

When you add sendmail with update-chroot.sh it gets added wrong. So you need to change the symlink to point to the correct location inside the chroot. That's what I meant. But again, that's probably because of the ability above. In my tests i was acopying booth the sendmail symlink and the plesk-wrapper by hand to make them work. The wrapper was wroking (meaning receiving requests with sendmail -t ...), but it was giving other errors (i don't remember which one now, did many tests, maybe something about resolving hosts or some other lib).

 

[matrix]

Did you probably activate the "Restrict the ability to follow symbolic links" settings in the "Apache & nginx Settings" for the given Domain(s)?

That wasn't it. That's only for apache, I'm using litespeed. And anyway it doesn't affect chroot or cron scripts.

I'm now in a situation where I manually added /usr/lib/plesk-9.0/postfix-sendmail-wrapper inside the chroot, removed the suid bin on this one only and created a symlink from /usr/sbin/sendmail to it. Now if I try to runs sendmail it says:
plesk-sendmail[2313000]: S2313000: cannot create temporary file - (2) No such file or directory
plesk-sendmail[2313000]: S2313000: Unable to save stdin content to temporary file
I'm almost there but I don't know what it's looking for. Maybe some temp folder to create inside chroot IDK. (If this is the coorect way to fix it anyway)

 

[matrix]

I'm now in a situation where I manually added /usr/lib/plesk-9.0/postfix-sendmail-wrapper inside the chroot, removed the suid bin on this one only and created a symlink from /usr/sbin/sendmail to it. Now if I try to runs sendmail it says:
plesk-sendmail[2313000]: S2313000: cannot create temporary file - (2) No such file or directory
plesk-sendmail[2313000]: S2313000: Unable to save stdin content to temporary file
I'm almost there but I don't know what it's looking for. Maybe some temp folder to create inside chroot IDK. (If this is the coorect way to fix it anyway)

I made another step by adding the spool folder inside chroot. However I'm now getting:
plesk-sendmail[2371173]: S2371173: Unable to get mail user passwd record (0): Success
plesk-sendmail[2371173]: S2371173: Unable to get mail group passwd record (0): Success
plesk-sendmail[2371173]: S2371173: Unable to get mail user uid or gid.
And ofc I can't add those in chroot without creating a security risk (at that point it's almost the same as giving bash to everyone).
So I just deleted everything I did and I'm stuck again with the original problem/situation.

 

[mizar]

Hello!

I doubt that it's enough to add /usr/sbin/sendmail to the chroot to make it send the emails - because postfix sendmail need to write file to the postfix queue, which is out of the chroot, and cannot be easily added. May be emails was send via SMTP or by cron itself?

 

[matrix]

Hello!

I doubt that it's enough to add /usr/sbin/sendmail to the chroot to make it send the emails - because postfix sendmail need to write file to the postfix queue, which is out of the chroot, and cannot be easily added. May be emails was send via SMTP or by cron itself?

I don't know how plesk handles the sendmail usage inside chroot. That's why I wanted some Plesk dev to explain it so I can recreate it as it was before it broke.
The only thing I know is that it's possible, because it worked before. So I just need to understand HOW to fix the chroot accordingly.
Also I don't even know why it broke. I didn't do anything "by hand" before, I was just using the Plesk UI and the update-chroot.sh script as they say in the KB. The update-chroot --rebuild probably broke it, but it shouldn't. It should recreate the original chroot env, just like a clean install.

 

[mizar]

I don't know how plesk handles the sendmail usage inside chroot. That's why I wanted some Plesk dev to explain it so I can recreate it as it was before it broke.
The only thing I know is that it's possible, because it worked before. So I just need to understand HOW to fix the chroot accordingly.
Also I don't even know why it broke. I didn't do anything "by hand" before, I was just using the Plesk UI and the update-chroot.sh script as they say in the KB. The update-chroot --rebuild probably broke it, but it shouldn't. It should recreate the original chroot env, just like a clean install.

But clean Plesk installation doesn't have a sendmail in the chroot and mail or sendmail commands doesn't work (and never works) in the chroot out of the box. I can only guess that previously your cron job works with non-chrooted shell.

 

[matrix]

But clean Plesk installation doesn't have a sendmail in the chroot and mail or sendmail commands doesn't work (and never works) in the chroot out of the box. I can only guess that previously your cron job works with non-chrooted shell.

Yes it does... At least on Deb12. it did for me till 3 days ago. There is even a specific flag in the Plek Mail server settings to Allow users to use sendmails in scripts.
If nothing else works i'll just use mini_sendmail or something like that...

 

[mizar]

Yes it does... At least on Deb12. it did for me till 3 days ago. There is even a specific flag in the Plek Mail server settings to Allow users to use sendmails in scripts.
If nothing else works i'll just use mini_sendmail or something like that...

It's applicable for any OS. And "Allow users to use sendmail" flag is unrelated to chroot and mostly intended to forbid sending emails via system users. Packing any SMTP client (mini_sendmail, msmtp or else) as /usr/bin/sendmail with appropriate configuration will do the work.

 

[matrix]

It's applicable for any OS. And "Allow users to use sendmail" flag is unrelated to chroot and mostly intended to forbid sending emails via system users. Packing any SMTP client (mini_sendmail, msmtp or else) as /usr/bin/sendmail with appropriate configuration will do the work.

Then I don't know what else could be causing it. What I know is that right after the server setup I was receiving mail for my cron in chrooted bash (a script that runs every 4 hours and reports back). Then suddenly it stopped working. Unfortunately when I noticed it the first time it was already too late to find the culprit, I did many changes to various config, used root ssh a lot and used update-chroot.sh a lot.
Anyway I fixed it now by compiling mini_sendmail, using update-chroot.sh to put it in every chroot as /usr/sbin/sendmail, and then adding 127.0.0.1 as mynetworks (using permit mynetworks) in postfix main.cf. I didn't want to take this way but at this point I couldn't think of anything else and I needed it working ASAP.