selinux 阻止 PHP/Roundcube 连接到本地 SMTP 或 IMAP 端口

tag-icon tag-icon imap smtp centos-7 selinux roundcube
selinux 阻止 PHP/Roundcube 连接到本地 SMTP 或 IMAP 端口

编辑:我已确定原因是 selinux。禁用强制后setenforce 0一切正常。所以新的问题是,selinux 怎么了?我只有默认的 CentOS 7 策略。

我已经在 CentOS 7 上配置了 RoundCube 邮件

<?php
  $config['db_dsnw'] = 'mysql://roundcube:redacted@localhost/webmail';
  $config['default_host'] = 'localhost';
  $config['default_port'] = 993;
  $config['smtp_server'] = 'localhost';
  $config['smtp_port'] = 587;
  $config['smtp_user'] = '%u';
  $config['smtp_pass'] = '%p';
  $config['support_url'] = '';
  $config['des_key'] = 'redacted';
  $config['plugins'] = array('archive', 'attachment_reminder', 'autologon', 'emoticons', 'filesystem_attachments', 'help', 'hide_blockquote', 'managesieve', 'markasjunk', 'newmail_notifier', 'password', 'userinfo', 'vcard_attachments', 'zipdownload');
  $config['language'] = 'en_US';
  $config['spellcheck_engine'] = 'pspell';
  $config['htmleditor'] = 2;
  $config['draft_autosave'] = 60;
  $config['preview_pane'] = true;

当我测试 SMPT 时,出现错误:

Trying to send email...
SMTP send:  NOT OK(Connection failed: Failed to connect socket: Permission denied)

使用 IMAP 时:

Connecting to localhost...
IMAP connect:  NOT OK(Login failed for user from my.ip.ad.dr Could not connect to localhost:993: Permission denied)

但是……端口没问题。它们是开放的。我已经验证了这一点:

$ openssl s_client -connect 127.0.0.1:993 -crlf
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
...
$ openssl s_client -connect 127.0.0.1:587 -starttls smtp
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
...
$ openssl s_client -connect [::1]:993 -crlf
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
...
$ openssl s_client -connect [::1]:587 -starttls smtp
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
...

iptables未安装,firewalld则用来代替它。

我已将其取下来firewalld进行测试。

知道这里发生什么事了吗?

$ uname -a
Linux gbox 3.10.0-862.11.6.el7.x86_64 #1 SMP Tue Aug 14 21:49:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux`
$ cat /etc/centos-release
CentOS Linux release 7.5.1804 (Core)`
$ httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built:   Jun 27 2018 13:48:59
$ php -v
PHP 5.4.16 (cli) (built: Apr 12 2018 19:02:01)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies
$ postconf -d | grep mail_version
mail_version = 2.10.1
$ dovecot --version
2.2.10

答案1

所以,这是 selinux。深入挖掘并记住如何读取审计日志后,我想出了:

setsebool -P httpd_can_network_connect 1

这允许 httpd 通过网络发起套接字连接(据我所知)。

答案2

如果你使用 unix 域套接字而不是 TCP/IP,则 (可能) 默认会起作用:

$config['db_dsnw'] = 'mysql://roundcube:redacted@unix(/run/mysqld/mysqld-roundcube.sock)/roundcubemail';

相关内容