Decision on a way forward: PHP mail

I noticed in my post Chroot and /etc/ssl/certs for PHP curl - #5 by beat that the mail function in PHP is not working in FPM mode and that using the direct SMTP method does not work if you have a secure setup and require TLS (STARTTLS). The CA bundle is not loaded in a chrooted environment (see this post: Chroot and /etc/ssl/certs for PHP curl - #3 by RobertoPastor). @Joe confirmed a solution here Localhosted website only: Postfix TLS error "...error:0A000418:SSL routines::tlsv1 alert unknown ca..." but that is not integrated in a new version (so it would be a manual change). Will Virtualmin address this issue (soon) or should we use the solution from @giannis as the “official” solution to this problem (BTW: this is not a full solution, because it does not link to the Let’s Encrypt facility to keep the certificates created this way up to date automatically)?

I didn’t have any plans to change the default chroot jail configurations. We ship what comes with the jailkit package.

If you’re using the chroot, you have high expectations for how locked down the system is; I wouldn’t want to open up new surprises, especially WRT email.

So, yes, if you want users/scripts to be able to send mail from inside the chroot and you have configured your system in such a way that it needs TLS, you’ll need to provide everything that is required for setting up TLS connections inside your chroot.

That said, I think you could also just let users send locally without TLS. It never traverses the network so passwords are not at risk (they are discoverable by root, but they are already discoverable by root if they are stored on the system somewhere). The default configuration of Virtualmin’s mail stack would not require this extra stuff in the chroot for sending mail.

Clear. Thanks for sharing your vision on the roadmap and the explanation. Probably the easiest way forward is to indeed change the postfix master.cf for only the localhost (note to self: to prep for IPv6-only servers, don’t forget ::1) “submission” configuration to not require encryption.

However, the CA bundle configuration is also needed in PHP for things like cURL, stream_socket_client() or openssl_connect() if one connects using encryption (which is most often the case). So, in my understanding, we will eventually need to be able to find a better solution.

PS: Could adding an “additional FPM Pool Options” like php_value[openssl.cafile] to the “Server Templates” be an option (adding it to the uidbasics config)?

The default configured during Virtualmin installation is STARTTLS on the submission port, which means TLS is negotiable. The client can decide what to do with it.

We already know the solution, don’t we? You just put the CA bundle in the jail, along with whatever shared libraries are needed.

I can be convinced we need a way to set additional options, but if you install the CA bundle in the right location by using the JailKit tools or config file, you won’t need to tell it where to find the CA bundle because it’ll be in the same location in the chroot as it is in the regular filesystem, and thus libraries and tools will know where to find it. So, you shouldn’t need this option, but maybe folks need other options.

I still run into a problem:

Webmin - PHP Configuration - Edit Configuration Manually

uncomment and set:

openssl.cafile = "/etc/ssl/certs/ca-certificates.crt"

Restart FPM: systemctl restart php8.2-fpm

Via SSH (as I do not have the Jailkit Manager module), edit: /etc/jailkit/jk_init.ini

append “, /etc/ssl/certs/ca-certificates.crt” to the “paths” line in the “[uidbasics]” section (as I did not know via which (sub) jail PHP’s FPM gets executed).

How to refresh the active jailkit config for that domain user?

jk_init -v -j /home/user jk_chrootsh

Does not seem to work (when I sudo into that user, I do not see the file).
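Added example, not part of the thread and not Virtualmin or Jailkit code: a shell check for the condition discussed above, that the CA bundle exists inside the jail at the same path as on the host, resolves from a chrooted process's point of view, and matches the host copy. The function names, status words and exit codes are this example's own; the jail root `/home/user` and the bundle path are the ones used in the posts.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and exit codes are
# this example's own. Checks a file from the jail's point of view.

# resolve_in_jail JAIL PATH: follow symlinks on the final path component the
# way a chrooted process would (absolute targets restart at the jail root)
# and print the host-side path of the result. Fails on a symlink loop.
# Limitation: symlinked parent directories and ".." are not rewritten.
resolve_in_jail() {
    local jail="${1%/}" p="$2" target i
    for i in 1 2 3 4 5 6 7 8; do
        [ -L "$jail$p" ] || { printf '%s\n' "$jail$p"; return 0; }
        target=$(readlink "$jail$p")
        case "$target" in
            /*) p="$target" ;;
            *)  p="$(dirname "$p")/$target" ;;
        esac
    done
    return 1
}

# check_jail_file JAIL PATH [HOSTROOT]
# Prints a status word and returns 0 ok, 1 missing, 2 dangling, 3 stale.
# HOSTROOT defaults to "" (the real root); it exists so the check can be
# exercised against a constructed directory tree.
check_jail_file() {
    local jail="${1%/}" path="$2" hostroot="${3:-}" real
    hostroot="${hostroot%/}"
    # Nothing at that path inside the jail at all.
    [ -e "$jail$path" ] || [ -L "$jail$path" ] || { echo missing; return 1; }
    # Present, but a symlink whose target was not copied into the jail.
    real=$(resolve_in_jail "$jail" "$path") && [ -f "$real" ] \
        || { echo dangling; return 2; }
    # Copied once and never refreshed: differs from the host's bundle.
    cmp -s "$real" "$hostroot$path" || { echo stale; return 3; }
    echo ok
}

# Usage: sh check.sh /home/user /etc/ssl/certs/ca-certificates.crt
if [ "$#" -ge 2 ]; then
    check_jail_file "$@"
fi
```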