You cant use that either as CA Certs are missing (Can also be fixed),
However its not limited to it and not really a solution.
As we provide webhosting to a third party they expect “normal” methods to just work.
OK, then we have a winner lol.
I’ll test binding certs in to the jail as well.
What’s the easiest way to roll the changes to all jails and make it a default going forward?
I’m not used to using jailkit sorry.
That’s changing the topic. If OP wants sendmail (or a sendmail-like command) to work in a jail, that’s a reasonable ask.
Using some other method of sending email is also a valid solution, but may require code changes. I can’t figure out from the documentation of mail() on UNIX/Linux can be configured to use an SMTP server…it definitely can on Windows, but I haven’t found confirmation that the configuration works on Linux. I’m pretty sure I looked into it in the past, and maybe even tested it, and my gut is telling me you can make mail() send via SMTP instead of a command. But, I’m not really confident of that assertion. There’s an example of configuring it to do so on Windows here: PHP: mail - Manual
(You’d obviously want 127.0.0.1 and port 25 rather than the configuration used there. And no auth is needed for a local connection.)
Whether that works on Linux is what I don’t know.
But, there are ways to make sendmail (the command not the MTA) work in a jail, so if that’s what OP wants, that’s what OP should do.
You can add all the commands and files you want in the jail to the jail configuration using the Webmin Jailkit module or you can edit the jail definitions in /etc/jailkit/jk_init.ini
You need to add the changes to the actual jail you’re using for domain owner users (there are several examples in jk_init.ini, I don’t remember the default jail in Virtualmin but that’s also configurable). @Ilia recently added some additional Jailkit features, I think mostly in Virtualmin Pro, and one of those was a regenerate jails feature, I think.
There’s probably a simple way to do it on the command line, but you can also just disable the jail and re-enable it, I think? I haven’t spent much time with jails since we implemented it many years ago, as I don’t use them, but I think that’s how it works. The virtualmin CLI allows scripting this if you’re doing a lot of it. The modify-domain command has a --disable-jail and --enable-jail option. (Example here: Switch Jailkit setting using command line)
That can be scripted to run on all domains in a simple for loop (use the virtualmin list-domains --name-only command to get the list to loop over).
1 Like
Just make sure anything you put in a jail is done using jk_ utilities (anything you do regarding jails in Virtualmin/Webmin is also done using the jk_ utilities), because it protects you from accidentally putting setuid or setgid binaries into the jail, among other things.
setuid/gid binaries may provide an escape hatch out of the jail. Or worse, Debian/Ubuntu unfortunately don’t build jailkit with capabilities enabled (at least, the last time I checked), so using jails introduces the possibility of privilege escalation. Probably unlikely, but the jailing chroot is run with root privileges. On EL, the jailkit package enables capabilities support, which limits which root privileges are available and limits the attack surface dramatically.
1 Like
@Joe,
From what I just read on the page referenced, SMTP implementation is a “Windows only” feature. Linux uses the “sendmail” implementation.
My “suggestion” was meant as an alternative to trying to get sendmail working, as it would/should work regardless of a jailed environment. I tend to send via SMTP for all apps I develop and implement including those requested by clients (WordPress installs inclusive).
But that being said, the idea appears to have been rejected which is fine. Continue as you were.
This’s right, and Virtualmin Pro makes it much easier to manage jails and add extra commands to the jail using the proper underlying jk_ API.
Disabling and re-enabling the jail won’t clean it. Virtualmin Pro however has this one-click feature. But, in Virtualmin GPL it is has to be done manually by deleting the corresponding jail directory in /home/chroot, but only when the jail for the domain is disabled!
2 Likes
Thanks, i was aware of this earlier on my.test set, lets just say inset it up twice lol
are you new to Virtualmin?
the general virtualmin framework provides great security and isolation between each virtual server and website – so much so that many find jailkit no longer needed … have you had a moment to see what things look like without jailkit?
just a general observation and thought, as it appears lots of time is being spent on this jailkit issue.
It’s not that difficult, they figured it out using msmtp.
Though I don’t think jails provide all that much in the way of security, and they have their own risks, probably mitigated by using a build with capabilities as found on EL distros. They’re probably not worth the complexity for most folks, but for folks willing to put in a little extra work, they can work fine.
Hi Verne,
No, I’m not knew to it, I started using it when it was released.
As for a lot of time being spent on it I’m not so sure a couple of hours is really a lot of time.
Think of it more as educational and understanding in order to evaluate the need for jailkits
We tend to get people not updating Wordpress installs and then getting compromised and we are just trying to make sure that another website on the same server is safe under this situation.
Feel free to advise anything factual about it 
The upcoming Virtualmin WP Workbench Manager will provide you with a clear overview of all installed instances and allow you to update them all at once, including plugins and themes (wasn’t shown on the screenshot in the linked comment).
Jailkit doesn’t really have much impact on this. Domain owner users are already prevented from messing about with other domains. Everything runs as the domain owner user (as long as you’re not using mod_php), and domain owner users don’t have permissions to modify anything in other domain homes.
Theoretically, it might make it harder to escalate if the user needs some command outside the jail to perform the escalation (some setuid binary or something, maybe). But, also, on Debian/Ubuntu there is a theoretical risk of root escalation added to the equation by using Jailkit, since it isn’t built using capabilities and is itself running as root to chroot the user into the jail. I think these two theoretical risks cancel each other out. There might be an argument that using jails is a little safer than not using jails on EL distros, though, since it is built with capabilities and the risk of privilege escalation introduced by using Jailkit is probably mitigated.
In short: a chroot jail isn’t really a security feature, it’s more aesthetic. Users can’t see other domain homes when they ls /home. But, seeing is not the same as exploiting, and is harmless absent other exploitable conditions on the system.
1 Like
the only thing i have in the logs is this
[04-Aug-2025 23:57:02 UTC] PHP Warning: Attempt to read property “failed” on null in /home/etcmaryland/public_html/wp-content/plugins/smtp2go/app/SMTP2GOMailer.php on line 111
[04-Aug-2025 23:57:02 UTC] PHP Warning: Attempt to read property “data” on string in /home/etcmaryland/public_html/wp-content/plugins/smtp2go/app/SMTP2GOMailer.php on line 111
smtp2go is being blocked inside jalkit as i do not have any mta running directly on the server…never have..never will.
chroot does not do anything related to network. If you’re trying to send email via a relay outside of the server, chroot is not blocking it. chroot does not block network requests.
If there is a problem that doesn’t happen when your user is not in a chroot, it just means you’re missing some necessary library or executable in the chroot. Without an error telling us what is missing, I can’t tell you what to do about it.
with php-fpm enabled AND jailkit enabled the smtp2go plugin is blocked..and throws that error. with php-fpm on and jailkit disabled php mail and the smtp2go interception works fine. i ahve disabled jailkit on all servers. especially since you said that jailkit doesn’t do user isolation earlier…it’s not worth the headache.
This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.