Option to disable mail function in PHP

  • I strongly recommend that the mail function can be disabled from the PHP editor section for each domain (adding a "mail" button in the "Value for the disable_functions directive").


    I encounter many websites with poor security that are spamming via PHP. The only option to stop them, as a server administrator, without cutting off the whole account, was to manually edit the PHP settings by adding mail to the disabled functions. Unfortunately, this is overwritten on the next update or for other reasons.


    Thanks!

  • Hello ;


    Should be easy to add. I'll see if I can do that in 1.2.12.


  • I strongly recommend that the mail function can be disabled from the PHP editor section for each domain (adding a "mail" button in the "Value for the disable_functions directive").


    I encounter many websites with poor security that are spamming via PHP. The only option to stop them, as a server administrator, without cutting off the whole account, was to manually edit the PHP settings by adding mail to the disabled functions. Unfortunately, this is overwritten on the next update or for other reasons.


    Thanks!

    Hi! How do you do it manually? I've the same problem.

  • @redcloud


    Are you serious?


    Well, just edit the php.ini files or the pool file, according to the httpd server implementation you use. You just need to add the mail function to the list of disabled functions (disable_functions directive).
    Once done, you must restart either Apache or the FPM instance, according to the httpd server implementation you use.

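A check for the manual edit described above, useful for noticing when a panel update has overwritten it. This is an added example, not code from the thread or from i-MSCP. The file contents and domain names are constructed samples, and it relies on PHP-FPM's documented behaviour that a pool-level disable_functions value is appended to the php.ini list rather than replacing it.

```python
import re

# "disable_functions = ..." in php.ini
_INI = re.compile(r'^\s*disable_functions\s*=\s*(.*)$')
# "php_admin_value[disable_functions] = ..." (or php_value[...]) in an FPM pool file
_POOL = re.compile(r'^\s*php_(?:admin_)?value\[disable_functions\]\s*=\s*(.*)$')

def _split(value):
    """Turn 'exec, mail ; note' or '"exec,mail"' into a set of lowercase names."""
    value = value.split(';', 1)[0].strip().strip('"\'')
    return {f.strip().lower() for f in value.split(',') if f.strip()}

def disabled_functions(php_ini_text, pool_text=""):
    """Effective disable_functions set for one FPM pool."""
    ini = set()
    for line in php_ini_text.splitlines():
        m = _INI.match(line)          # lines commented out with ';' do not match
        if m:
            ini = _split(m.group(1))  # a later php.ini assignment replaces an earlier one
    pool = set()
    for line in pool_text.splitlines():
        m = _POOL.match(line)
        if m:
            pool |= _split(m.group(1))
    return ini | pool                 # FPM appends pool values to the php.ini list

def mail_disabled(php_ini_text, pool_text=""):
    return "mail" in disabled_functions(php_ini_text, pool_text)

# Constructed sample configuration (not taken from a real server).
PHP_INI = """\
; global php.ini
disable_functions = exec,passthru,shell_exec,system
"""
POOL_LOCKED = """\
[customer.example]
php_admin_value[disable_functions] = mail
"""
POOL_REVERTED = """\
[open.example]
;php_admin_value[disable_functions] = mail
"""

if __name__ == "__main__":
    for name, pool in (("customer.example", POOL_LOCKED), ("open.example", POOL_REVERTED)):
        state = "disabled" if mail_disabled(PHP_INI, pool) else "ENABLED"
        print(f"{name}: mail() {state}")
```

Run against the real php.ini and pool files from cron after each panel update; the new setting only takes effect once Apache or the FPM instance has been restarted, as the reply above says.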

  • Hello ;


    Should be easy to add. I'll see if I can do that in 1.2.12.

    Will this feature be implemented on a per-domain basis or on a global (server) basis? It would be useful to do both.
    Maybe it's possible to allow/deny specific functions for specific domains. Some default values, but maybe add a field so admins/resellers can add/remove features themselves.

  • @theemstra



    Well, it will be implemented on a per-domain basis. In version 1.2.12, the PHP editor will really act on a per-domain basis, depending on the PHP configuration level that has been chosen by the administrator (per_user, per_domain or per_site). See http://youtrack.i-mscp.net/issue/IP-582 ; please don't pollute this issue with your feature requests ;)


    Right now, the PHP editor doesn't provide a way of acting globally for already created accounts... I'll change that in series 1.3.x (according to time constraints).


    For the custom PHP directives, this feature is planned for series 2. However, from my point of view, resellers shouldn't have control over that, or if so, we must allow the administrator to deny some PHP directives.


  • I would maybe also add a possibility that only the reseller can enable/disable the mail() function, but not the customer himself. The reason is simple:

    1. An insecure website was infected / a website was infected via FTP
    2. The website is sending spam using the mail() function
    3. The reseller disables the mail() function for that domain instead of disabling the complete website
    4. The client does not care how many spam mails will be sent through the server; he only wants to be able to send mails via mail() because he has zero knowledge of implementing SMTP, or also doesn't want to pay for a web developer to clean his installation -> enables the mail() function again
    5. After some min/hours/days, go back to 3.
  • @Ninos


    In order, I'll do as follows:


    Admin side


    Administrator can enable or disable mail function for the reseller.


    Reseller side


    If enabled for him by the administrator, the reseller can enable or disable the mail function for his customers.


    Customer side


    If enabled for him by the reseller, the customer can enable or disable the mail function.


    This is the simplest solution with the current PHP Editor implementation (cascading permissions).


    Now, what about SMTP-related functions? From my point of view, we should do the same for them. Why? Because the SMTP restrictions in the Postfix main.cf permit the local network without further checks. This means that any mail sent from PHP using SMTP will be allowed without any authentication.


    From my point of view, we should be able to totally disable the mail feature for a specific customer. We could just force SASL authentication by moving up the permit_sasl_authenticated SMTP restriction, but I must test for possible side effects.
