Server setting are:

  1. Apache2
  2. Nginx
  3. Php5
  4. Exim4
  5. VestaCP
  6. Ubuntu

Some of the control panel/or less experienced server admin will¬†install the mail system with an implicit “trust” of localhost. The php mail() function will use localhost (as will roundcube then by default) and this doesn’t require authentication of a local user to send mail.

The issue with this, is that if you are hosting a website on the same installation, and that website gets hacked with a php shell or other (happens to wordpress, joomla, drupal all the time) then that exploit can turn your installation into a spam generator as your hacked site can make use of the php mail() function and send mail at will without authentication. From my experience they are able to send out 50k email in one day

We got around this by requiring auth to smtp (exim) through the whole system:


Method for PHP5.5 and before
We have to edit sendmail_path in php.ini

1. nano /etc/php5/apache2/php.ini
2. Edit line sendmail_path = and change into sendmail_path = "/dev/null"
3. Save

Method for PHP5.6 and after
The newest php version installed on server does not allow global settings (such as execution time, max upload filesize, max post file size, etc.) to be changed.

Folow these steps to resolve the issue:
1. nano /etc/php5/apache2/conf.d/user.ini
2. Add sendmail_path = "/dev/null" line inside /etc/php5/apache2/conf.d/user.ini
3. Save
4. Use this ini file for any custom settings.


Edit Roundcube configuration
After you have changed the setting in php, you have to change the setting in roundcube
nano /etc/roundcube/
$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_user'] = '%u';
$rcmail_config['smtp_pass'] = '%p';

*Location for Centos php.ini is at /etc/php.ini

Leave a Reply