MFC r256773:

Enable the automatic creation of a certificate (if one does not exists)
and enable the usage by sendmail if sendmail is enabled.

Reviewed by:    gshapiro
Approved by:	re (gjb)

3 files changed, 142 insertions, 0 deletions

diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 6b037f3..05611d1 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -573,6 +573,8 @@ sendmail_enable="NO"	# Run the sendmail inbound daemon (YES/NO).
 sendmail_pidfile="/var/run/sendmail.pid"	# sendmail pid file
 sendmail_procname="/usr/sbin/sendmail"		# sendmail process name
 sendmail_flags="-L sm-mta -bd -q30m" # Flags to sendmail (as a server)
+sendmail_cert_create="YES"	# Create a server certificate if none (YES/NO)
+#sendmail_cert_cn="CN"   	# CN of the generate certificate
 sendmail_submit_enable="YES"	# Start a localhost-only MTA for mail submission
 sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost"
 				# Flags for localhost-only MTA
diff --git a/etc/rc.d/sendmail b/etc/rc.d/sendmail
index 712bb3e..8247097 100755
--- a/etc/rc.d/sendmail
+++ b/etc/rc.d/sendmail
@@ -24,6 +24,8 @@ command=${sendmail_program:-/usr/sbin/${name}}
 pidfile=${sendmail_pidfile:-/var/run/${name}.pid}
 procname=${sendmail_procname:-/usr/sbin/${name}}
 
+CERTDIR=/etc/mail/certs
+
 case ${sendmail_enable} in
 [Nn][Oo][Nn][Ee])
 	sendmail_enable="NO"
@@ -44,6 +46,118 @@ if checkyesno sendmail_submit_enable; then
 	sendmail_outbound_enable="NO"
 fi
 
+sendmail_cert_create()
+{
+	cnname="${sendmail_cert_cn:-`hostname`}"
+	cnname="${cnname:-amnesiac}"
+
+	# based upon:
+	# http://www.sendmail.org/~ca/email/other/cagreg.html
+	CAdir=`mktemp -d` &&
+	certpass=`(date; ps ax ; hostname) | md5 -q`
+
+	# make certificate authority
+	( cd "$CAdir" &&
+	chmod 700 "$CAdir" &&
+	mkdir certs crl newcerts &&
+	echo "01" > serial &&
+	:> index.txt &&
+
+	cat <<-OPENSSL_CNF > openssl.cnf &&
+		RANDFILE	= $CAdir/.rnd
+		[ ca ]
+		default_ca	= CA_default
+		[ CA_default ]
+		dir		= .
+		certs		= \$dir/certs		# Where the issued certs are kept
+		crl_dir		= \$dir/crl		# Where the issued crl are kept
+		database	= \$dir/index.txt	# database index file.
+		new_certs_dir	= \$dir/newcerts	# default place for new certs.
+		certificate	= \$dir/cacert.pem 	# The CA certificate
+		serial		= \$dir/serial 		# The current serial number
+		crlnumber	= \$dir/crlnumber	# the current crl number
+		crl		= \$dir/crl.pem 	# The current CRL
+		private_key	= \$dir/cakey.pem
+		x509_extensions	= usr_cert		# The extentions to add to the cert
+		name_opt 	= ca_default		# Subject Name options
+		cert_opt 	= ca_default		# Certificate field options
+		default_days	= 365			# how long to certify for
+		default_crl_days= 30			# how long before next CRL
+		default_md	= default		# use public key default MD
+		preserve	= no			# keep passed DN ordering
+		policy		= policy_anything
+		[ policy_anything ]
+		countryName		= optional
+		stateOrProvinceName	= optional
+		localityName		= optional
+		organizationName	= optional
+		organizationalUnitName	= optional
+		commonName		= supplied
+		emailAddress		= optional
+		[ req ]
+		default_bits		= 2048
+		default_keyfile 	= privkey.pem
+		distinguished_name	= req_distinguished_name
+		attributes		= req_attributes
+		x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+		string_mask = utf8only
+		prompt = no
+		[ req_distinguished_name ]
+		countryName			= XX
+		stateOrProvinceName		= Some-state
+		localityName			= Some-city
+		0.organizationName		= Some-org
+		CN				= $cnname
+		[ req_attributes ]
+		challengePassword		= foobar
+		unstructuredName		= An optional company name
+		[ usr_cert ]
+		basicConstraints=CA:FALSE
+		nsComment			= "OpenSSL Generated Certificate"
+		subjectKeyIdentifier=hash
+		authorityKeyIdentifier=keyid,issuer
+		[ v3_req ]
+		basicConstraints = CA:FALSE
+		keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+		[ v3_ca ]
+		subjectKeyIdentifier=hash
+		authorityKeyIdentifier=keyid:always,issuer
+		basicConstraints = CA:true
+	OPENSSL_CNF
+
+	# though we use a password, the key is discarded and never used
+	openssl req -batch -passout pass:"$certpass" -new -x509 \
+	    -keyout cakey.pem -out cacert.pem -days 3650 \
+	    -config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&
+
+	# make new certificate
+	openssl req -batch -nodes -new -x509 -keyout newkey.pem \
+	    -out newreq.pem -days 365 -config openssl.cnf \
+	    -newkey rsa:2048 >/dev/null 2>&1 &&
+
+	# sign certificate
+	openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
+	    -out tmp.pem >/dev/null 2>&1 &&
+	openssl ca -notext -config openssl.cnf \
+	    -out newcert.pem -keyfile cakey.pem -cert cacert.pem \
+	    -key "$certpass" -batch -infiles tmp.pem >/dev/null 2>&1 &&
+
+	mkdir -p "$CERTDIR" &&
+	chmod 0755 "$CERTDIR" &&
+	chmod 644 newcert.pem cacert.pem &&
+	chmod 600 newkey.pem &&
+	cp -p newcert.pem "$CERTDIR"/host.cert &&
+	cp -p cacert.pem "$CERTDIR"/cacert.pem &&
+	cp -p newkey.pem "$CERTDIR"/host.key &&
+	ln -s cacert.pem "$CERTDIR"/`openssl x509 -hash -noout \
+	    -in cacert.pem`.0)
+
+	retVal="$?"
+	rm -rf "$CAdir"
+
+	return "$retVal"
+}
+
 sendmail_precmd()
 {
 	# Die if there's pre-8.10 custom configuration file.  This check is
@@ -71,6 +185,17 @@ sendmail_precmd()
 				/usr/bin/newaliases
 		fi
 	fi
+
+	if checkyesno sendmail_cert_create && [ ! \( \
+	    -f "$CERTDIR/host.cert" -o -f "$CERTDIR/host.key" -o \
+	    -f "$CERTDIR/cacert.pem" \) ]; then
+		if ! openssl version >/dev/null 2>&1; then
+			warn "OpenSSL not available, but sendmail_cert_create is YES."
+		else
+			info Creating certificate for sendmail.
+			sendmail_cert_create
+		fi
+	fi
 }
 
 run_rc_command "$1"
diff --git a/etc/sendmail/freebsd.mc b/etc/sendmail/freebsd.mc
index 6d75636..7ab7386 100644
--- a/etc/sendmail/freebsd.mc
+++ b/etc/sendmail/freebsd.mc
@@ -42,6 +42,11 @@ divert(-1)
 #  /usr/share/sendmail/cf/README or
 #  /usr/src/contrib/sendmail/cf/README
 # 
+#
+#  NOTE: If you enable RunAsUser, make sure that you adjust the permissions
+#  and owner of the SSL certificates and keys in /etc/mail/certs to be usable
+#  by that user.
+#
 
 divert(0)
 VERSIONID(`$FreeBSD$')
@@ -54,6 +59,16 @@ FEATURE(local_lmtp)
 FEATURE(mailertable, `hash -o /etc/mail/mailertable')
 FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
 
+dnl Enable STARTTLS for receiving email.
+define(`CERT_DIR', `/etc/mail/certs')dnl
+define(`confSERVER_CERT', `CERT_DIR/host.cert')dnl
+define(`confSERVER_KEY', `CERT_DIR/host.key')dnl
+define(`confCLIENT_CERT', `CERT_DIR/host.cert')dnl
+define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl
+define(`confCACERT', `CERT_DIR/cacert.pem')dnl
+define(`confCACERT_PATH', `CERT_DIR')dnl
+define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl
+
 dnl Uncomment to allow relaying based on your MX records.
 dnl NOTE: This can allow sites to use your server as a backup MX without
 dnl       your permission.