author: jmg <jmg@FreeBSD.org> 2013-10-19 18:51:06 +0000
committer: jmg <jmg@FreeBSD.org> 2013-10-19 18:51:06 +0000
commit: a25e3add85ff606c3740e4c8346bc9cb1c13f7e3
tree: 9c5fa17e375961b2b89a7f29f6cd354d8d559f12 /share/man/man8
parent: 1a884d59cfcf6f1850742e793acfc113bbc33838
Enable the automatic creation of a certificate (if one does not exist)
and enable the usage by sendmail if sendmail is enabled.

Include and document knobs to disable this feature and also set the Common Name of the certificate created.

As the certificate is signed w/ a discarded key, it only helps prevent Eve, but not Mallory from knowing the contents of the emails.

This means that new installs (and people that use the updated freebsd.mc file) will automatically have STARTTLS enabled allowing incoming email to be encrypted in most cases.

Reviewed by: gshapiro
MFC after: 3 days
Security: Yes, please.
Diffstat (limited to 'share/man/man8')
-rw-r--r-- share/man/man8/rc.sendmail.8 38
1 files changed, 37 insertions, 1 deletions
diff --git a/share/man/man8/rc.sendmail.8 b/share/man/man8/rc.sendmail.8
index 14a30e4..d8dff43 100644
--- a/share/man/man8/rc.sendmail.8
+++ b/share/man/man8/rc.sendmail.8
@@ -26,7 +26,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd March 30, 2002
+.Dd October 19, 2013
.Dt RC.SENDMAIL 8
.Os
.Sh NAME
@@ -119,6 +119,42 @@ The
.Dq Li NONE
option is deprecated and should not be used.
It will be removed in a future release.
+.It Va sendmail_cert_create
+.Pq Vt str
+If
+.Va sendmail_enable
+is set to
+.Dq Li YES ,
+create a signed certificate
+.Pa /etc/mail/certs/host.cert
+representing
+.Pa /etc/mail/certs/host.key
+by the CA certificate in
+.Pa /etc/mail/certs/cacert.pem .
+This will enable connecting hosts to negotiate STARTTLS allowing incoming
+email to be encrypted in transit.
+.Xr sendmail 8
+needs to be configured to use these generated files.
+The default configuration in
+.Pa /etc/mail/freebsd.mc
+has the required options in it.
+.It Va sendmail_cert_cn
+.Pq Vt str
+If
+.Va sendmail_enable
+is set to
+.Dq Li YES
+and
+.Va sendmail_cert_create
+is set to
+.Dq Li YES ,
+this is the Common Name (CN) of the certificate that will be created.
+If
+.Va sendmail_cert_cn
+is not set, the system's hostname will be used.
+If there is no hostname set,
+.Dq Li amnesiac
+will be used.
.It Va sendmail_flags
.Pq Vt str
If
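Review bot: The new sendmail_cert_create entry never says which value turns certificate creation on or off, or what the default is. It is typed ".Pq Vt str", yet the sendmail_cert_cn entry right after it tests it against ".Dq Li YES", so it reads as a boolean; suggest ".Pq Vt bool", stating the default, and saying explicitly that "NO" disables creation. The entry should also carry the two facts that currently live only in the commit message: that a certificate is created only if one does not already exist, and that the signing key is discarded, so the result gives protection against passive eavesdropping but does not authenticate the host. As written, "create a signed certificate ... by the CA certificate in /etc/mail/certs/cacert.pem" can be read as producing a trusted certificate. The phrase "representing /etc/mail/certs/host.key by the CA certificate" is also hard to parse; something like "for the key in /etc/mail/certs/host.key, signed by the CA certificate in ..." would be clearer.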