From a25e3add85ff606c3740e4c8346bc9cb1c13f7e3 Mon Sep 17 00:00:00 2001
From: jmg
Date: Sat, 19 Oct 2013 18:51:06 +0000
Subject: Enable the automatic creation of a certificate (if one does not exists) and enable the usage by sendmail if sendmail is enabled. Include and document knobs to disable this feature and also set the Common Name of the certificate created. As the certificate is signed w/ a discarded key, it only helps prevent Eve, but not Malory from knowing the contents of the emails. This means that new installs (and people that use the updated freebsd.mc file) will automaticly have STARTTLS enabled allowing incoming email to be encrypted in most cases. Reviewed by: gshapiro MFC after: 3 days Security: Yes, please.
---
 etc/defaults/rc.conf | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'etc/defaults')
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index d609bd8..b04d7cf 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -573,6 +573,8 @@ sendmail_enable="NO" # Run the sendmail inbound daemon (YES/NO).
 sendmail_pidfile="/var/run/sendmail.pid" # sendmail pid file
 sendmail_procname="/usr/sbin/sendmail" # sendmail process name
 sendmail_flags="-L sm-mta -bd -q30m" # Flags to sendmail (as a server)
+sendmail_cert_create="YES" # Create a server certificate if none (YES/NO)
+#sendmail_cert_cn="CN" # CN of the generate certificate
 sendmail_submit_enable="YES" # Start a localhost-only MTA for mail submission
 sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost"
 # Flags for localhost-only MTA
--
cgit v1.1
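Review bot: The comment on the new `sendmail_cert_create="YES"` default says only "Create a server certificate if none", which leaves out the caveat stated in the commit message: the certificate is signed with a discarded key, so STARTTLS protects against passive eavesdropping but gives no server authentication. I would carry that into the comment, for example `# Create a server cert (signed by a discarded key) if none exists (YES/NO)`, so an admin reading rc.conf does not take it for a verifiable certificate. The next line has a typo and should read `# CN of the generated certificate`; it also does not say which CN is used while the knob stays commented out. The code that generates the key and certificate is outside this view (the patch is limited to etc/defaults), so the file location and permissions of the private key are worth confirming there.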