blob: 824709702649835e456f48990e5a5af263144c46 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
|
#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: mail
# REQUIRE: LOGIN FILESYSTEMS
# we make mail start late, so that things like .forward's are not
# processed until the system is fully operational
# KEYWORD: shutdown
# XXX - Get together with sendmail mantainer to figure out how to
# better handle SENDMAIL_ENABLE and 3rd party MTAs.
#
. /etc/rc.subr
name="sendmail"
rcvar="sendmail_enable"
required_files="/etc/mail/${name}.cf"
start_precmd="sendmail_precmd"
load_rc_config $name
command=${sendmail_program:-/usr/sbin/${name}}
pidfile=${sendmail_pidfile:-/var/run/${name}.pid}
procname=${sendmail_procname:-/usr/sbin/${name}}
CERTDIR=/etc/mail/certs
case ${sendmail_enable} in
[Nn][Oo][Nn][Ee])
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
;;
esac
# If sendmail_enable=yes, don't need submit or outbound daemon
if checkyesno sendmail_enable; then
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
fi
# If sendmail_submit_enable=yes, don't need outbound daemon
if checkyesno sendmail_submit_enable; then
sendmail_outbound_enable="NO"
fi
sendmail_cert_create()
{
cnname="${sendmail_cert_cn:-`hostname`}"
cnname="${cnname:-amnesiac}"
# based upon:
# http://www.sendmail.org/~ca/email/other/cagreg.html
CAdir=`mktemp -d` &&
certpass=`(date; ps ax ; hostname) | md5 -q`
# make certificate authority
( cd "$CAdir" &&
chmod 700 "$CAdir" &&
mkdir certs crl newcerts &&
echo "01" > serial &&
:> index.txt &&
cat <<-OPENSSL_CNF > openssl.cnf &&
RANDFILE = $CAdir/.rnd
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
certs = \$dir/certs # Where the issued certs are kept
crl_dir = \$dir/crl # Where the issued crl are kept
database = \$dir/index.txt # database index file.
new_certs_dir = \$dir/newcerts # default place for new certs.
certificate = \$dir/cacert.pem # The CA certificate
serial = \$dir/serial # The current serial number
crlnumber = \$dir/crlnumber # the current crl number
crl = \$dir/crl.pem # The current CRL
private_key = \$dir/cakey.pem
x509_extensions = usr_cert # The extentions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = utf8only
prompt = no
[ req_distinguished_name ]
countryName = XX
stateOrProvinceName = Some-state
localityName = Some-city
0.organizationName = Some-org
CN = $cnname
[ req_attributes ]
challengePassword = foobar
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
OPENSSL_CNF
# though we use a password, the key is discarded and never used
openssl req -batch -passout pass:"$certpass" -new -x509 \
-keyout cakey.pem -out cacert.pem -days 3650 \
-config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&
# make new certificate
openssl req -batch -nodes -new -x509 -keyout newkey.pem \
-out newreq.pem -days 365 -config openssl.cnf \
-newkey rsa:2048 >/dev/null 2>&1 &&
# sign certificate
openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
-out tmp.pem >/dev/null 2>&1 &&
openssl ca -notext -config openssl.cnf \
-out newcert.pem -keyfile cakey.pem -cert cacert.pem \
-key "$certpass" -batch -infiles tmp.pem >/dev/null 2>&1 &&
mkdir -p "$CERTDIR" &&
chmod 0755 "$CERTDIR" &&
chmod 644 newcert.pem cacert.pem &&
chmod 600 newkey.pem &&
cp -p newcert.pem "$CERTDIR"/host.cert &&
cp -p cacert.pem "$CERTDIR"/cacert.pem &&
cp -p newkey.pem "$CERTDIR"/host.key &&
ln -s cacert.pem "$CERTDIR"/`openssl x509 -hash -noout \
-in cacert.pem`.0)
retVal="$?"
rm -rf "$CAdir"
return "$retVal"
}
sendmail_precmd()
{
# Die if there's pre-8.10 custom configuration file. This check is
# mandatory for smooth upgrade. See NetBSD PR 10100 for details.
#
if checkyesno ${rcvar} && [ -f "/etc/${name}.cf" ]; then
if ! cmp -s "/etc/mail/${name}.cf" "/etc/${name}.cf"; then
warn \
"${name} was not started; you have multiple copies of sendmail.cf."
return 1
fi
fi
# check modifications on /etc/mail/aliases
if checkyesno sendmail_rebuild_aliases; then
if [ -f "/etc/mail/aliases.db" ]; then
if [ "/etc/mail/aliases" -nt "/etc/mail/aliases.db" ]; then
echo \
"${name}: /etc/mail/aliases newer than /etc/mail/aliases.db, regenerating"
/usr/bin/newaliases
fi
else
echo \
"${name}: /etc/mail/aliases.db not present, generating"
/usr/bin/newaliases
fi
fi
if checkyesno sendmail_cert_create && [ ! \( \
-f "$CERTDIR/host.cert" -o -f "$CERTDIR/host.key" -o \
-f "$CERTDIR/cacert.pem" \) ]; then
if ! openssl version >/dev/null 2>&1; then
warn "OpenSSL not available, but sendmail_cert_create is YES."
else
info Creating certificate for sendmail.
sendmail_cert_create
fi
fi
}
run_rc_command "$1"
required_files=
if checkyesno sendmail_submit_enable; then
name="sendmail_submit"
rcvar="sendmail_submit_enable"
run_rc_command "$1"
fi
if checkyesno sendmail_outbound_enable; then
name="sendmail_outbound"
rcvar="sendmail_outbound_enable"
run_rc_command "$1"
fi
name="sendmail_msp_queue"
rcvar="sendmail_msp_queue_enable"
pidfile="${sendmail_msp_queue_pidfile:-/var/spool/clientmqueue/sm-client.pid}"
required_files="/etc/mail/submit.cf"
run_rc_command "$1"
|
