freebsd-dev/etc/rc.d/sendmail
John-Mark Gurney ff14d523bb Enable the automatic creation of a certificate (if one does not exists)
and enable the usage by sendmail if sendmail is enabled.  Include and
document knobs to disable this feature and also set the Common Name of
the certificate created.

As the certificate is signed w/ a discarded key, it only helps prevent
Eve, but not Malory from knowing the contents of the emails.

This means that new installs (and people that use the updated freebsd.mc
file) will automaticly have STARTTLS enabled allowing incoming email to
be encrypted in most cases.

Reviewed by:	gshapiro
MFC after:	3 days
Security:	Yes, please.
2013-10-19 18:51:06 +00:00

222 lines
6.2 KiB
Bash
Executable File

#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: mail
# REQUIRE: LOGIN FILESYSTEMS
# we make mail start late, so that things like .forward's are not
# processed until the system is fully operational
# KEYWORD: shutdown
# XXX - Get together with sendmail mantainer to figure out how to
# better handle SENDMAIL_ENABLE and 3rd party MTAs.
#
. /etc/rc.subr
name="sendmail"
rcvar="sendmail_enable"
required_files="/etc/mail/${name}.cf"
start_precmd="sendmail_precmd"
load_rc_config $name
command=${sendmail_program:-/usr/sbin/${name}}
pidfile=${sendmail_pidfile:-/var/run/${name}.pid}
procname=${sendmail_procname:-/usr/sbin/${name}}
CERTDIR=/etc/mail/certs
case ${sendmail_enable} in
[Nn][Oo][Nn][Ee])
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
;;
esac
# If sendmail_enable=yes, don't need submit or outbound daemon
if checkyesno sendmail_enable; then
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
fi
# If sendmail_submit_enable=yes, don't need outbound daemon
if checkyesno sendmail_submit_enable; then
sendmail_outbound_enable="NO"
fi
sendmail_cert_create()
{
cnname="${sendmail_cert_cn:-`hostname`}"
cnname="${cnname:-amnesiac}"
# based upon:
# http://www.sendmail.org/~ca/email/other/cagreg.html
CAdir=`mktemp -d` &&
certpass=`(date; ps ax ; hostname) | md5 -q`
# make certificate authority
( cd "$CAdir" &&
chmod 700 "$CAdir" &&
mkdir certs crl newcerts &&
echo "01" > serial &&
:> index.txt &&
cat <<-OPENSSL_CNF > openssl.cnf &&
RANDFILE = $CAdir/.rnd
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
certs = \$dir/certs # Where the issued certs are kept
crl_dir = \$dir/crl # Where the issued crl are kept
database = \$dir/index.txt # database index file.
new_certs_dir = \$dir/newcerts # default place for new certs.
certificate = \$dir/cacert.pem # The CA certificate
serial = \$dir/serial # The current serial number
crlnumber = \$dir/crlnumber # the current crl number
crl = \$dir/crl.pem # The current CRL
private_key = \$dir/cakey.pem
x509_extensions = usr_cert # The extentions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = utf8only
prompt = no
[ req_distinguished_name ]
countryName = XX
stateOrProvinceName = Some-state
localityName = Some-city
0.organizationName = Some-org
CN = $cnname
[ req_attributes ]
challengePassword = foobar
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
OPENSSL_CNF
# though we use a password, the key is discarded and never used
openssl req -batch -passout pass:"$certpass" -new -x509 \
-keyout cakey.pem -out cacert.pem -days 3650 \
-config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&
# make new certificate
openssl req -batch -nodes -new -x509 -keyout newkey.pem \
-out newreq.pem -days 365 -config openssl.cnf \
-newkey rsa:2048 >/dev/null 2>&1 &&
# sign certificate
openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
-out tmp.pem >/dev/null 2>&1 &&
openssl ca -notext -config openssl.cnf \
-out newcert.pem -keyfile cakey.pem -cert cacert.pem \
-key "$certpass" -batch -infiles tmp.pem >/dev/null 2>&1 &&
mkdir -p "$CERTDIR" &&
chmod 0755 "$CERTDIR" &&
chmod 644 newcert.pem cacert.pem &&
chmod 600 newkey.pem &&
cp -p newcert.pem "$CERTDIR"/host.cert &&
cp -p cacert.pem "$CERTDIR"/cacert.pem &&
cp -p newkey.pem "$CERTDIR"/host.key &&
ln -s cacert.pem "$CERTDIR"/`openssl x509 -hash -noout \
-in cacert.pem`.0)
retVal="$?"
rm -rf "$CAdir"
return "$retVal"
}
sendmail_precmd()
{
# Die if there's pre-8.10 custom configuration file. This check is
# mandatory for smooth upgrade. See NetBSD PR 10100 for details.
#
if checkyesno ${rcvar} && [ -f "/etc/${name}.cf" ]; then
if ! cmp -s "/etc/mail/${name}.cf" "/etc/${name}.cf"; then
warn \
"${name} was not started; you have multiple copies of sendmail.cf."
return 1
fi
fi
# check modifications on /etc/mail/aliases
if checkyesno sendmail_rebuild_aliases; then
if [ -f "/etc/mail/aliases.db" ]; then
if [ "/etc/mail/aliases" -nt "/etc/mail/aliases.db" ]; then
echo \
"${name}: /etc/mail/aliases newer than /etc/mail/aliases.db, regenerating"
/usr/bin/newaliases
fi
else
echo \
"${name}: /etc/mail/aliases.db not present, generating"
/usr/bin/newaliases
fi
fi
if checkyesno sendmail_cert_create && [ ! \( \
-f "$CERTDIR/host.cert" -o -f "$CERTDIR/host.key" -o \
-f "$CERTDIR/cacert.pem" \) ]; then
if ! openssl version >/dev/null 2>&1; then
warn "OpenSSL not available, but sendmail_cert_create is YES."
else
info Creating certificate for sendmail.
sendmail_cert_create
fi
fi
}
run_rc_command "$1"
required_files=
if checkyesno sendmail_submit_enable; then
name="sendmail_submit"
rcvar="sendmail_submit_enable"
run_rc_command "$1"
fi
if checkyesno sendmail_outbound_enable; then
name="sendmail_outbound"
rcvar="sendmail_outbound_enable"
run_rc_command "$1"
fi
name="sendmail_msp_queue"
rcvar="sendmail_msp_queue_enable"
pidfile="${sendmail_msp_queue_pidfile:-/var/spool/clientmqueue/sm-client.pid}"
required_files="/etc/mail/submit.cf"
run_rc_command "$1"