f2730d1d65
Mostly comments but these tend to be user-visible. MFC after: 2 weeks
#!/bin/sh
#
# $FreeBSD$
#

# PROVIDE: mail
# REQUIRE: LOGIN FILESYSTEMS
# we make mail start late, so that things like .forward's are not
# processed until the system is fully operational
# KEYWORD: shutdown

# XXX - Get together with the sendmail maintainer to figure out how to
# better handle SENDMAIL_ENABLE and 3rd party MTAs.
#
. /etc/rc.subr

# rc.d glue for sendmail.  One script drives up to four instances: the
# MTA (sendmail_enable), the submit daemon (sendmail_submit_enable), the
# outbound daemon (sendmail_outbound_enable) and the MSP client queue
# runner (sendmail_msp_queue_enable).  run_rc_command is called once per
# instance at the bottom of the file, with name/rcvar/pidfile reassigned
# in between, so the order of the assignments below matters.
name="sendmail"
desc="Electronic mail transport agent"
rcvar="sendmail_enable"
required_files="/etc/mail/${name}.cf"
start_precmd="sendmail_precmd"

load_rc_config $name
# Overridable from rc.conf: sendmail_program, sendmail_pidfile and
# sendmail_procname.  Evaluated only after load_rc_config so that the
# rc.conf values are visible.
command=${sendmail_program:-/usr/sbin/${name}}
pidfile=${sendmail_pidfile:-/var/run/${name}.pid}
procname=${sendmail_procname:-/usr/sbin/${name}}

# Where sendmail_cert_create installs host.cert, host.key and cacert.pem.
CERTDIR=/etc/mail/certs

# sendmail_enable=NONE turns off every instance, the MSP queue runner
# included; a plain NO leaves the other *_enable knobs as configured.
case ${sendmail_enable} in
[Nn][Oo][Nn][Ee])
	sendmail_enable="NO"
	sendmail_submit_enable="NO"
	sendmail_outbound_enable="NO"
	sendmail_msp_queue_enable="NO"
	;;
esac

# If sendmail_enable=yes, don't need submit or outbound daemon
# NOTE(review): the sendmail_*_enable variables are assumed to already
# be set (normally via load_rc_config) before checkyesno sees them.
if checkyesno sendmail_enable; then
	sendmail_submit_enable="NO"
	sendmail_outbound_enable="NO"
fi

# If sendmail_submit_enable=yes, don't need outbound daemon
if checkyesno sendmail_submit_enable; then
	sendmail_outbound_enable="NO"
fi
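sendmail_cert_create()
{
	# Build a throw-away CA in a private temporary directory, issue a
	# host certificate with it, install the results in $CERTDIR and
	# destroy the CA.  The CA private key never leaves the temp dir.
	#
	# Called from sendmail_precmd when sendmail_cert_create is YES and
	# none of host.cert, host.key or cacert.pem exist in $CERTDIR.
	#
	# Reads:   sendmail_cert_cn - CN and DNS SAN of the host cert;
	#                             defaults to `hostname`, then "amnesiac"
	#          CERTDIR          - installation directory
	# Writes:  $CERTDIR/host.cert  (0644) the host certificate
	#          $CERTDIR/host.key   (0600) the unencrypted host private key
	#          $CERTDIR/cacert.pem (0644) the throw-away CA certificate
	#          $CERTDIR/<hash>.0          symlink to cacert.pem
	# Returns: 0 on success; non-zero if mktemp or any openssl/cp step
	#          fails (a partial set of files may then be left behind).
	#
	# Caveats:
	#  - The host certificate is issued for 365 days and the CA for
	#    3650; nothing here renews either.  Once the files exist the
	#    precmd check never calls this again, so expiry must be handled
	#    by deleting the files (or replacing them with real ones).
	#  - The certificate is signed by a CA no peer trusts; it provides
	#    opportunistic STARTTLS, not an authenticated identity.
	local cnname CAdir certpass retVal

	cnname="${sendmail_cert_cn:-$(hostname)}"
	cnname="${cnname:-amnesiac}"

	# based upon:
	# http://www.sendmail.org/~ca/email/other/cagreg.html
	CAdir=$(mktemp -d) || return 1

	# Passphrase for the throw-away CA key.  It need not be strong: the
	# key is used for a single signature inside a 0700 directory and is
	# deleted with it below.  It is handed to openssl through the
	# environment (env:CERTPASS) rather than argv so it does not show
	# up in ps(1) while openssl runs.
	certpass=$( (date; ps ax; hostname) | md5 -q)

	# make certificate authority
	( cd "$CAdir" &&
	chmod 700 "$CAdir" &&
	mkdir certs crl newcerts &&
	echo "01" > serial &&
	:> index.txt &&

	# <<- strips the leading tabs.  \$dir is left for openssl to expand;
	# $CAdir and $cnname are expanded by the shell here.
	cat <<-OPENSSL_CNF > openssl.cnf &&
	RANDFILE = $CAdir/.rnd
	[ ca ]
	default_ca = CA_default
	[ CA_default ]
	dir = .
	certs = \$dir/certs # Where the issued certs are kept
	crl_dir = \$dir/crl # Where the issued crl are kept
	database = \$dir/index.txt # database index file.
	new_certs_dir = \$dir/newcerts # default place for new certs.
	certificate = \$dir/cacert.pem # The CA certificate
	serial = \$dir/serial # The current serial number
	crlnumber = \$dir/crlnumber # the current crl number
	crl = \$dir/crl.pem # The current CRL
	private_key = \$dir/cakey.pem
	x509_extensions = usr_cert # The extensions to add to the cert
	name_opt = ca_default # Subject Name options
	cert_opt = ca_default # Certificate field options
	default_days = 365 # how long to certify for
	default_crl_days= 30 # how long before next CRL
	default_md = default # use public key default MD
	preserve = no # keep passed DN ordering
	policy = policy_anything
	[ policy_anything ]
	countryName = optional
	stateOrProvinceName = optional
	localityName = optional
	organizationName = optional
	organizationalUnitName = optional
	commonName = supplied
	emailAddress = optional
	[ req ]
	default_bits = 2048
	default_keyfile = privkey.pem
	distinguished_name = req_distinguished_name
	attributes = req_attributes
	x509_extensions = v3_ca # The extensions to add to the self signed cert
	string_mask = utf8only
	prompt = no
	[ req_distinguished_name ]
	countryName = XX
	stateOrProvinceName = Some-state
	localityName = Some-city
	0.organizationName = Some-org
	CN = $cnname
	# Only used when emitting a CSR; both req invocations below use
	# -x509, so these values should be inert.
	[ req_attributes ]
	challengePassword = foobar
	unstructuredName = An optional company name
	# Extensions for the host certificate (applied by "openssl ca").
	# No keyUsage/extendedKeyUsage is set, so the cert is usable on
	# both the server (inbound) and client (outbound) side of STARTTLS.
	# Peers that verify names match subjectAltName, not CN, so the
	# name is carried in both.
	[ usr_cert ]
	basicConstraints=CA:FALSE
	nsComment = "OpenSSL Generated Certificate"
	subjectKeyIdentifier=hash
	authorityKeyIdentifier=keyid,issuer
	subjectAltName = @alt_names
	[ alt_names ]
	DNS.1 = $cnname
	[ v3_req ]
	basicConstraints = CA:FALSE
	keyUsage = nonRepudiation, digitalSignature, keyEncipherment
	[ v3_ca ]
	subjectKeyIdentifier=hash
	authorityKeyIdentifier=keyid:always,issuer
	basicConstraints = CA:true
	OPENSSL_CNF

	# Self-signed CA certificate.  The passphrase-protected CA key is
	# used exactly once, by "openssl ca" below, and is then discarded
	# together with $CAdir.
	CERTPASS="$certpass" openssl req -batch -passout env:CERTPASS \
	    -new -x509 -keyout cakey.pem -out cacert.pem -days 3650 \
	    -config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&

	# make new certificate (host key is left unencrypted: -nodes)
	openssl req -batch -nodes -new -x509 -keyout newkey.pem \
	    -out newreq.pem -days 365 -config openssl.cnf \
	    -newkey rsa:2048 >/dev/null 2>&1 &&

	# sign certificate: turn the self-signed cert back into a request
	# and have the throw-away CA issue it with the usr_cert extensions
	openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
	    -out tmp.pem >/dev/null 2>&1 &&
	CERTPASS="$certpass" openssl ca -notext -config openssl.cnf \
	    -out newcert.pem -keyfile cakey.pem -cert cacert.pem \
	    -passin env:CERTPASS -batch -infiles tmp.pem >/dev/null 2>&1 &&

	# install: certs world-readable, private key root-only
	mkdir -p "$CERTDIR" &&
	chmod 0755 "$CERTDIR" &&
	chmod 644 newcert.pem cacert.pem &&
	chmod 600 newkey.pem &&
	cp -p newcert.pem "$CERTDIR"/host.cert &&
	cp -p cacert.pem "$CERTDIR"/cacert.pem &&
	cp -p newkey.pem "$CERTDIR"/host.key &&
	ln -s cacert.pem "$CERTDIR/$(openssl x509 -hash -noout \
	    -in cacert.pem).0")

	retVal="$?"
	# Always remove the CA directory (and with it cakey.pem), whether
	# or not the chain above succeeded.
	rm -rf "$CAdir"

	return "$retVal"
}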
sendmail_precmd()
{
	# start_precmd hook for the primary sendmail instance.  Refuses to
	# start if a stale /etc/sendmail.cf differs from /etc/mail/sendmail.cf
	# (pre-8.10 layout, see NetBSD PR 10100), optionally rebuilds the
	# aliases database, and creates a TLS certificate if requested and
	# none is present yet.
	#
	# Reads:   rcvar, name, CERTDIR, sendmail_rebuild_aliases,
	#          sendmail_cert_create
	# Returns: 1 when two differing copies of sendmail.cf exist (the
	#          daemon is then not started); otherwise the status of the
	#          last check performed.
	local alias_src alias_db

	if checkyesno ${rcvar} && [ -f "/etc/${name}.cf" ]; then
		cmp -s "/etc/mail/${name}.cf" "/etc/${name}.cf" || {
			warn \
			"${name} was not started; you have multiple copies of sendmail.cf."
			return 1
		}
	fi

	# Rebuild aliases.db when it is missing or older than its source.
	# newaliases' exit status is not checked; a failure only leaves the
	# old database in place.
	if checkyesno sendmail_rebuild_aliases; then
		alias_src="/etc/mail/aliases"
		alias_db="/etc/mail/aliases.db"
		if [ ! -f "$alias_db" ]; then
			echo \
			"${name}: /etc/mail/aliases.db not present, generating"
			/usr/bin/newaliases
		elif [ "$alias_src" -nt "$alias_db" ]; then
			echo \
			"${name}: /etc/mail/aliases newer than /etc/mail/aliases.db, regenerating"
			/usr/bin/newaliases
		fi
	fi

	# Only generate a certificate when none of the three files exists;
	# an existing (even expired) set is never touched.
	if checkyesno sendmail_cert_create &&
	    [ ! -f "$CERTDIR/host.cert" ] &&
	    [ ! -f "$CERTDIR/host.key" ] &&
	    [ ! -f "$CERTDIR/cacert.pem" ]; then
		if openssl version >/dev/null 2>&1; then
			info Creating certificate for sendmail.
			sendmail_cert_create
		else
			warn "OpenSSL not available, but sendmail_cert_create is YES."
		fi
	fi
}
# Primary MTA instance (name=sendmail, rcvar=sendmail_enable, with the
# sendmail.cf required_files check and the sendmail_precmd hook).
run_rc_command "$1"

# The sendmail.cf requirement applies to the primary daemon only; clear
# it before the remaining instances (the MSP queue instance sets its own
# below).  command/procname stay as set at the top of the file; only the
# rc name and rcvar change per instance so run_rc_command works from the
# per-instance variables.
required_files=

if checkyesno sendmail_submit_enable; then
	name="sendmail_submit"
	rcvar="sendmail_submit_enable"
	run_rc_command "$1"
fi

if checkyesno sendmail_outbound_enable; then
	name="sendmail_outbound"
	rcvar="sendmail_outbound_enable"
	run_rc_command "$1"
fi

# MSP client queue runner.  Unlike the instances above this one is not
# suppressed by sendmail_enable=YES (only by sendmail_enable=NONE or its
# own rcvar); it has its own pidfile and needs submit.cf rather than
# sendmail.cf.
name="sendmail_msp_queue"
rcvar="sendmail_msp_queue_enable"
pidfile="${sendmail_msp_queue_pidfile:-/var/spool/clientmqueue/sm-client.pid}"
required_files="/etc/mail/submit.cf"
run_rc_command "$1"