Enable the automatic creation of a certificate (if one does not exists)

and enable the usage by sendmail if sendmail is enabled.  Include and
document knobs to disable this feature and also set the Common Name of
the certificate created.

As the certificate is signed w/ a discarded key, it only helps prevent
Eve, but not Malory from knowing the contents of the emails.

This means that new installs (and people that use the updated freebsd.mc
file) will automaticly have STARTTLS enabled allowing incoming email to
be encrypted in most cases.

Reviewed by:	gshapiro
MFC after:	3 days
Security:	Yes, please.

etc/defaults/rc.conf

@@ -573,6 +573,8 @@ sendmail_enable="NO"	# Run the sendmail inbound daemon (YES/NO).
 sendmail_pidfile="/var/run/sendmail.pid"	# sendmail pid file
 sendmail_procname="/usr/sbin/sendmail"		# sendmail process name
 sendmail_flags="-L sm-mta -bd -q30m" # Flags to sendmail (as a server)
+sendmail_cert_create="YES"	# Create a server certificate if none (YES/NO)
+#sendmail_cert_cn="CN"   	# CN of the generate certificate
 sendmail_submit_enable="YES"	# Start a localhost-only MTA for mail submission
 sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost"
 				# Flags for localhost-only MTA

etc/rc.d/sendmail

@@ -24,6 +24,8 @@ command=${sendmail_program:-/usr/sbin/${name}}
 pidfile=${sendmail_pidfile:-/var/run/${name}.pid}
 procname=${sendmail_procname:-/usr/sbin/${name}}
 
+CERTDIR=/etc/mail/certs
+
 case ${sendmail_enable} in
 [Nn][Oo][Nn][Ee])
 	sendmail_enable="NO"
@@ -44,6 +46,118 @@ if checkyesno sendmail_submit_enable; then
 	sendmail_outbound_enable="NO"
 fi
 
+sendmail_cert_create()
+{
+	cnname="${sendmail_cert_cn:-`hostname`}"
+	cnname="${cnname:-amnesiac}"
+
+	# based upon:
+	# http://www.sendmail.org/~ca/email/other/cagreg.html
+	CAdir=`mktemp -d` &&
+	certpass=`(date; ps ax ; hostname) | md5 -q`
+
+	# make certificate authority
+	( cd "$CAdir" &&
+	chmod 700 "$CAdir" &&
+	mkdir certs crl newcerts &&
+	echo "01" > serial &&
+	:> index.txt &&
+
+	cat <<-OPENSSL_CNF > openssl.cnf &&
+		RANDFILE	= $CAdir/.rnd
+		[ ca ]
+		default_ca	= CA_default
+		[ CA_default ]
+		dir		= .
+		certs		= \$dir/certs		# Where the issued certs are kept
+		crl_dir		= \$dir/crl		# Where the issued crl are kept
+		database	= \$dir/index.txt	# database index file.
+		new_certs_dir	= \$dir/newcerts	# default place for new certs.
+		certificate	= \$dir/cacert.pem 	# The CA certificate
+		serial		= \$dir/serial 		# The current serial number
+		crlnumber	= \$dir/crlnumber	# the current crl number
+		crl		= \$dir/crl.pem 	# The current CRL
+		private_key	= \$dir/cakey.pem
+		x509_extensions	= usr_cert		# The extentions to add to the cert
+		name_opt 	= ca_default		# Subject Name options
+		cert_opt 	= ca_default		# Certificate field options
+		default_days	= 365			# how long to certify for
+		default_crl_days= 30			# how long before next CRL
+		default_md	= default		# use public key default MD
+		preserve	= no			# keep passed DN ordering
+		policy		= policy_anything
+		[ policy_anything ]
+		countryName		= optional
+		stateOrProvinceName	= optional
+		localityName		= optional
+		organizationName	= optional
+		organizationalUnitName	= optional
+		commonName		= supplied
+		emailAddress		= optional
+		[ req ]
+		default_bits		= 2048
+		default_keyfile 	= privkey.pem
+		distinguished_name	= req_distinguished_name
+		attributes		= req_attributes
+		x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+		string_mask = utf8only
+		prompt = no
+		[ req_distinguished_name ]
+		countryName			= XX
+		stateOrProvinceName		= Some-state
+		localityName			= Some-city
+		0.organizationName		= Some-org
+		CN				= $cnname
+		[ req_attributes ]
+		challengePassword		= foobar
+		unstructuredName		= An optional company name
+		[ usr_cert ]
+		basicConstraints=CA:FALSE
+		nsComment			= "OpenSSL Generated Certificate"
+		subjectKeyIdentifier=hash
+		authorityKeyIdentifier=keyid,issuer
+		[ v3_req ]
+		basicConstraints = CA:FALSE
+		keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+		[ v3_ca ]
+		subjectKeyIdentifier=hash
+		authorityKeyIdentifier=keyid:always,issuer
+		basicConstraints = CA:true
+	OPENSSL_CNF
+
+	# though we use a password, the key is discarded and never used
+	openssl req -batch -passout pass:"$certpass" -new -x509 \
+	    -keyout cakey.pem -out cacert.pem -days 3650 \
+	    -config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&
+
+	# make new certificate
+	openssl req -batch -nodes -new -x509 -keyout newkey.pem \
+	    -out newreq.pem -days 365 -config openssl.cnf \
+	    -newkey rsa:2048 >/dev/null 2>&1 &&
+
+	# sign certificate
+	openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
+	    -out tmp.pem >/dev/null 2>&1 &&
+	openssl ca -notext -config openssl.cnf \
+	    -out newcert.pem -keyfile cakey.pem -cert cacert.pem \
+	    -key "$certpass" -batch -infiles tmp.pem >/dev/null 2>&1 &&
+
+	mkdir -p "$CERTDIR" &&
+	chmod 0755 "$CERTDIR" &&
+	chmod 644 newcert.pem cacert.pem &&
+	chmod 600 newkey.pem &&
+	cp -p newcert.pem "$CERTDIR"/host.cert &&
+	cp -p cacert.pem "$CERTDIR"/cacert.pem &&
+	cp -p newkey.pem "$CERTDIR"/host.key &&
+	ln -s cacert.pem "$CERTDIR"/`openssl x509 -hash -noout \
+	    -in cacert.pem`.0)
+
+	retVal="$?"
+	rm -rf "$CAdir"
+
+	return "$retVal"
+}
+
 sendmail_precmd()
 {
 	# Die if there's pre-8.10 custom configuration file.  This check is
@@ -71,6 +185,17 @@ sendmail_precmd()
 				/usr/bin/newaliases
 		fi
 	fi
+
+	if checkyesno sendmail_cert_create && [ ! \( \
+	    -f "$CERTDIR/host.cert" -o -f "$CERTDIR/host.key" -o \
+	    -f "$CERTDIR/cacert.pem" \) ]; then
+		if ! openssl version >/dev/null 2>&1; then
+			warn "OpenSSL not available, but sendmail_cert_create is YES."
+		else
+			info Creating certificate for sendmail.
+			sendmail_cert_create
+		fi
+	fi
 }
 
 run_rc_command "$1"

etc/sendmail/freebsd.mc

@@ -42,6 +42,11 @@ divert(-1)
 #  /usr/share/sendmail/cf/README or
 #  /usr/src/contrib/sendmail/cf/README
 # 
+#
+#  NOTE: If you enable RunAsUser, make sure that you adjust the permissions
+#  and owner of the SSL certificates and keys in /etc/mail/certs to be usable
+#  by that user.
+#
 
 divert(0)
 VERSIONID(`$FreeBSD$')
@@ -54,6 +59,16 @@ FEATURE(local_lmtp)
 FEATURE(mailertable, `hash -o /etc/mail/mailertable')
 FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
 
+dnl Enable STARTTLS for receiving email.
+define(`CERT_DIR', `/etc/mail/certs')dnl
+define(`confSERVER_CERT', `CERT_DIR/host.cert')dnl
+define(`confSERVER_KEY', `CERT_DIR/host.key')dnl
+define(`confCLIENT_CERT', `CERT_DIR/host.cert')dnl
+define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl
+define(`confCACERT', `CERT_DIR/cacert.pem')dnl
+define(`confCACERT_PATH', `CERT_DIR')dnl
+define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl
+
 dnl Uncomment to allow relaying based on your MX records.
 dnl NOTE: This can allow sites to use your server as a backup MX without
 dnl       your permission.

share/man/man8/rc.sendmail.8

@@ -26,7 +26,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd March 30, 2002
+.Dd October 19, 2013
 .Dt RC.SENDMAIL 8
 .Os
 .Sh NAME
@@ -119,6 +119,42 @@ The
 .Dq Li NONE
 option is deprecated and should not be used.
 It will be removed in a future release.
+.It Va sendmail_cert_create
+.Pq Vt str
+If
+.Va sendmail_enable
+is set to
+.Dq Li YES ,
+create a signed certificate
+.Pa /etc/mail/certs/host.cert
+representing
+.Pa /etc/mail/certs/host.key
+by the CA certificate in
+.Pa /etc/mail/certs/cacert.pem .
+This will enable connecting hosts to negotiate STARTTLS allowing incoming
+email to be encrypted in transit.
+.Xr sendmail 8
+needs to be configured to use these generated files.
+The default configuration in
+.Pa /etc/mail/freebsd.mc
+has the required options in it.
+.It Va sendmail_cert_cn
+.Pq Vt str
+If
+.Va sendmail_enable
+is set to
+.Dq Li YES
+and
+.Va sendmail_cert_create
+is set to
+.Dq Li YES ,
+this is the Common Name (CN) of the certificate that will be created.
+If
+.Va sendmail_cert_cn
+is not set, the system's hostname will be used.
+If there is no hostname set,
+.Dq Li amnesiac
+will be used.
 .It Va sendmail_flags
 .Pq Vt str
 If