Enable the automatic creation of a certificate (if one does not exists)
and enable the usage by sendmail if sendmail is enabled. Include and document knobs to disable this feature and also set the Common Name of the certificate created. As the certificate is signed w/ a discarded key, it only helps prevent Eve, but not Malory from knowing the contents of the emails. This means that new installs (and people that use the updated freebsd.mc file) will automaticly have STARTTLS enabled allowing incoming email to be encrypted in most cases. Reviewed by: gshapiro MFC after: 3 days Security: Yes, please.
This commit is contained in:
parent
1a884d59cf
commit
a25e3add85
@ -573,6 +573,8 @@ sendmail_enable="NO" # Run the sendmail inbound daemon (YES/NO).
|
|||||||
sendmail_pidfile="/var/run/sendmail.pid" # sendmail pid file
|
sendmail_pidfile="/var/run/sendmail.pid" # sendmail pid file
|
||||||
sendmail_procname="/usr/sbin/sendmail" # sendmail process name
|
sendmail_procname="/usr/sbin/sendmail" # sendmail process name
|
||||||
sendmail_flags="-L sm-mta -bd -q30m" # Flags to sendmail (as a server)
|
sendmail_flags="-L sm-mta -bd -q30m" # Flags to sendmail (as a server)
|
||||||
|
sendmail_cert_create="YES" # Create a server certificate if none (YES/NO)
|
||||||
|
#sendmail_cert_cn="CN" # CN of the generate certificate
|
||||||
sendmail_submit_enable="YES" # Start a localhost-only MTA for mail submission
|
sendmail_submit_enable="YES" # Start a localhost-only MTA for mail submission
|
||||||
sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost"
|
sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost"
|
||||||
# Flags for localhost-only MTA
|
# Flags for localhost-only MTA
|
||||||
|
@ -24,6 +24,8 @@ command=${sendmail_program:-/usr/sbin/${name}}
|
|||||||
pidfile=${sendmail_pidfile:-/var/run/${name}.pid}
|
pidfile=${sendmail_pidfile:-/var/run/${name}.pid}
|
||||||
procname=${sendmail_procname:-/usr/sbin/${name}}
|
procname=${sendmail_procname:-/usr/sbin/${name}}
|
||||||
|
|
||||||
|
CERTDIR=/etc/mail/certs
|
||||||
|
|
||||||
case ${sendmail_enable} in
|
case ${sendmail_enable} in
|
||||||
[Nn][Oo][Nn][Ee])
|
[Nn][Oo][Nn][Ee])
|
||||||
sendmail_enable="NO"
|
sendmail_enable="NO"
|
||||||
@ -44,6 +46,118 @@ if checkyesno sendmail_submit_enable; then
|
|||||||
sendmail_outbound_enable="NO"
|
sendmail_outbound_enable="NO"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
sendmail_cert_create()
|
||||||
|
{
|
||||||
|
cnname="${sendmail_cert_cn:-`hostname`}"
|
||||||
|
cnname="${cnname:-amnesiac}"
|
||||||
|
|
||||||
|
# based upon:
|
||||||
|
# http://www.sendmail.org/~ca/email/other/cagreg.html
|
||||||
|
CAdir=`mktemp -d` &&
|
||||||
|
certpass=`(date; ps ax ; hostname) | md5 -q`
|
||||||
|
|
||||||
|
# make certificate authority
|
||||||
|
( cd "$CAdir" &&
|
||||||
|
chmod 700 "$CAdir" &&
|
||||||
|
mkdir certs crl newcerts &&
|
||||||
|
echo "01" > serial &&
|
||||||
|
:> index.txt &&
|
||||||
|
|
||||||
|
cat <<-OPENSSL_CNF > openssl.cnf &&
|
||||||
|
RANDFILE = $CAdir/.rnd
|
||||||
|
[ ca ]
|
||||||
|
default_ca = CA_default
|
||||||
|
[ CA_default ]
|
||||||
|
dir = .
|
||||||
|
certs = \$dir/certs # Where the issued certs are kept
|
||||||
|
crl_dir = \$dir/crl # Where the issued crl are kept
|
||||||
|
database = \$dir/index.txt # database index file.
|
||||||
|
new_certs_dir = \$dir/newcerts # default place for new certs.
|
||||||
|
certificate = \$dir/cacert.pem # The CA certificate
|
||||||
|
serial = \$dir/serial # The current serial number
|
||||||
|
crlnumber = \$dir/crlnumber # the current crl number
|
||||||
|
crl = \$dir/crl.pem # The current CRL
|
||||||
|
private_key = \$dir/cakey.pem
|
||||||
|
x509_extensions = usr_cert # The extentions to add to the cert
|
||||||
|
name_opt = ca_default # Subject Name options
|
||||||
|
cert_opt = ca_default # Certificate field options
|
||||||
|
default_days = 365 # how long to certify for
|
||||||
|
default_crl_days= 30 # how long before next CRL
|
||||||
|
default_md = default # use public key default MD
|
||||||
|
preserve = no # keep passed DN ordering
|
||||||
|
policy = policy_anything
|
||||||
|
[ policy_anything ]
|
||||||
|
countryName = optional
|
||||||
|
stateOrProvinceName = optional
|
||||||
|
localityName = optional
|
||||||
|
organizationName = optional
|
||||||
|
organizationalUnitName = optional
|
||||||
|
commonName = supplied
|
||||||
|
emailAddress = optional
|
||||||
|
[ req ]
|
||||||
|
default_bits = 2048
|
||||||
|
default_keyfile = privkey.pem
|
||||||
|
distinguished_name = req_distinguished_name
|
||||||
|
attributes = req_attributes
|
||||||
|
x509_extensions = v3_ca # The extentions to add to the self signed cert
|
||||||
|
string_mask = utf8only
|
||||||
|
prompt = no
|
||||||
|
[ req_distinguished_name ]
|
||||||
|
countryName = XX
|
||||||
|
stateOrProvinceName = Some-state
|
||||||
|
localityName = Some-city
|
||||||
|
0.organizationName = Some-org
|
||||||
|
CN = $cnname
|
||||||
|
[ req_attributes ]
|
||||||
|
challengePassword = foobar
|
||||||
|
unstructuredName = An optional company name
|
||||||
|
[ usr_cert ]
|
||||||
|
basicConstraints=CA:FALSE
|
||||||
|
nsComment = "OpenSSL Generated Certificate"
|
||||||
|
subjectKeyIdentifier=hash
|
||||||
|
authorityKeyIdentifier=keyid,issuer
|
||||||
|
[ v3_req ]
|
||||||
|
basicConstraints = CA:FALSE
|
||||||
|
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||||
|
[ v3_ca ]
|
||||||
|
subjectKeyIdentifier=hash
|
||||||
|
authorityKeyIdentifier=keyid:always,issuer
|
||||||
|
basicConstraints = CA:true
|
||||||
|
OPENSSL_CNF
|
||||||
|
|
||||||
|
# though we use a password, the key is discarded and never used
|
||||||
|
openssl req -batch -passout pass:"$certpass" -new -x509 \
|
||||||
|
-keyout cakey.pem -out cacert.pem -days 3650 \
|
||||||
|
-config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&
|
||||||
|
|
||||||
|
# make new certificate
|
||||||
|
openssl req -batch -nodes -new -x509 -keyout newkey.pem \
|
||||||
|
-out newreq.pem -days 365 -config openssl.cnf \
|
||||||
|
-newkey rsa:2048 >/dev/null 2>&1 &&
|
||||||
|
|
||||||
|
# sign certificate
|
||||||
|
openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
|
||||||
|
-out tmp.pem >/dev/null 2>&1 &&
|
||||||
|
openssl ca -notext -config openssl.cnf \
|
||||||
|
-out newcert.pem -keyfile cakey.pem -cert cacert.pem \
|
||||||
|
-key "$certpass" -batch -infiles tmp.pem >/dev/null 2>&1 &&
|
||||||
|
|
||||||
|
mkdir -p "$CERTDIR" &&
|
||||||
|
chmod 0755 "$CERTDIR" &&
|
||||||
|
chmod 644 newcert.pem cacert.pem &&
|
||||||
|
chmod 600 newkey.pem &&
|
||||||
|
cp -p newcert.pem "$CERTDIR"/host.cert &&
|
||||||
|
cp -p cacert.pem "$CERTDIR"/cacert.pem &&
|
||||||
|
cp -p newkey.pem "$CERTDIR"/host.key &&
|
||||||
|
ln -s cacert.pem "$CERTDIR"/`openssl x509 -hash -noout \
|
||||||
|
-in cacert.pem`.0)
|
||||||
|
|
||||||
|
retVal="$?"
|
||||||
|
rm -rf "$CAdir"
|
||||||
|
|
||||||
|
return "$retVal"
|
||||||
|
}
|
||||||
|
|
||||||
sendmail_precmd()
|
sendmail_precmd()
|
||||||
{
|
{
|
||||||
# Die if there's pre-8.10 custom configuration file. This check is
|
# Die if there's pre-8.10 custom configuration file. This check is
|
||||||
@ -71,6 +185,17 @@ sendmail_precmd()
|
|||||||
/usr/bin/newaliases
|
/usr/bin/newaliases
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if checkyesno sendmail_cert_create && [ ! \( \
|
||||||
|
-f "$CERTDIR/host.cert" -o -f "$CERTDIR/host.key" -o \
|
||||||
|
-f "$CERTDIR/cacert.pem" \) ]; then
|
||||||
|
if ! openssl version >/dev/null 2>&1; then
|
||||||
|
warn "OpenSSL not available, but sendmail_cert_create is YES."
|
||||||
|
else
|
||||||
|
info Creating certificate for sendmail.
|
||||||
|
sendmail_cert_create
|
||||||
|
fi
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
run_rc_command "$1"
|
run_rc_command "$1"
|
||||||
|
@ -42,6 +42,11 @@ divert(-1)
|
|||||||
# /usr/share/sendmail/cf/README or
|
# /usr/share/sendmail/cf/README or
|
||||||
# /usr/src/contrib/sendmail/cf/README
|
# /usr/src/contrib/sendmail/cf/README
|
||||||
#
|
#
|
||||||
|
#
|
||||||
|
# NOTE: If you enable RunAsUser, make sure that you adjust the permissions
|
||||||
|
# and owner of the SSL certificates and keys in /etc/mail/certs to be usable
|
||||||
|
# by that user.
|
||||||
|
#
|
||||||
|
|
||||||
divert(0)
|
divert(0)
|
||||||
VERSIONID(`$FreeBSD$')
|
VERSIONID(`$FreeBSD$')
|
||||||
@ -54,6 +59,16 @@ FEATURE(local_lmtp)
|
|||||||
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
|
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
|
||||||
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
|
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
|
||||||
|
|
||||||
|
dnl Enable STARTTLS for receiving email.
|
||||||
|
define(`CERT_DIR', `/etc/mail/certs')dnl
|
||||||
|
define(`confSERVER_CERT', `CERT_DIR/host.cert')dnl
|
||||||
|
define(`confSERVER_KEY', `CERT_DIR/host.key')dnl
|
||||||
|
define(`confCLIENT_CERT', `CERT_DIR/host.cert')dnl
|
||||||
|
define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl
|
||||||
|
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
|
||||||
|
define(`confCACERT_PATH', `CERT_DIR')dnl
|
||||||
|
define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl
|
||||||
|
|
||||||
dnl Uncomment to allow relaying based on your MX records.
|
dnl Uncomment to allow relaying based on your MX records.
|
||||||
dnl NOTE: This can allow sites to use your server as a backup MX without
|
dnl NOTE: This can allow sites to use your server as a backup MX without
|
||||||
dnl your permission.
|
dnl your permission.
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
.\"
|
.\"
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.\"
|
.\"
|
||||||
.Dd March 30, 2002
|
.Dd October 19, 2013
|
||||||
.Dt RC.SENDMAIL 8
|
.Dt RC.SENDMAIL 8
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -119,6 +119,42 @@ The
|
|||||||
.Dq Li NONE
|
.Dq Li NONE
|
||||||
option is deprecated and should not be used.
|
option is deprecated and should not be used.
|
||||||
It will be removed in a future release.
|
It will be removed in a future release.
|
||||||
|
.It Va sendmail_cert_create
|
||||||
|
.Pq Vt str
|
||||||
|
If
|
||||||
|
.Va sendmail_enable
|
||||||
|
is set to
|
||||||
|
.Dq Li YES ,
|
||||||
|
create a signed certificate
|
||||||
|
.Pa /etc/mail/certs/host.cert
|
||||||
|
representing
|
||||||
|
.Pa /etc/mail/certs/host.key
|
||||||
|
by the CA certificate in
|
||||||
|
.Pa /etc/mail/certs/cacert.pem .
|
||||||
|
This will enable connecting hosts to negotiate STARTTLS allowing incoming
|
||||||
|
email to be encrypted in transit.
|
||||||
|
.Xr sendmail 8
|
||||||
|
needs to be configured to use these generated files.
|
||||||
|
The default configuration in
|
||||||
|
.Pa /etc/mail/freebsd.mc
|
||||||
|
has the required options in it.
|
||||||
|
.It Va sendmail_cert_cn
|
||||||
|
.Pq Vt str
|
||||||
|
If
|
||||||
|
.Va sendmail_enable
|
||||||
|
is set to
|
||||||
|
.Dq Li YES
|
||||||
|
and
|
||||||
|
.Va sendmail_cert_create
|
||||||
|
is set to
|
||||||
|
.Dq Li YES ,
|
||||||
|
this is the Common Name (CN) of the certificate that will be created.
|
||||||
|
If
|
||||||
|
.Va sendmail_cert_cn
|
||||||
|
is not set, the system's hostname will be used.
|
||||||
|
If there is no hostname set,
|
||||||
|
.Dq Li amnesiac
|
||||||
|
will be used.
|
||||||
.It Va sendmail_flags
|
.It Va sendmail_flags
|
||||||
.Pq Vt str
|
.Pq Vt str
|
||||||
If
|
If
|
||||||
|
Loading…
Reference in New Issue
Block a user