Enable the automatic creation of a certificate (if one does not exists)

and enable the usage by sendmail if sendmail is enabled.  Include and
document knobs to disable this feature and also set the Common Name of
the certificate created.

As the certificate is signed w/ a discarded key, it only helps prevent
Eve, but not Malory from knowing the contents of the emails.

This means that new installs (and people that use the updated freebsd.mc
file) will automaticly have STARTTLS enabled allowing incoming email to
be encrypted in most cases.

Reviewed by:	gshapiro
MFC after:	3 days
Security:	Yes, please.
This commit is contained in:
John-Mark Gurney 2013-10-19 18:51:06 +00:00
parent 9768475eb0
commit ff14d523bb
4 changed files with 179 additions and 1 deletions

View File

@ -573,6 +573,8 @@ sendmail_enable="NO" # Run the sendmail inbound daemon (YES/NO).
sendmail_pidfile="/var/run/sendmail.pid" # sendmail pid file
sendmail_procname="/usr/sbin/sendmail" # sendmail process name
sendmail_flags="-L sm-mta -bd -q30m" # Flags to sendmail (as a server)
sendmail_cert_create="YES" # Create a server certificate if none (YES/NO)
#sendmail_cert_cn="CN" # CN of the generate certificate
sendmail_submit_enable="YES" # Start a localhost-only MTA for mail submission
sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost"
# Flags for localhost-only MTA

View File

@ -24,6 +24,8 @@ command=${sendmail_program:-/usr/sbin/${name}}
pidfile=${sendmail_pidfile:-/var/run/${name}.pid}
procname=${sendmail_procname:-/usr/sbin/${name}}
CERTDIR=/etc/mail/certs
case ${sendmail_enable} in
[Nn][Oo][Nn][Ee])
sendmail_enable="NO"
@ -44,6 +46,118 @@ if checkyesno sendmail_submit_enable; then
sendmail_outbound_enable="NO"
fi
sendmail_cert_create()
{
cnname="${sendmail_cert_cn:-`hostname`}"
cnname="${cnname:-amnesiac}"
# based upon:
# http://www.sendmail.org/~ca/email/other/cagreg.html
CAdir=`mktemp -d` &&
certpass=`(date; ps ax ; hostname) | md5 -q`
# make certificate authority
( cd "$CAdir" &&
chmod 700 "$CAdir" &&
mkdir certs crl newcerts &&
echo "01" > serial &&
:> index.txt &&
cat <<-OPENSSL_CNF > openssl.cnf &&
RANDFILE = $CAdir/.rnd
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
certs = \$dir/certs # Where the issued certs are kept
crl_dir = \$dir/crl # Where the issued crl are kept
database = \$dir/index.txt # database index file.
new_certs_dir = \$dir/newcerts # default place for new certs.
certificate = \$dir/cacert.pem # The CA certificate
serial = \$dir/serial # The current serial number
crlnumber = \$dir/crlnumber # the current crl number
crl = \$dir/crl.pem # The current CRL
private_key = \$dir/cakey.pem
x509_extensions = usr_cert # The extentions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = utf8only
prompt = no
[ req_distinguished_name ]
countryName = XX
stateOrProvinceName = Some-state
localityName = Some-city
0.organizationName = Some-org
CN = $cnname
[ req_attributes ]
challengePassword = foobar
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
OPENSSL_CNF
# though we use a password, the key is discarded and never used
openssl req -batch -passout pass:"$certpass" -new -x509 \
-keyout cakey.pem -out cacert.pem -days 3650 \
-config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&
# make new certificate
openssl req -batch -nodes -new -x509 -keyout newkey.pem \
-out newreq.pem -days 365 -config openssl.cnf \
-newkey rsa:2048 >/dev/null 2>&1 &&
# sign certificate
openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
-out tmp.pem >/dev/null 2>&1 &&
openssl ca -notext -config openssl.cnf \
-out newcert.pem -keyfile cakey.pem -cert cacert.pem \
-key "$certpass" -batch -infiles tmp.pem >/dev/null 2>&1 &&
mkdir -p "$CERTDIR" &&
chmod 0755 "$CERTDIR" &&
chmod 644 newcert.pem cacert.pem &&
chmod 600 newkey.pem &&
cp -p newcert.pem "$CERTDIR"/host.cert &&
cp -p cacert.pem "$CERTDIR"/cacert.pem &&
cp -p newkey.pem "$CERTDIR"/host.key &&
ln -s cacert.pem "$CERTDIR"/`openssl x509 -hash -noout \
-in cacert.pem`.0)
retVal="$?"
rm -rf "$CAdir"
return "$retVal"
}
sendmail_precmd()
{
# Die if there's pre-8.10 custom configuration file. This check is
@ -71,6 +185,17 @@ sendmail_precmd()
/usr/bin/newaliases
fi
fi
if checkyesno sendmail_cert_create && [ ! \( \
-f "$CERTDIR/host.cert" -o -f "$CERTDIR/host.key" -o \
-f "$CERTDIR/cacert.pem" \) ]; then
if ! openssl version >/dev/null 2>&1; then
warn "OpenSSL not available, but sendmail_cert_create is YES."
else
info Creating certificate for sendmail.
sendmail_cert_create
fi
fi
}
run_rc_command "$1"

View File

@ -42,6 +42,11 @@ divert(-1)
# /usr/share/sendmail/cf/README or
# /usr/src/contrib/sendmail/cf/README
#
#
# NOTE: If you enable RunAsUser, make sure that you adjust the permissions
# and owner of the SSL certificates and keys in /etc/mail/certs to be usable
# by that user.
#
divert(0)
VERSIONID(`$FreeBSD$')
@ -54,6 +59,16 @@ FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
dnl Enable STARTTLS for receiving email.
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confSERVER_CERT', `CERT_DIR/host.cert')dnl
define(`confSERVER_KEY', `CERT_DIR/host.key')dnl
define(`confCLIENT_CERT', `CERT_DIR/host.cert')dnl
define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl
dnl Uncomment to allow relaying based on your MX records.
dnl NOTE: This can allow sites to use your server as a backup MX without
dnl your permission.

View File

@ -26,7 +26,7 @@
.\"
.\" $FreeBSD$
.\"
.Dd March 30, 2002
.Dd October 19, 2013
.Dt RC.SENDMAIL 8
.Os
.Sh NAME
@ -119,6 +119,42 @@ The
.Dq Li NONE
option is deprecated and should not be used.
It will be removed in a future release.
.It Va sendmail_cert_create
.Pq Vt str
If
.Va sendmail_enable
is set to
.Dq Li YES ,
create a signed certificate
.Pa /etc/mail/certs/host.cert
representing
.Pa /etc/mail/certs/host.key
by the CA certificate in
.Pa /etc/mail/certs/cacert.pem .
This will enable connecting hosts to negotiate STARTTLS allowing incoming
email to be encrypted in transit.
.Xr sendmail 8
needs to be configured to use these generated files.
The default configuration in
.Pa /etc/mail/freebsd.mc
has the required options in it.
.It Va sendmail_cert_cn
.Pq Vt str
If
.Va sendmail_enable
is set to
.Dq Li YES
and
.Va sendmail_cert_create
is set to
.Dq Li YES ,
this is the Common Name (CN) of the certificate that will be created.
If
.Va sendmail_cert_cn
is not set, the system's hostname will be used.
If there is no hostname set,
.Dq Li amnesiac
will be used.
.It Va sendmail_flags
.Pq Vt str
If