freebsd-skq/share/man/man8/rc.sendmail.8
John-Mark Gurney ff14d523bb Enable the automatic creation of a certificate (if one does not exists)
and enable the usage by sendmail if sendmail is enabled.  Include and
document knobs to disable this feature and also set the Common Name of
the certificate created.

As the certificate is signed w/ a discarded key, it only helps prevent
Eve, but not Malory from knowing the contents of the emails.

This means that new installs (and people that use the updated freebsd.mc
file) will automaticly have STARTTLS enabled allowing incoming email to
be encrypted in most cases.

Reviewed by:	gshapiro
MFC after:	3 days
Security:	Yes, please.
2013-10-19 18:51:06 +00:00

299 lines
6.8 KiB
Groff

.\" Copyright (c) 1995
.\" Jordan K. Hubbard
.\" Copyright (c) 2002 The FreeBSD Project
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd October 19, 2013
.Dt RC.SENDMAIL 8
.Os
.Sh NAME
.Nm rc.sendmail
.Nd
.Xr sendmail 8
startup script
.Sh DESCRIPTION
The
.Nm
script is used by
.Pa /etc/rc
at boot time to start
.Xr sendmail 8 .
It is meant to be
.Xr sendmail 8
specific and not a generic script for all MTAs.
It is only called by
.Pa /etc/rc
if the
.Xr rc.conf 5
.Va mta_start_script
variable is set to
.Pa /etc/rc.sendmail .
.Pp
The
.Nm
script can take an optional argument specifying the action to
perform.
The available actions are:
.Bl -tag -width ".Cm restart-mspq"
.It Cm start
Starts both the MTA and the MSP queue runner.
.It Cm stop
Stops both the MTA and the MSP queue runner.
.It Cm restart
Restarts both the MTA and the MSP queue runner.
.It Cm start-mta
Starts just the MTA.
.It Cm stop-mta
Stops just the MTA.
.It Cm restart-mta
Restarts just the MTA.
.It Cm start-mspq
Starts just the MSP queue runner.
.It Cm stop-mspq
Stops just the MSP queue runner.
.It Cm restart-mspq
Restarts just the MSP queue runner.
.El
.Pp
If no action is specified,
.Cm start
is assumed.
.Pp
The
.Nm
script is also used by
.Pa /etc/mail/Makefile
to enable the
.Pa Makefile Ns 's
.Cm start , stop ,
and
.Cm restart
targets.
.Sh RC.CONF VARIABLES
The following variables affect the behavior of
.Nm .
They are defined in
.Pa /etc/defaults/rc.conf
and can be changed in
.Pa /etc/rc.conf .
.Bl -tag -width indent
.It Va sendmail_enable
.Pq Vt str
If set to
.Dq Li YES ,
run the
.Xr sendmail 8
daemon at system boot time.
If set to
.Dq Li NO ,
do not run a
.Xr sendmail 8
daemon to listen for incoming network mail.
This does not preclude a
.Xr sendmail 8
daemon listening on the SMTP port of the loopback interface.
The
.Dq Li NONE
option is deprecated and should not be used.
It will be removed in a future release.
.It Va sendmail_cert_create
.Pq Vt str
If
.Va sendmail_enable
is set to
.Dq Li YES ,
create a signed certificate
.Pa /etc/mail/certs/host.cert
representing
.Pa /etc/mail/certs/host.key
by the CA certificate in
.Pa /etc/mail/certs/cacert.pem .
This will enable connecting hosts to negotiate STARTTLS allowing incoming
email to be encrypted in transit.
.Xr sendmail 8
needs to be configured to use these generated files.
The default configuration in
.Pa /etc/mail/freebsd.mc
has the required options in it.
.It Va sendmail_cert_cn
.Pq Vt str
If
.Va sendmail_enable
is set to
.Dq Li YES
and
.Va sendmail_cert_create
is set to
.Dq Li YES ,
this is the Common Name (CN) of the certificate that will be created.
If
.Va sendmail_cert_cn
is not set, the system's hostname will be used.
If there is no hostname set,
.Dq Li amnesiac
will be used.
.It Va sendmail_flags
.Pq Vt str
If
.Va sendmail_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sendmail 8
daemon.
.It Va sendmail_submit_enable
.Pq Vt bool
If set to
.Dq Li YES
and
.Va sendmail_enable
is set to
.Dq Li NO ,
run
.Xr sendmail 8
using
.Va sendmail_submit_flags
instead of
.Va sendmail_flags .
This is intended to allow local mail submission via
a localhost-only listening SMTP service required for running
.Xr sendmail 8
as a non-set-user-ID binary.
Note that this does not work inside
.Xr jail 2
systems, as jails do not allow binding to just the localhost interface.
.It Va sendmail_submit_flags
.Pq Vt str
If
.Va sendmail_enable
is set to
.Dq Li NO
and
.Va sendmail_submit_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sendmail 8
daemon.
.It Va sendmail_outbound_enable
.Pq Vt bool
If set to
.Dq Li YES
and both
.Va sendmail_enable
and
.Va sendmail_submit_enable
are set to
.Dq Li NO ,
run
.Xr sendmail 8
using
.Va sendmail_outbound_flags
instead of
.Va sendmail_flags .
This is intended to allow local mail queue management
for systems that do not offer a listening SMTP service.
.It Va sendmail_outbound_flags
.Pq Vt str
If both
.Va sendmail_enable
and
.Va sendmail_submit_enable
are set to
.Dq Li NO
and
.Va sendmail_outbound_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sendmail 8
daemon.
.It Va sendmail_msp_queue_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start a client (MSP) queue runner
.Xr sendmail 8
daemon at system boot time.
As of sendmail 8.12, a separate queue is used for command line
submissions.
The client queue runner ensures that nothing is
left behind in the submission queue.
.It Va sendmail_msp_queue_flags
.Pq Vt str
If
.Va sendmail_msp_queue_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sendmail 8
daemon.
.El
.Pp
These variables are used to determine how the
.Xr sendmail 8
daemons are started:
.Bd -literal -offset indent
# MTA
if (${sendmail_enable} == NONE)
# Do nothing
else if (${sendmail_enable} == YES)
start sendmail with ${sendmail_flags}
else if (${sendmail_submit_enable} == YES)
start sendmail with ${sendmail_submit_flags}
else if (${sendmail_outbound_enable} == YES)
start sendmail with ${sendmail_outbound_flags}
endif
# MSP Queue Runner
if (${sendmail_enable} != NONE &&
[ -r /etc/mail/submit.cf] &&
${sendmail_msp_queue_enable} == YES)
start sendmail with ${sendmail_msp_queue_flags}
endif
.Ed
.Pp
To completely prevent any
.Xr sendmail 8
daemons from starting, you must
set the following variables in
.Pa /etc/rc.conf :
.Bd -literal -offset indent
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
.Ed
.Sh SEE ALSO
.Xr rc.conf 5 ,
.Xr rc 8 ,
.Xr sendmail 8
.Sh HISTORY
The
.Nm
file appeared in
.Fx 4.6 .