#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: mail
# REQUIRE: LOGIN FILESYSTEMS
# we make mail start late, so that things like .forward's are not
# processed until the system is fully operational
# KEYWORD: shutdown
# XXX - Get together with sendmail mantainer to figure out how to
# better handle SENDMAIL_ENABLE and 3rd party MTAs.
#
. /etc/rc.subr
name="sendmail"
desc="Electronic mail transport agent"
rcvar="sendmail_enable"
required_files="/etc/mail/${name}.cf"
start_precmd="sendmail_precmd"
load_rc_config $name
command=${sendmail_program:-/usr/sbin/${name}}
pidfile=${sendmail_pidfile:-/var/run/${name}.pid}
procname=${sendmail_procname:-/usr/sbin/${name}}
CERTDIR=/etc/mail/certs
case ${sendmail_enable} in
[Nn][Oo][Nn][Ee])
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
;;
esac
# If sendmail_enable=yes, don't need submit or outbound daemon
if checkyesno sendmail_enable; then
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
fi
# If sendmail_submit_enable=yes, don't need outbound daemon
if checkyesno sendmail_submit_enable; then
sendmail_outbound_enable="NO"
fi
sendmail_cert_create()
{
cnname="${sendmail_cert_cn:-`hostname`}"
cnname="${cnname:-amnesiac}"
# based upon:
# http://www.sendmail.org/~ca/email/other/cagreg.html
CAdir=`mktemp -d` &&
certpass=`(date; ps ax ; hostname) | md5 -q`
# make certificate authority
( cd "$CAdir" &&
chmod 700 "$CAdir" &&
mkdir certs crl newcerts &&
echo "01" > serial &&
:> index.txt &&
cat <<-OPENSSL_CNF > openssl.cnf &&
RANDFILE = $CAdir/.rnd
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
certs = \$dir/certs # Where the issued certs are kept
crl_dir = \$dir/crl # Where the issued crl are kept
database = \$dir/index.txt # database index file.
new_certs_dir = \$dir/newcerts # default place for new certs.
certificate = \$dir/cacert.pem # The CA certificate
serial = \$dir/serial # The current serial number
crlnumber = \$dir/crlnumber # the current crl number
crl = \$dir/crl.pem # The current CRL
private_key = \$dir/cakey.pem
x509_extensions = usr_cert # The extensions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
prompt = no
[ req_distinguished_name ]
countryName = XX
stateOrProvinceName = Some-state
localityName = Some-city
0.organizationName = Some-org
CN = $cnname
[ req_attributes ]
challengePassword = foobar
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
OPENSSL_CNF
# though we use a password, the key is discarded and never used
openssl req -batch -passout pass:"$certpass" -new -x509 \
-keyout cakey.pem -out cacert.pem -days 3650 \
-config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&
# make new certificate
openssl req -batch -nodes -new -x509 -keyout newkey.pem \
-out newreq.pem -days 365 -config openssl.cnf \
-newkey rsa:2048 >/dev/null 2>&1 &&
# sign certificate
openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
-out tmp.pem >/dev/null 2>&1 &&
openssl ca -notext -config openssl.cnf \
-out newcert.pem -keyfile cakey.pem -cert cacert.pem \
-key "$certpass" -batch -infiles tmp.pem >/dev/null 2>&1 &&
mkdir -p "$CERTDIR" &&
chmod 0755 "$CERTDIR" &&
chmod 644 newcert.pem cacert.pem &&
chmod 600 newkey.pem &&
cp -p newcert.pem "$CERTDIR"/host.cert &&
cp -p cacert.pem "$CERTDIR"/cacert.pem &&
cp -p newkey.pem "$CERTDIR"/host.key &&
ln -s cacert.pem "$CERTDIR"/`openssl x509 -hash -noout \
-in cacert.pem`.0)
retVal="$?"
rm -rf "$CAdir"
return "$retVal"
}
sendmail_precmd()
{
# Die if there's pre-8.10 custom configuration file. This check is
# mandatory for smooth upgrade. See NetBSD PR 10100 for details.
#
if checkyesno ${rcvar} && [ -f "/etc/${name}.cf" ]; then
if ! cmp -s "/etc/mail/${name}.cf" "/etc/${name}.cf"; then
warn \
"${name} was not started; you have multiple copies of sendmail.cf."
return 1
fi
fi
# check modifications on /etc/mail/aliases
if checkyesno sendmail_rebuild_aliases; then
if [ -f "/etc/mail/aliases.db" ]; then
if [ "/etc/mail/aliases" -nt "/etc/mail/aliases.db" ]; then
echo \
"${name}: /etc/mail/aliases newer than /etc/mail/aliases.db, regenerating"
/usr/bin/newaliases
fi
else
echo \
"${name}: /etc/mail/aliases.db not present, generating"
/usr/bin/newaliases
fi
fi
if checkyesno sendmail_cert_create && [ ! \( \
-f "$CERTDIR/host.cert" -o -f "$CERTDIR/host.key" -o \
-f "$CERTDIR/cacert.pem" \) ]; then
if ! openssl version >/dev/null 2>&1; then
warn "OpenSSL not available, but sendmail_cert_create is YES."
else
info Creating certificate for sendmail.
sendmail_cert_create
fi
fi
}
run_rc_command "$1"
required_files=
if checkyesno sendmail_submit_enable; then
name="sendmail_submit"
rcvar="sendmail_submit_enable"
_rc_restart_done=false
run_rc_command "$1"
fi
if checkyesno sendmail_outbound_enable; then
name="sendmail_outbound"
rcvar="sendmail_outbound_enable"
_rc_restart_done=false
run_rc_command "$1"
fi
name="sendmail_msp_queue"
rcvar="sendmail_msp_queue_enable"
pidfile="${sendmail_msp_queue_pidfile:-/var/spool/clientmqueue/sm-client.pid}"
required_files="/etc/mail/submit.cf"
_rc_restart_done=false
run_rc_command "$1"