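#!/bin/sh
#
# $FreeBSD$
#

# PROVIDE: mail
# REQUIRE: LOGIN FILESYSTEMS
# we make mail start late, so that things like .forward's are not
# processed until the system is fully operational
# KEYWORD: shutdown

# XXX - Get together with sendmail maintainer to figure out how to
# better handle SENDMAIL_ENABLE and 3rd party MTAs.
#
. /etc/rc.subr

name="sendmail"
rcvar="sendmail_enable"
required_files="/etc/mail/${name}.cf"
start_precmd="sendmail_precmd"

load_rc_config "$name"
command=${sendmail_program:-/usr/sbin/${name}}
pidfile=${sendmail_pidfile:-/var/run/${name}.pid}
procname=${sendmail_procname:-/usr/sbin/${name}}

# Where sendmail_cert_create() installs the generated TLS material
# (host.cert, host.key, cacert.pem plus the cacert.pem hash symlink).
# Note that cacert.pem is installed as a trust anchor here, so anything
# signed by that throwaway CA would be trusted; the CA key only ever
# exists inside a private scratch directory that is removed as soon as
# host.cert has been signed, so nothing else can be issued under it.
CERTDIR=/etc/mail/certs

# sendmail_enable=NONE switches off every sendmail daemon at once.
case ${sendmail_enable} in
[Nn][Oo][Nn][Ee])
	sendmail_enable="NO"
	sendmail_submit_enable="NO"
	sendmail_outbound_enable="NO"
	sendmail_msp_queue_enable="NO"
	;;
esac

# If sendmail_enable=yes, don't need submit or outbound daemon
if checkyesno sendmail_enable; then
	sendmail_submit_enable="NO"
	sendmail_outbound_enable="NO"
fi

# If sendmail_submit_enable=yes, don't need outbound daemon
if checkyesno sendmail_submit_enable; then
	sendmail_outbound_enable="NO"
fi

# sendmail_cert_create
#	Generate a self-signed throwaway CA, issue one host certificate
#	under it (CN = sendmail_cert_cn, else hostname, else "amnesiac")
#	and install host.cert, host.key and cacert.pem into $CERTDIR.
#	All intermediate material, including the CA private key, lives in
#	a mode-0700 mktemp directory that is removed before returning.
#	Returns the status of the generation pipeline (0 on success);
#	diagnostics from openssl are discarded, so callers should report
#	a non-zero return themselves.
sendmail_cert_create()
{
	cnname="${sendmail_cert_cn:-$(hostname)}"
	cnname="${cnname:-amnesiac}"

	# based upon:
	# http://www.sendmail.org/~ca/email/other/cagreg.html

	# Bail out before touching anything if no scratch directory could
	# be made; otherwise the pipeline below would operate on "".
	CAdir=$(mktemp -d) || return 1
	if [ -z "$CAdir" ]; then
		return 1
	fi

	# make certificate authority
	( cd "$CAdir" &&
	chmod 700 "$CAdir" &&
	mkdir certs crl newcerts &&
	echo "01" > serial &&
	:> index.txt &&

	cat <<-OPENSSL_CNF > openssl.cnf &&
	RANDFILE = $CAdir/.rnd
	[ ca ]
	default_ca = CA_default
	[ CA_default ]
	dir = .
	certs = \$dir/certs # Where the issued certs are kept
	crl_dir = \$dir/crl # Where the issued crl are kept
	database = \$dir/index.txt # database index file.
	new_certs_dir = \$dir/newcerts # default place for new certs.
	certificate = \$dir/cacert.pem # The CA certificate
	serial = \$dir/serial # The current serial number
	crlnumber = \$dir/crlnumber # the current crl number
	crl = \$dir/crl.pem # The current CRL
	private_key = \$dir/cakey.pem
	x509_extensions = usr_cert # The extensions to add to the cert
	name_opt = ca_default # Subject Name options
	cert_opt = ca_default # Certificate field options
	default_days = 365 # how long to certify for
	default_crl_days= 30 # how long before next CRL
	default_md = default # use public key default MD
	preserve = no # keep passed DN ordering
	policy = policy_anything
	[ policy_anything ]
	countryName = optional
	stateOrProvinceName = optional
	localityName = optional
	organizationName = optional
	organizationalUnitName = optional
	commonName = supplied
	emailAddress = optional
	[ req ]
	default_bits = 2048
	default_keyfile = privkey.pem
	distinguished_name = req_distinguished_name
	attributes = req_attributes
	x509_extensions = v3_ca # The extensions to add to the self signed cert
	string_mask = utf8only
	prompt = no
	[ req_distinguished_name ]
	countryName = XX
	stateOrProvinceName = Some-state
	localityName = Some-city
	0.organizationName = Some-org
	CN = $cnname
	[ req_attributes ]
	challengePassword = foobar
	unstructuredName = An optional company name
	[ usr_cert ]
	basicConstraints=CA:FALSE
	nsComment = "OpenSSL Generated Certificate"
	subjectKeyIdentifier=hash
	authorityKeyIdentifier=keyid,issuer
	[ v3_req ]
	basicConstraints = CA:FALSE
	keyUsage = nonRepudiation, digitalSignature, keyEncipherment
	[ v3_ca ]
	subjectKeyIdentifier=hash
	authorityKeyIdentifier=keyid:always,issuer
	basicConstraints = CA:true
OPENSSL_CNF

	# The CA key is used exactly once (to sign host.cert below) and is
	# destroyed with the scratch directory.  It is written unencrypted
	# (-nodes) on purpose: a passphrase would have to be handed to
	# openssl on the command line, where it is visible to every user
	# via ps(1), which protects nothing for a key that only exists for
	# a few seconds inside a mode-0700 directory.
	openssl req -batch -nodes -new -x509 \
	    -keyout cakey.pem -out cacert.pem -days 3650 \
	    -config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&

	# make new certificate (host key must be unencrypted for sendmail)
	openssl req -batch -nodes -new -x509 -keyout newkey.pem \
	    -out newreq.pem -days 365 -config openssl.cnf \
	    -newkey rsa:2048 >/dev/null 2>&1 &&

	# sign certificate: turn the self-signed cert back into a request
	# and issue it under the throwaway CA (usr_cert extensions apply)
	openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
	    -out tmp.pem >/dev/null 2>&1 &&
	openssl ca -notext -config openssl.cnf \
	    -out newcert.pem -keyfile cakey.pem -cert cacert.pem \
	    -batch -infiles tmp.pem >/dev/null 2>&1 &&

	# Install.  Permissions are fixed before the copy (-p preserves
	# them) so host.key is never world-readable in $CERTDIR, not even
	# briefly.
	mkdir -p "$CERTDIR" &&
	chmod 0755 "$CERTDIR" &&
	chmod 644 newcert.pem cacert.pem &&
	chmod 600 newkey.pem &&
	cp -p newcert.pem "$CERTDIR"/host.cert &&
	cp -p cacert.pem "$CERTDIR"/cacert.pem &&
	cp -p newkey.pem "$CERTDIR"/host.key &&

	# Hash symlink so the CA is found by directory lookup.  Refuse to
	# create a bogus "$CERTDIR/.0" if the hash cannot be computed, and
	# replace a stale link left behind by an earlier run.
	cahash=$(openssl x509 -hash -noout -in cacert.pem) &&
	[ -n "$cahash" ] &&
	ln -sf cacert.pem "$CERTDIR/$cahash.0" )

	retVal="$?"
	rm -rf "$CAdir"

	return "$retVal"
}

# sendmail_precmd
#	Run before the main daemon starts: refuse to start when a stale
#	pre-8.10 /etc/sendmail.cf disagrees with /etc/mail/sendmail.cf,
#	rebuild the aliases database when it is missing or out of date,
#	and create TLS material on first start if sendmail_cert_create
#	is set.  Returns 1 only for the sendmail.cf conflict.
sendmail_precmd()
{
	# Die if there's pre-8.10 custom configuration file. This check is
	# mandatory for smooth upgrade. See NetBSD PR 10100 for details.
	#
	if checkyesno ${rcvar} && [ -f "/etc/${name}.cf" ]; then
		if ! cmp -s "/etc/mail/${name}.cf" "/etc/${name}.cf"; then
			warn \
    "${name} was not started; you have multiple copies of sendmail.cf."
			return 1
		fi
	fi

	# check modifications on /etc/mail/aliases
	if checkyesno sendmail_rebuild_aliases; then
		if [ -f "/etc/mail/aliases.db" ]; then
			if [ "/etc/mail/aliases" -nt "/etc/mail/aliases.db" ]; then
				echo \
    "${name}: /etc/mail/aliases newer than /etc/mail/aliases.db, regenerating"
				/usr/bin/newaliases
			fi
		else
			echo \
    "${name}: /etc/mail/aliases.db not present, generating"
			/usr/bin/newaliases
		fi
	fi

	# Generate TLS material only when none of the three files exists;
	# an administrator-installed certificate or key is never touched.
	# A failure here is reported but does not prevent the daemon from
	# starting (it simply runs without TLS), as before.
	if checkyesno sendmail_cert_create; then
		if [ -f "$CERTDIR/host.cert" ] || [ -f "$CERTDIR/host.key" ] || \
		    [ -f "$CERTDIR/cacert.pem" ]; then
			: # existing certificate material, leave it alone
		elif ! openssl version >/dev/null 2>&1; then
			warn "OpenSSL not available, but sendmail_cert_create is YES."
		else
			info "Creating certificate for sendmail."
			sendmail_cert_create ||
			    warn "Certificate creation for ${name} failed; check ${CERTDIR}."
		fi
	fi
}

run_rc_command "$1"

required_files=

if checkyesno sendmail_submit_enable; then
	name="sendmail_submit"
	rcvar="sendmail_submit_enable"
	run_rc_command "$1"
fi

if checkyesno sendmail_outbound_enable; then
	name="sendmail_outbound"
	rcvar="sendmail_outbound_enable"
	run_rc_command "$1"
fi

name="sendmail_msp_queue"
rcvar="sendmail_msp_queue_enable"
pidfile="${sendmail_msp_queue_pidfile:-/var/spool/clientmqueue/sm-client.pid}"
required_files="/etc/mail/submit.cf"
run_rc_command "$1"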