sendmail revision 330321
1#!/bin/sh 2# 3# $FreeBSD: stable/11/etc/rc.d/sendmail 330321 2018-03-03 10:32:00Z eadler $ 4# 5 6# PROVIDE: mail 7# REQUIRE: LOGIN FILESYSTEMS 8# we make mail start late, so that things like .forward's are not 9# processed until the system is fully operational 10# KEYWORD: shutdown 11 12# XXX - Get together with sendmail mantainer to figure out how to 13# better handle SENDMAIL_ENABLE and 3rd party MTAs. 14# 15. /etc/rc.subr 16 17name="sendmail" 18desc="Electronic mail transport agent" 19rcvar="sendmail_enable" 20required_files="/etc/mail/${name}.cf" 21start_precmd="sendmail_precmd" 22 23load_rc_config $name 24command=${sendmail_program:-/usr/sbin/${name}} 25pidfile=${sendmail_pidfile:-/var/run/${name}.pid} 26procname=${sendmail_procname:-/usr/sbin/${name}} 27 28CERTDIR=/etc/mail/certs 29 30case ${sendmail_enable} in 31[Nn][Oo][Nn][Ee]) 32 sendmail_enable="NO" 33 sendmail_submit_enable="NO" 34 sendmail_outbound_enable="NO" 35 sendmail_msp_queue_enable="NO" 36 ;; 37esac 38 39# If sendmail_enable=yes, don't need submit or outbound daemon 40if checkyesno sendmail_enable; then 41 sendmail_submit_enable="NO" 42 sendmail_outbound_enable="NO" 43fi 44 45# If sendmail_submit_enable=yes, don't need outbound daemon 46if checkyesno sendmail_submit_enable; then 47 sendmail_outbound_enable="NO" 48fi 49 50sendmail_cert_create() 51{ 52 cnname="${sendmail_cert_cn:-`hostname`}" 53 cnname="${cnname:-amnesiac}" 54 55 # based upon: 56 # http://www.sendmail.org/~ca/email/other/cagreg.html 57 CAdir=`mktemp -d` && 58 certpass=`(date; ps ax ; hostname) | md5 -q` 59 60 # make certificate authority 61 ( cd "$CAdir" && 62 chmod 700 "$CAdir" && 63 mkdir certs crl newcerts && 64 echo "01" > serial && 65 :> index.txt && 66 67 cat <<-OPENSSL_CNF > openssl.cnf && 68 RANDFILE = $CAdir/.rnd 69 [ ca ] 70 default_ca = CA_default 71 [ CA_default ] 72 dir = . 73 certs = \$dir/certs # Where the issued certs are kept 74 crl_dir = \$dir/crl # Where the issued crl are kept 75 database = \$dir/index.txt # database index file. 76 new_certs_dir = \$dir/newcerts # default place for new certs. 77 certificate = \$dir/cacert.pem # The CA certificate 78 serial = \$dir/serial # The current serial number 79 crlnumber = \$dir/crlnumber # the current crl number 80 crl = \$dir/crl.pem # The current CRL 81 private_key = \$dir/cakey.pem 82 x509_extensions = usr_cert # The extensions to add to the cert 83 name_opt = ca_default # Subject Name options 84 cert_opt = ca_default # Certificate field options 85 default_days = 365 # how long to certify for 86 default_crl_days= 30 # how long before next CRL 87 default_md = default # use public key default MD 88 preserve = no # keep passed DN ordering 89 policy = policy_anything 90 [ policy_anything ] 91 countryName = optional 92 stateOrProvinceName = optional 93 localityName = optional 94 organizationName = optional 95 organizationalUnitName = optional 96 commonName = supplied 97 emailAddress = optional 98 [ req ] 99 default_bits = 2048 100 default_keyfile = privkey.pem 101 distinguished_name = req_distinguished_name 102 attributes = req_attributes 103 x509_extensions = v3_ca # The extensions to add to the self signed cert 104 string_mask = utf8only 105 prompt = no 106 [ req_distinguished_name ] 107 countryName = XX 108 stateOrProvinceName = Some-state 109 localityName = Some-city 110 0.organizationName = Some-org 111 CN = $cnname 112 [ req_attributes ] 113 challengePassword = foobar 114 unstructuredName = An optional company name 115 [ usr_cert ] 116 basicConstraints=CA:FALSE 117 nsComment = "OpenSSL Generated Certificate" 118 subjectKeyIdentifier=hash 119 authorityKeyIdentifier=keyid,issuer 120 [ v3_req ] 121 basicConstraints = CA:FALSE 122 keyUsage = nonRepudiation, digitalSignature, keyEncipherment 123 [ v3_ca ] 124 subjectKeyIdentifier=hash 125 authorityKeyIdentifier=keyid:always,issuer 126 basicConstraints = CA:true 127 OPENSSL_CNF 128 129 # though we use a password, the key is discarded and never used 130 openssl req -batch -passout pass:"$certpass" -new -x509 \ 131 -keyout cakey.pem -out cacert.pem -days 3650 \ 132 -config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 && 133 134 # make new certificate 135 openssl req -batch -nodes -new -x509 -keyout newkey.pem \ 136 -out newreq.pem -days 365 -config openssl.cnf \ 137 -newkey rsa:2048 >/dev/null 2>&1 && 138 139 # sign certificate 140 openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \ 141 -out tmp.pem >/dev/null 2>&1 && 142 openssl ca -notext -config openssl.cnf \ 143 -out newcert.pem -keyfile cakey.pem -cert cacert.pem \ 144 -key "$certpass" -batch -infiles tmp.pem >/dev/null 2>&1 && 145 146 mkdir -p "$CERTDIR" && 147 chmod 0755 "$CERTDIR" && 148 chmod 644 newcert.pem cacert.pem && 149 chmod 600 newkey.pem && 150 cp -p newcert.pem "$CERTDIR"/host.cert && 151 cp -p cacert.pem "$CERTDIR"/cacert.pem && 152 cp -p newkey.pem "$CERTDIR"/host.key && 153 ln -s cacert.pem "$CERTDIR"/`openssl x509 -hash -noout \ 154 -in cacert.pem`.0) 155 156 retVal="$?" 157 rm -rf "$CAdir" 158 159 return "$retVal" 160} 161 162sendmail_precmd() 163{ 164 # Die if there's pre-8.10 custom configuration file. This check is 165 # mandatory for smooth upgrade. See NetBSD PR 10100 for details. 166 # 167 if checkyesno ${rcvar} && [ -f "/etc/${name}.cf" ]; then 168 if ! cmp -s "/etc/mail/${name}.cf" "/etc/${name}.cf"; then 169 warn \ 170 "${name} was not started; you have multiple copies of sendmail.cf." 171 return 1 172 fi 173 fi 174 175 # check modifications on /etc/mail/aliases 176 if checkyesno sendmail_rebuild_aliases; then 177 if [ -f "/etc/mail/aliases.db" ]; then 178 if [ "/etc/mail/aliases" -nt "/etc/mail/aliases.db" ]; then 179 echo \ 180 "${name}: /etc/mail/aliases newer than /etc/mail/aliases.db, regenerating" 181 /usr/bin/newaliases 182 fi 183 else 184 echo \ 185 "${name}: /etc/mail/aliases.db not present, generating" 186 /usr/bin/newaliases 187 fi 188 fi 189 190 if checkyesno sendmail_cert_create && [ ! \( \ 191 -f "$CERTDIR/host.cert" -o -f "$CERTDIR/host.key" -o \ 192 -f "$CERTDIR/cacert.pem" \) ]; then 193 if ! openssl version >/dev/null 2>&1; then 194 warn "OpenSSL not available, but sendmail_cert_create is YES." 195 else 196 info Creating certificate for sendmail. 197 sendmail_cert_create 198 fi 199 fi 200} 201 202run_rc_command "$1" 203 204required_files= 205 206if checkyesno sendmail_submit_enable; then 207 name="sendmail_submit" 208 rcvar="sendmail_submit_enable" 209 _rc_restart_done=false 210 run_rc_command "$1" 211fi 212 213if checkyesno sendmail_outbound_enable; then 214 name="sendmail_outbound" 215 rcvar="sendmail_outbound_enable" 216 _rc_restart_done=false 217 run_rc_command "$1" 218fi 219 220name="sendmail_msp_queue" 221rcvar="sendmail_msp_queue_enable" 222pidfile="${sendmail_msp_queue_pidfile:-/var/spool/clientmqueue/sm-client.pid}" 223required_files="/etc/mail/submit.cf" 224_rc_restart_done=false 225run_rc_command "$1" 226