1#!/bin/sh
2#
3#
4
5# PROVIDE: mail
6# REQUIRE: LOGIN FILESYSTEMS
7#	we make mail start late, so that things like .forward's are not
8#	processed until the system is fully operational
9# KEYWORD: shutdown
10
# XXX - Get together with sendmail maintainer to figure out how to
12#	better handle SENDMAIL_ENABLE and 3rd party MTAs.
13#
. /etc/rc.subr

# Identity of the primary daemon as seen by rc.subr.  name/rcvar/
# required_files are re-pointed further down for the submit, outbound and
# msp_queue instances, which reuse this same script.
name="sendmail"
desc="Electronic mail transport agent"
rcvar="sendmail_enable"
required_files="/etc/mail/${name}.cf"
start_precmd="sendmail_precmd"

# ":=" assigns the default only when the variable is unset or empty.
# Presumably consumed by rc.subr's service-jail (svcj) support -- confirm.
: ${sendmail_svcj_options:="net_basic"}

# Read the rc.conf settings for $name first, so the ":-" defaults below
# only apply when the administrator did not set sendmail_program,
# sendmail_pidfile or sendmail_procname.
load_rc_config $name
command=${sendmail_program:-/usr/sbin/${name}}
pidfile=${sendmail_pidfile:-/var/run/${name}.pid}
procname=${sendmail_procname:-/usr/sbin/${name}}

# Where sendmail_cert_create installs the generated TLS key/certificates;
# sendmail_precmd also checks this directory before generating anything.
CERTDIR=/etc/mail/certs

# sendmail_enable=NONE (any letter case) switches off all four daemons at
# once; the plain YES/NO cases are handled by the checkyesno calls below.
case ${sendmail_enable} in
[Nn][Oo][Nn][Ee])
	sendmail_enable="NO"
	sendmail_submit_enable="NO"
	sendmail_outbound_enable="NO"
	sendmail_msp_queue_enable="NO"
	;;
esac

# If sendmail_enable=yes, don't need submit or outbound daemon
# (the full daemon already accepts local submissions and delivers outbound).
if checkyesno sendmail_enable; then
	sendmail_submit_enable="NO"
	sendmail_outbound_enable="NO"
fi

# If sendmail_submit_enable=yes, don't need outbound daemon
if checkyesno sendmail_submit_enable; then
	sendmail_outbound_enable="NO"
fi
50
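#######################################
# Create a throw-away CA plus a host certificate/key for sendmail's TLS
# support and install them under $CERTDIR as host.cert, host.key,
# cacert.pem and a hash-named symlink to cacert.pem.
# Globals:   sendmail_cert_cn (read, optional CN override), CERTDIR (read)
# Arguments: none
# Outputs:   nothing on stdout; openssl diagnostics are discarded
# Returns:   0 on success, non-zero if any step fails
#######################################
sendmail_cert_create()
{
	# CN defaults to the hostname, then to a fixed placeholder so the
	# request never carries an empty commonName (policy_anything below
	# marks it "supplied").
	cnname="${sendmail_cert_cn:-$(hostname)}"
	cnname="${cnname:-amnesiac}"

	# based upon:
	# http://www.sendmail.org/~ca/email/other/cagreg.html
	#
	# All scratch files live in a private temporary directory that is
	# removed below whatever happens.  Bail out early instead of running
	# the chain with an empty $CAdir when mktemp fails.
	CAdir=$(mktemp -d) || return 1

	# Passphrase protecting the throw-away CA key.  It only has to hold
	# for the lifetime of this function, but it should not be derived
	# from observable system state, so take it from openssl's CSPRNG.
	certpass=$(openssl rand -hex 16) || { rm -rf "$CAdir"; return 1; }

	# make certificate authority
	( cd "$CAdir" &&
	chmod 700 "$CAdir" &&
	# exported inside this subshell only: the passphrase is handed to
	# openssl through env: rather than on the command line, where it
	# would be visible to every local user via ps(1)
	export certpass &&
	mkdir certs crl newcerts &&
	echo "01" > serial &&
	:> index.txt &&

	cat <<-OPENSSL_CNF > openssl.cnf &&
		RANDFILE	= $CAdir/.rnd
		[ ca ]
		default_ca	= CA_default
		[ CA_default ]
		dir		= .
		certs		= \$dir/certs		# Where the issued certs are kept
		crl_dir		= \$dir/crl		# Where the issued crl are kept
		database	= \$dir/index.txt	# database index file.
		new_certs_dir	= \$dir/newcerts	# default place for new certs.
		certificate	= \$dir/cacert.pem 	# The CA certificate
		serial		= \$dir/serial 		# The current serial number
		crlnumber	= \$dir/crlnumber	# the current crl number
		crl		= \$dir/crl.pem 	# The current CRL
		private_key	= \$dir/cakey.pem
		x509_extensions	= usr_cert		# The extensions to add to the cert
		name_opt 	= ca_default		# Subject Name options
		cert_opt 	= ca_default		# Certificate field options
		default_days	= 365			# how long to certify for
		default_crl_days= 30			# how long before next CRL
		default_md	= default		# use public key default MD
		preserve	= no			# keep passed DN ordering
		policy		= policy_anything
		[ policy_anything ]
		countryName		= optional
		stateOrProvinceName	= optional
		localityName		= optional
		organizationName	= optional
		organizationalUnitName	= optional
		commonName		= supplied
		emailAddress		= optional
		[ req ]
		default_bits		= 2048
		default_keyfile 	= privkey.pem
		distinguished_name	= req_distinguished_name
		attributes		= req_attributes
		x509_extensions	= v3_ca	# The extensions to add to the self signed cert
		string_mask = utf8only
		prompt = no
		[ req_distinguished_name ]
		countryName			= XX
		stateOrProvinceName		= Some-state
		localityName			= Some-city
		0.organizationName		= Some-org
		CN				= $cnname
		[ req_attributes ]
		challengePassword		= foobar
		unstructuredName		= An optional company name
		[ usr_cert ]
		basicConstraints=CA:FALSE
		nsComment			= "OpenSSL Generated Certificate"
		subjectKeyIdentifier=hash
		authorityKeyIdentifier=keyid,issuer
		[ v3_req ]
		basicConstraints = CA:FALSE
		keyUsage = nonRepudiation, digitalSignature, keyEncipherment
		[ v3_ca ]
		subjectKeyIdentifier=hash
		authorityKeyIdentifier=keyid:always,issuer
		basicConstraints = CA:true
	OPENSSL_CNF

	# though we use a password, the CA key is discarded with $CAdir and
	# never used again after signing the host certificate below
	openssl req -batch -passout env:certpass -new -x509 \
	    -keyout cakey.pem -out cacert.pem -days 3650 \
	    -config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&

	# make new certificate (unencrypted key: sendmail must read it unattended)
	openssl req -batch -nodes -new -x509 -keyout newkey.pem \
	    -out newreq.pem -days 365 -config openssl.cnf \
	    -newkey rsa:2048 >/dev/null 2>&1 &&

	# sign certificate
	openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
	    -out tmp.pem >/dev/null 2>&1 &&
	openssl ca -notext -config openssl.cnf \
	    -out newcert.pem -keyfile cakey.pem -cert cacert.pem \
	    -passin env:certpass -batch -infiles tmp.pem >/dev/null 2>&1 &&

	# install: modes are set before the copy so the private key is never
	# world-readable in $CERTDIR, even briefly
	mkdir -p "$CERTDIR" &&
	chmod 0755 "$CERTDIR" &&
	chmod 644 newcert.pem cacert.pem &&
	chmod 600 newkey.pem &&
	cp -p newcert.pem "$CERTDIR"/host.cert &&
	cp -p cacert.pem "$CERTDIR"/cacert.pem &&
	cp -p newkey.pem "$CERTDIR"/host.key &&
	# subject-hash symlink (c_rehash style); fail rather than create a
	# bogus "$CERTDIR/.0" link if the hash cannot be computed
	cahash=$(openssl x509 -hash -noout -in cacert.pem) &&
	ln -s cacert.pem "$CERTDIR/$cahash.0")

	# capture the subshell's status before cleanup can clobber it
	retVal="$?"
	rm -rf "$CAdir"
	unset certpass

	return "$retVal"
}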
162
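#######################################
# start_precmd hook for the primary sendmail daemon: refuses to start on
# a stale pre-8.10 config layout, rebuilds the aliases database when it
# is missing or out of date, generates TLS material on first use, and
# makes sure the statistics file exists.
# Globals:   name, rcvar, CERTDIR (read); sendmail_rebuild_aliases and
#            sendmail_cert_create (read through checkyesno)
# Arguments: none
# Returns:   1 to veto startup when /etc/${name}.cf exists and differs
#            from /etc/mail/${name}.cf, 0 otherwise
#######################################
sendmail_precmd()
{
	# Die if there's pre-8.10 custom configuration file.  This check is
	# mandatory for smooth upgrade.  See NetBSD PR 10100 for details.
	#
	if checkyesno "${rcvar}" && [ -f "/etc/${name}.cf" ]; then
		if ! cmp -s "/etc/mail/${name}.cf" "/etc/${name}.cf"; then
			warn \
    "${name} was not started; you have multiple copies of sendmail.cf."
			return 1
		fi
	fi

	# check modifications on /etc/mail/aliases; a failed rebuild is
	# reported but does not block startup
	if checkyesno sendmail_rebuild_aliases; then
		if [ ! -f "/etc/mail/aliases.db" ]; then
			echo "${name}: /etc/mail/aliases.db not present, generating"
			/usr/bin/newaliases ||
			    warn "${name}: newaliases failed."
		elif [ "/etc/mail/aliases" -nt "/etc/mail/aliases.db" ]; then
			echo "${name}: /etc/mail/aliases newer than /etc/mail/aliases.db, regenerating"
			/usr/bin/newaliases ||
			    warn "${name}: newaliases failed."
		fi
	fi

	# Generate a certificate only when none of the three files exists, so
	# a partially present (e.g. hand-installed) set is never overwritten.
	if checkyesno sendmail_cert_create &&
	    [ ! -f "$CERTDIR/host.cert" ] &&
	    [ ! -f "$CERTDIR/host.key" ] &&
	    [ ! -f "$CERTDIR/cacert.pem" ]; then
		if ! openssl version >/dev/null 2>&1; then
			warn "OpenSSL not available, but sendmail_cert_create is YES."
		else
			info Creating certificate for sendmail.
			# non-fatal, as before, but the failure must not go unnoticed
			sendmail_cert_create ||
			    warn "${name}: certificate creation failed."
		fi
	fi

	# statistics file must pre-exist with restrictive ownership/mode
	if [ ! -f /var/log/sendmail.st ]; then
		/usr/bin/install -m 640 -o root -g wheel /dev/null /var/log/sendmail.st
	fi
}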
206
# Dispatch the requested action ($1: start/stop/...) for the primary daemon
# using name/rcvar/command/pidfile/procname/start_precmd set above.
run_rc_command "$1"

# The remaining instances are driven by the same binary but have no
# dedicated .cf of their own to insist on; only the msp_queue instance
# sets required_files again (submit.cf).
required_files=

# Submission-only daemon.  Already forced to NO above when sendmail_enable
# is YES or NONE, so this only runs for a "submit but no full daemon" setup.
if checkyesno sendmail_submit_enable; then
	name="sendmail_submit"
	rcvar="sendmail_submit_enable"
	# NOTE(review): appears to be rc.subr's "restart already dispatched"
	# latch; reset so this instance also acts on restart -- verify in rc.subr
	_rc_restart_done=false
	run_rc_command "$1"
fi

# Outbound-only daemon; forced to NO above when either of the previous two
# is enabled.
if checkyesno sendmail_outbound_enable; then
	name="sendmail_outbound"
	rcvar="sendmail_outbound_enable"
	_rc_restart_done=false
	run_rc_command "$1"
fi

# Client MSP queue runner: its own pidfile (default under clientmqueue) and
# its own config, submit.cf.  Not guarded by an if; run_rc_command consults
# rcvar itself.
name="sendmail_msp_queue"
rcvar="sendmail_msp_queue_enable"
pidfile="${sendmail_msp_queue_pidfile:-/var/spool/clientmqueue/sm-client.pid}"
required_files="/etc/mail/submit.cf"
_rc_restart_done=false
run_rc_command "$1"
231