1 #!/bin/sh
2 #
3 # $FreeBSD$
4 #
5
6 # PROVIDE: mail
7 # REQUIRE: LOGIN FILESYSTEMS
8 #       we make mail start late, so that things like .forward's are not
9 #       processed until the system is fully operational
10 # KEYWORD: shutdown
11
# XXX - Get together with the sendmail maintainer to figure out how to
#       better handle SENDMAIL_ENABLE and 3rd party MTAs.
14 #
. /etc/rc.subr

# Primary service: the full sendmail(8) MTA.  Three further services
# (sendmail_submit, sendmail_outbound, sendmail_msp_queue) are driven from
# the bottom of this script by re-pointing name/rcvar and calling
# run_rc_command again.
name="sendmail"
desc="Electronic mail transport agent"
rcvar="sendmail_enable"
required_files="/etc/mail/${name}.cf"
start_precmd="sendmail_precmd"

load_rc_config "$name"
# All three overridable from rc.conf; defaults point at the base system
# sendmail binary and its conventional pidfile.
command="${sendmail_program:-/usr/sbin/${name}}"
pidfile="${sendmail_pidfile:-/var/run/${name}.pid}"
procname="${sendmail_procname:-/usr/sbin/${name}}"

# Where sendmail_precmd installs the auto-generated TLS material
# (host.cert, host.key, cacert.pem and the CA hash link).
CERTDIR=/etc/mail/certs

# sendmail_enable=NONE is shorthand for "no sendmail daemons at all":
# it switches off every one of the four services this script manages.
case "${sendmail_enable}" in
[Nn][Oo][Nn][Ee])
	sendmail_enable="NO"
	sendmail_submit_enable="NO"
	sendmail_outbound_enable="NO"
	sendmail_msp_queue_enable="NO"
	;;
esac

# The daemons are mutually exclusive in descending order of scope: the
# full MTA makes both the submit and the outbound daemon redundant, and
# the submit daemon makes the outbound daemon redundant.
if checkyesno sendmail_enable; then
	sendmail_submit_enable="NO"
	sendmail_outbound_enable="NO"
elif checkyesno sendmail_submit_enable; then
	sendmail_outbound_enable="NO"
fi
49
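# Create a throw-away CA, use it to sign a fresh host certificate, and
# install cacert.pem / host.cert / host.key plus the OpenSSL hash link
# into $CERTDIR.  All intermediate material, including the CA private
# key, is kept in a private 0700 scratch directory that is removed on
# every exit path.
#
# Globals read:    sendmail_cert_cn (optional subject CN), CERTDIR
# Returns:         0 on success, non-zero if any step failed (nothing is
#                  cleaned up in $CERTDIR on failure; the caller only
#                  invokes this when none of the three files exist)
sendmail_cert_create()
{
	local cnname CAdir certpass certhash retVal

	# Subject CN: sendmail_cert_cn from rc.conf, else the hostname, else
	# a fixed placeholder so the request never carries an empty CN.
	cnname="${sendmail_cert_cn:-$(hostname)}"
	cnname="${cnname:-amnesiac}"

	# Fail here if no scratch directory could be made instead of letting
	# an empty $CAdir reach the cd/chmod chain and the final rm -rf.
	CAdir=$(mktemp -d) || return 1

	# One-shot passphrase for the CA key.  The key is used exactly once
	# (to sign the host certificate below) and then deleted with $CAdir,
	# so the passphrase's entropy is not critical -- but it is handed to
	# openssl via a 0600 file inside $CAdir rather than on the command
	# line, where every local user could read it with ps(1) while the
	# openssl processes run.
	certpass=$( (date; ps ax ; hostname) | md5 -q )

	# based upon:
	# http://www.sendmail.org/~ca/email/other/cagreg.html
	( cd "$CAdir" &&
	chmod 700 "$CAdir" &&
	mkdir certs crl newcerts &&
	echo "01" > serial &&
	:> index.txt &&
	(umask 077 && printf '%s\n' "$certpass" > capass) &&

	cat <<-OPENSSL_CNF > openssl.cnf &&
		RANDFILE	= $CAdir/.rnd
		[ ca ]
		default_ca	= CA_default
		[ CA_default ]
		dir		= .
		certs		= \$dir/certs		# Where the issued certs are kept
		crl_dir		= \$dir/crl		# Where the issued crl are kept
		database	= \$dir/index.txt	# database index file.
		new_certs_dir	= \$dir/newcerts	# default place for new certs.
		certificate	= \$dir/cacert.pem	# The CA certificate
		serial		= \$dir/serial		# The current serial number
		crlnumber	= \$dir/crlnumber	# the current crl number
		crl		= \$dir/crl.pem		# The current CRL
		private_key	= \$dir/cakey.pem
		x509_extensions	= usr_cert		# The extensions to add to the cert
		name_opt	= ca_default		# Subject Name options
		cert_opt	= ca_default		# Certificate field options
		default_days	= 365			# how long to certify for
		default_crl_days= 30			# how long before next CRL
		default_md	= default		# use public key default MD
		preserve	= no			# keep passed DN ordering
		policy		= policy_anything
		[ policy_anything ]
		countryName		= optional
		stateOrProvinceName	= optional
		localityName		= optional
		organizationName	= optional
		organizationalUnitName	= optional
		commonName		= supplied
		emailAddress		= optional
		[ req ]
		default_bits		= 2048
		default_keyfile		= privkey.pem
		distinguished_name	= req_distinguished_name
		attributes		= req_attributes
		x509_extensions	= v3_ca	# The extensions to add to the self signed cert
		string_mask = utf8only
		prompt = no
		[ req_distinguished_name ]
		countryName			= XX
		stateOrProvinceName		= Some-state
		localityName			= Some-city
		0.organizationName		= Some-org
		CN				= $cnname
		[ req_attributes ]
		challengePassword		= foobar
		unstructuredName		= An optional company name
		[ usr_cert ]
		basicConstraints=CA:FALSE
		nsComment			= "OpenSSL Generated Certificate"
		subjectKeyIdentifier=hash
		authorityKeyIdentifier=keyid,issuer
		[ v3_req ]
		basicConstraints = CA:FALSE
		keyUsage = nonRepudiation, digitalSignature, keyEncipherment
		[ v3_ca ]
		subjectKeyIdentifier=hash
		authorityKeyIdentifier=keyid:always,issuer
		basicConstraints = CA:true
	OPENSSL_CNF

	# make the throw-away certificate authority (10-year self-signed
	# cert, passphrase-protected key read from the capass file)
	openssl req -batch -passout file:capass -new -x509 \
	    -keyout cakey.pem -out cacert.pem -days 3650 \
	    -config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&

	# make the host key and a self-signed placeholder certificate; the
	# key is unencrypted (-nodes) because sendmail must load it unattended
	openssl req -batch -nodes -new -x509 -keyout newkey.pem \
	    -out newreq.pem -days 365 -config openssl.cnf \
	    -newkey rsa:2048 >/dev/null 2>&1 &&

	# turn the placeholder back into a request and have the CA sign it
	openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
	    -out tmp.pem >/dev/null 2>&1 &&
	openssl ca -notext -config openssl.cnf \
	    -out newcert.pem -keyfile cakey.pem -cert cacert.pem \
	    -passin file:capass -batch -infiles tmp.pem >/dev/null 2>&1 &&

	# install: certificates world-readable, private key root-only; cp -p
	# carries these modes into $CERTDIR
	mkdir -p "$CERTDIR" &&
	chmod 0755 "$CERTDIR" &&
	chmod 644 newcert.pem cacert.pem &&
	chmod 600 newkey.pem &&
	cp -p newcert.pem "$CERTDIR"/host.cert &&
	cp -p cacert.pem "$CERTDIR"/cacert.pem &&
	cp -p newkey.pem "$CERTDIR"/host.key &&

	# subject-hash link so a CApath lookup finds the CA certificate;
	# computed first so a failed hash cannot produce a bogus ".0" link
	certhash=$(openssl x509 -hash -noout -in cacert.pem) &&
	ln -s cacert.pem "$CERTDIR/$certhash.0")

	# Status of the whole chain above, then unconditional cleanup of the
	# scratch directory (CA key, passphrase file, temporaries).
	retVal="$?"
	rm -rf "$CAdir"

	return "$retVal"
}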
161
# start_precmd for the sendmail service: refuses to start on a confused
# pre-8.10 layout, refreshes the aliases database when it is stale, and
# creates the TLS material on first use when sendmail_cert_create is set.
#
# Globals read:    rcvar, name, sendmail_rebuild_aliases,
#                  sendmail_cert_create, CERTDIR
# Returns:         1 if sendmail must not be started; otherwise the status
#                  of the last step taken (sendmail_cert_create's when it
#                  runs), which rc.subr uses to gate the start
sendmail_precmd()
{
	# Die if there is a pre-8.10 /etc/sendmail.cf that differs from
	# /etc/mail/sendmail.cf: two diverging copies are an upgrade hazard.
	# See NetBSD PR 10100 for details.
	if checkyesno ${rcvar} && [ -f "/etc/${name}.cf" ] &&
	    ! cmp -s "/etc/mail/${name}.cf" "/etc/${name}.cf"; then
		warn \
    "${name} was not started; you have multiple copies of sendmail.cf."
		return 1
	fi

	# Rebuild /etc/mail/aliases.db when it is missing or older than its
	# source, so sendmail does not run against a stale database.
	if checkyesno sendmail_rebuild_aliases; then
		if [ ! -f "/etc/mail/aliases.db" ]; then
			echo \
		"${name}: /etc/mail/aliases.db not present, generating"
			/usr/bin/newaliases
		elif [ "/etc/mail/aliases" -nt "/etc/mail/aliases.db" ]; then
			echo \
		"${name}: /etc/mail/aliases newer than /etc/mail/aliases.db, regenerating"
			/usr/bin/newaliases
		fi
	fi

	# First-boot certificate generation.  Any one of the three files
	# already being present disables it, so existing material is never
	# overwritten.
	if checkyesno sendmail_cert_create &&
	    [ ! -f "$CERTDIR/host.cert" ] &&
	    [ ! -f "$CERTDIR/host.key" ] &&
	    [ ! -f "$CERTDIR/cacert.pem" ]; then
		if openssl version >/dev/null 2>&1; then
			info Creating certificate for sendmail.
			sendmail_cert_create
		else
			warn "OpenSSL not available, but sendmail_cert_create is YES."
		fi
	fi
}
201
# Run the requested action ($1) for the full MTA with the name, rcvar,
# command, pidfile, procname, required_files and start_precmd set above.
run_rc_command "$1"

# The secondary services below reuse command/pidfile/procname unchanged
# but must not insist on /etc/mail/sendmail.cf; sendmail_msp_queue sets
# its own required_files further down.
required_files=

# Submit daemon; already forced off above whenever the full MTA is
# enabled.  Note that it keeps the MTA's pidfile (/var/run/sendmail.pid
# by default) since pidfile is not reassigned here.
if checkyesno sendmail_submit_enable; then
	name="sendmail_submit"
	rcvar="sendmail_submit_enable"
	# rc.subr-private flag reset before every additional run_rc_command
	# in this script; presumably so a "restart" is carried out for this
	# service too rather than treated as already done -- NOTE(review):
	# confirm against rc.subr.
	_rc_restart_done=false
	run_rc_command "$1"
fi

# Outbound daemon; forced off above when either of the two daemons
# before it is enabled.  Same shared pidfile caveat as sendmail_submit.
if checkyesno sendmail_outbound_enable; then
	name="sendmail_outbound"
	rcvar="sendmail_outbound_enable"
	_rc_restart_done=false
	run_rc_command "$1"
fi

# Client (MSP) queue runner.  Not guarded by checkyesno here: rcvar is
# pointed at sendmail_msp_queue_enable and run_rc_command consults it.
# It has its own pidfile under the client queue directory and needs
# submit.cf rather than sendmail.cf.
name="sendmail_msp_queue"
rcvar="sendmail_msp_queue_enable"
pidfile="${sendmail_msp_queue_pidfile:-/var/spool/clientmqueue/sm-client.pid}"
required_files="/etc/mail/submit.cf"
_rc_restart_done=false
run_rc_command "$1"