7 # REQUIRE: LOGIN FILESYSTEMS
8 # we make mail start late, so that things like .forward's are not
9 # processed until the system is fully operational
12 # XXX - Get together with sendmail mantainer to figure out how to
13 # better handle SENDMAIL_ENABLE and 3rd party MTAs.
18 rcvar="sendmail_enable"
19 required_files="/etc/mail/${name}.cf"
20 start_precmd="sendmail_precmd"
23 command=${sendmail_program:-/usr/sbin/${name}}
24 pidfile=${sendmail_pidfile:-/var/run/${name}.pid}
25 procname=${sendmail_procname:-/usr/sbin/${name}}
27 CERTDIR=/etc/mail/certs
29 case ${sendmail_enable} in
32 sendmail_submit_enable="NO"
33 sendmail_outbound_enable="NO"
34 sendmail_msp_queue_enable="NO"
38 # If sendmail_enable=yes, don't need submit or outbound daemon
39 if checkyesno sendmail_enable; then
40 sendmail_submit_enable="NO"
41 sendmail_outbound_enable="NO"
44 # If sendmail_submit_enable=yes, don't need outbound daemon
45 if checkyesno sendmail_submit_enable; then
46 sendmail_outbound_enable="NO"
49 sendmail_cert_create()
51 cnname="${sendmail_cert_cn:-`hostname`}"
52 cnname="${cnname:-amnesiac}"
55 # http://www.sendmail.org/~ca/email/other/cagreg.html
57 certpass=`(date; ps ax ; hostname) | md5 -q`
59 # make certificate authority
62 mkdir certs crl newcerts &&
66 cat <<-OPENSSL_CNF > openssl.cnf &&
67 RANDFILE = $CAdir/.rnd
69 default_ca = CA_default
72 certs = \$dir/certs # Where the issued certs are kept
73 crl_dir = \$dir/crl # Where the issued crl are kept
74 database = \$dir/index.txt # database index file.
75 new_certs_dir = \$dir/newcerts # default place for new certs.
76 certificate = \$dir/cacert.pem # The CA certificate
77 serial = \$dir/serial # The current serial number
78 crlnumber = \$dir/crlnumber # the current crl number
79 crl = \$dir/crl.pem # The current CRL
80 private_key = \$dir/cakey.pem
81 x509_extensions = usr_cert # The extentions to add to the cert
82 name_opt = ca_default # Subject Name options
83 cert_opt = ca_default # Certificate field options
84 default_days = 365 # how long to certify for
85 default_crl_days= 30 # how long before next CRL
86 default_md = default # use public key default MD
87 preserve = no # keep passed DN ordering
88 policy = policy_anything
90 countryName = optional
91 stateOrProvinceName = optional
92 localityName = optional
93 organizationName = optional
94 organizationalUnitName = optional
96 emailAddress = optional
99 default_keyfile = privkey.pem
100 distinguished_name = req_distinguished_name
101 attributes = req_attributes
102 x509_extensions = v3_ca # The extentions to add to the self signed cert
103 string_mask = utf8only
105 [ req_distinguished_name ]
107 stateOrProvinceName = Some-state
108 localityName = Some-city
109 0.organizationName = Some-org
112 challengePassword = foobar
113 unstructuredName = An optional company name
115 basicConstraints=CA:FALSE
116 nsComment = "OpenSSL Generated Certificate"
117 subjectKeyIdentifier=hash
118 authorityKeyIdentifier=keyid,issuer
120 basicConstraints = CA:FALSE
121 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
123 subjectKeyIdentifier=hash
124 authorityKeyIdentifier=keyid:always,issuer
125 basicConstraints = CA:true
128 # though we use a password, the key is discarded and never used
129 openssl req -batch -passout pass:"$certpass" -new -x509 \
130 -keyout cakey.pem -out cacert.pem -days 3650 \
131 -config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&
133 # make new certificate
134 openssl req -batch -nodes -new -x509 -keyout newkey.pem \
135 -out newreq.pem -days 365 -config openssl.cnf \
136 -newkey rsa:2048 >/dev/null 2>&1 &&
139 openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
140 -out tmp.pem >/dev/null 2>&1 &&
141 openssl ca -notext -config openssl.cnf \
142 -out newcert.pem -keyfile cakey.pem -cert cacert.pem \
143 -key "$certpass" -batch -infiles tmp.pem >/dev/null 2>&1 &&
145 mkdir -p "$CERTDIR" &&
146 chmod 0755 "$CERTDIR" &&
147 chmod 644 newcert.pem cacert.pem &&
148 chmod 600 newkey.pem &&
149 cp -p newcert.pem "$CERTDIR"/host.cert &&
150 cp -p cacert.pem "$CERTDIR"/cacert.pem &&
151 cp -p newkey.pem "$CERTDIR"/host.key &&
152 ln -s cacert.pem "$CERTDIR"/`openssl x509 -hash -noout \
163 # Die if there's pre-8.10 custom configuration file. This check is
164 # mandatory for smooth upgrade. See NetBSD PR 10100 for details.
166 if checkyesno ${rcvar} && [ -f "/etc/${name}.cf" ]; then
167 if ! cmp -s "/etc/mail/${name}.cf" "/etc/${name}.cf"; then
169 "${name} was not started; you have multiple copies of sendmail.cf."
174 # check modifications on /etc/mail/aliases
175 if checkyesno sendmail_rebuild_aliases; then
176 if [ -f "/etc/mail/aliases.db" ]; then
177 if [ "/etc/mail/aliases" -nt "/etc/mail/aliases.db" ]; then
179 "${name}: /etc/mail/aliases newer than /etc/mail/aliases.db, regenerating"
184 "${name}: /etc/mail/aliases.db not present, generating"
189 if checkyesno sendmail_cert_create && [ ! \( \
190 -f "$CERTDIR/host.cert" -o -f "$CERTDIR/host.key" -o \
191 -f "$CERTDIR/cacert.pem" \) ]; then
192 if ! openssl version >/dev/null 2>&1; then
193 warn "OpenSSL not available, but sendmail_cert_create is YES."
195 info Creating certificate for sendmail.
205 if checkyesno sendmail_submit_enable; then
206 name="sendmail_submit"
207 rcvar="sendmail_submit_enable"
211 if checkyesno sendmail_outbound_enable; then
212 name="sendmail_outbound"
213 rcvar="sendmail_outbound_enable"
217 name="sendmail_msp_queue"
218 rcvar="sendmail_msp_queue_enable"
219 pidfile="${sendmail_msp_queue_pidfile:-/var/spool/clientmqueue/sm-client.pid}"
220 required_files="/etc/mail/submit.cf"