7 # REQUIRE: LOGIN FILESYSTEMS
8 # we make mail start late, so that things like .forward files are not
9 # processed until the system is fully operational
12 # XXX - Get together with sendmail maintainer to figure out how to
13 # better handle SENDMAIL_ENABLE and 3rd party MTAs.
# rc.subr metadata for the primary sendmail daemon.  ${name} is assigned
# above this excerpt (not visible here); the submit, outbound and
# msp_queue instances further down re-assign name/rcvar (and, for
# msp_queue, pidfile and required_files) before their own run.
18 desc="Electronic mail transport agent"
# rc.conf knob consulted by checkyesno below (sendmail_enable); when it
# is YES the submit and outbound daemons are forced off.
19 rcvar="sendmail_enable"
# Config file named in rc.subr's required_files check; the pre-start
# code below additionally refuses to start if a differing stray copy
# exists at /etc/${name}.cf.
20 required_files="/etc/mail/${name}.cf"
# Hook run before the daemon starts.  Presumably the checks further down
# (duplicate sendmail.cf, aliases rebuild, certificate creation,
# sendmail.st creation) -- TODO confirm, the function header is not
# within this excerpt.
21 start_precmd="sendmail_precmd"
# Daemon path, pid file and process name; each is overridable from
# rc.conf through the corresponding sendmail_* variable, otherwise the
# default under /usr/sbin or /var/run is used.
24 command=${sendmail_program:-/usr/sbin/${name}}
25 pidfile=${sendmail_pidfile:-/var/run/${name}.pid}
26 procname=${sendmail_procname:-/usr/sbin/${name}}
# Where sendmail_cert_create installs host.cert (0644), host.key (0600),
# cacert.pem (0644) and the subject-hash symlink to cacert.pem; the
# directory itself is created 0755.  Creation is skipped when any of
# host.cert, host.key or cacert.pem already exists there.
28 CERTDIR=/etc/mail/certs
30 case ${sendmail_enable} in
33 sendmail_submit_enable="NO"
34 sendmail_outbound_enable="NO"
35 sendmail_msp_queue_enable="NO"
39 # If sendmail_enable=yes, don't need submit or outbound daemon
40 if checkyesno sendmail_enable; then
41 sendmail_submit_enable="NO"
42 sendmail_outbound_enable="NO"
45 # If sendmail_submit_enable=yes, don't need outbound daemon
46 if checkyesno sendmail_submit_enable; then
47 sendmail_outbound_enable="NO"
50 sendmail_cert_create()
52 cnname="${sendmail_cert_cn:-`hostname`}"
53 cnname="${cnname:-amnesiac}"
56 # http://www.sendmail.org/~ca/email/other/cagreg.html
58 certpass=`(date; ps ax ; hostname) | md5 -q`
60 # make certificate authority
63 mkdir certs crl newcerts &&
67 cat <<-OPENSSL_CNF > openssl.cnf &&
68 RANDFILE = $CAdir/.rnd
70 default_ca = CA_default
73 certs = \$dir/certs # Where the issued certs are kept
74 crl_dir = \$dir/crl # Where the issued crl are kept
75 database = \$dir/index.txt # database index file.
76 new_certs_dir = \$dir/newcerts # default place for new certs.
77 certificate = \$dir/cacert.pem # The CA certificate
78 serial = \$dir/serial # The current serial number
79 crlnumber = \$dir/crlnumber # the current crl number
80 crl = \$dir/crl.pem # The current CRL
81 private_key = \$dir/cakey.pem
82 x509_extensions = usr_cert # The extensions to add to the cert
83 name_opt = ca_default # Subject Name options
84 cert_opt = ca_default # Certificate field options
85 default_days = 365 # how long to certify for
86 default_crl_days= 30 # how long before next CRL
87 default_md = default # use public key default MD
88 preserve = no # keep passed DN ordering
89 policy = policy_anything
91 countryName = optional
92 stateOrProvinceName = optional
93 localityName = optional
94 organizationName = optional
95 organizationalUnitName = optional
97 emailAddress = optional
100 default_keyfile = privkey.pem
101 distinguished_name = req_distinguished_name
102 attributes = req_attributes
103 x509_extensions = v3_ca # The extensions to add to the self signed cert
104 string_mask = utf8only
106 [ req_distinguished_name ]
108 stateOrProvinceName = Some-state
109 localityName = Some-city
110 0.organizationName = Some-org
113 challengePassword = foobar
114 unstructuredName = An optional company name
116 basicConstraints=CA:FALSE
117 nsComment = "OpenSSL Generated Certificate"
118 subjectKeyIdentifier=hash
119 authorityKeyIdentifier=keyid,issuer
121 basicConstraints = CA:FALSE
122 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
124 subjectKeyIdentifier=hash
125 authorityKeyIdentifier=keyid:always,issuer
126 basicConstraints = CA:true
129 # though we use a password, the key is discarded and never used
130 openssl req -batch -passout pass:"$certpass" -new -x509 \
131 -keyout cakey.pem -out cacert.pem -days 3650 \
132 -config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&
134 # make new certificate
135 openssl req -batch -nodes -new -x509 -keyout newkey.pem \
136 -out newreq.pem -days 365 -config openssl.cnf \
137 -newkey rsa:2048 >/dev/null 2>&1 &&
140 openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
141 -out tmp.pem >/dev/null 2>&1 &&
142 openssl ca -notext -config openssl.cnf \
143 -out newcert.pem -keyfile cakey.pem -cert cacert.pem \
144 -key "$certpass" -batch -infiles tmp.pem >/dev/null 2>&1 &&
146 mkdir -p "$CERTDIR" &&
147 chmod 0755 "$CERTDIR" &&
148 chmod 644 newcert.pem cacert.pem &&
149 chmod 600 newkey.pem &&
150 cp -p newcert.pem "$CERTDIR"/host.cert &&
151 cp -p cacert.pem "$CERTDIR"/cacert.pem &&
152 cp -p newkey.pem "$CERTDIR"/host.key &&
153 ln -s cacert.pem "$CERTDIR"/`openssl x509 -hash -noout \
164 # Die if there's a pre-8.10 custom configuration file. This check is
165 # mandatory for a smooth upgrade. See NetBSD PR 10100 for details.
167 if checkyesno ${rcvar} && [ -f "/etc/${name}.cf" ]; then
168 if ! cmp -s "/etc/mail/${name}.cf" "/etc/${name}.cf"; then
170 "${name} was not started; you have multiple copies of sendmail.cf."
175 # check modifications on /etc/mail/aliases
176 if checkyesno sendmail_rebuild_aliases; then
177 if [ -f "/etc/mail/aliases.db" ]; then
178 if [ "/etc/mail/aliases" -nt "/etc/mail/aliases.db" ]; then
180 "${name}: /etc/mail/aliases newer than /etc/mail/aliases.db, regenerating"
185 "${name}: /etc/mail/aliases.db not present, generating"
190 if checkyesno sendmail_cert_create && [ ! \( \
191 -f "$CERTDIR/host.cert" -o -f "$CERTDIR/host.key" -o \
192 -f "$CERTDIR/cacert.pem" \) ]; then
193 if ! openssl version >/dev/null 2>&1; then
194 warn "OpenSSL not available, but sendmail_cert_create is YES."
196 info Creating certificate for sendmail.
201 if [ ! -f /var/log/sendmail.st ]; then
202 /usr/bin/install -m 640 -o root -g wheel /dev/null /var/log/sendmail.st
210 if checkyesno sendmail_submit_enable; then
211 name="sendmail_submit"
212 rcvar="sendmail_submit_enable"
213 _rc_restart_done=false
217 if checkyesno sendmail_outbound_enable; then
218 name="sendmail_outbound"
219 rcvar="sendmail_outbound_enable"
220 _rc_restart_done=false
224 name="sendmail_msp_queue"
225 rcvar="sendmail_msp_queue_enable"
226 pidfile="${sendmail_msp_queue_pidfile:-/var/spool/clientmqueue/sm-client.pid}"
227 required_files="/etc/mail/submit.cf"
228 _rc_restart_done=false