#!/bin/sh
#
# $FreeBSD$
#

# PROVIDE: mail
# REQUIRE: LOGIN FILESYSTEMS
#       we make mail start late, so that things like .forward's are not
#       processed until the system is fully operational
# KEYWORD: shutdown

# XXX - Get together with sendmail maintainer to figure out how to
#       better handle SENDMAIL_ENABLE and 3rd party MTAs.
#
. /etc/rc.subr

# Settings for the main (MTA) daemon; the other daemons below override
# name/rcvar/pidfile/required_files before their own run_rc_command.
name="sendmail"
rcvar="sendmail_enable"
required_files="/etc/mail/${name}.cf"
start_precmd="sendmail_precmd"

load_rc_config "$name"
# rc.conf(5) may override the binary, pidfile and process name.
command="${sendmail_program:-/usr/sbin/${name}}"
pidfile="${sendmail_pidfile:-/var/run/${name}.pid}"
procname="${sendmail_procname:-/usr/sbin/${name}}"

# Directory that sendmail_cert_create() populates with certificate files.
CERTDIR=/etc/mail/certs

# sendmail_enable=NONE turns every sendmail-related daemon off at once.
case "${sendmail_enable}" in
[Nn][Oo][Nn][Ee])
	sendmail_enable="NO"
	sendmail_submit_enable="NO"
	sendmail_outbound_enable="NO"
	sendmail_msp_queue_enable="NO"
	;;
esac

# With the full daemon enabled, neither the submit nor the outbound
# daemon is needed.
if checkyesno sendmail_enable; then
	sendmail_submit_enable="NO"
	sendmail_outbound_enable="NO"
fi

# With the submit daemon enabled, the outbound daemon is not needed.
if checkyesno sendmail_submit_enable; then
	sendmail_outbound_enable="NO"
fi
48
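#
# Create a throw-away certificate authority in a private scratch
# directory, issue one host certificate with it, and install
# host.cert, host.key, cacert.pem and a <hash>.0 symlink to the CA
# certificate under $CERTDIR.  Only the installed files survive; the
# CA key and the scratch directory are deleted before returning.
# Reads:   sendmail_cert_cn (optional CN, defaults to hostname), CERTDIR
# Returns: 0 on success, non-zero if any step fails (or mktemp fails)
#
sendmail_cert_create()
{
	cnname="${sendmail_cert_cn:-$(hostname)}"
	cnname="${cnname:-amnesiac}"

	# Bail out instead of continuing with an empty $CAdir when the
	# scratch directory cannot be created.
	CAdir=$(mktemp -d) || return 1

	# based upon:
	# http://www.sendmail.org/~ca/email/other/cagreg.html
	#
	# The passphrase only protects the CA key, which is removed
	# together with $CAdir below; it is never needed again.
	certpass=$( (date; ps ax ; hostname) | md5 -q )

	# make certificate authority
	( cd "$CAdir" &&
	chmod 700 "$CAdir" &&
	mkdir certs crl newcerts &&
	echo "01" > serial &&
	:> index.txt &&

	cat <<-OPENSSL_CNF > openssl.cnf &&
		RANDFILE        = $CAdir/.rnd
		[ ca ]
		default_ca      = CA_default
		[ CA_default ]
		dir             = .
		certs           = \$dir/certs           # Where the issued certs are kept
		crl_dir         = \$dir/crl             # Where the issued crl are kept
		database        = \$dir/index.txt       # database index file.
		new_certs_dir   = \$dir/newcerts        # default place for new certs.
		certificate     = \$dir/cacert.pem      # The CA certificate
		serial          = \$dir/serial          # The current serial number
		crlnumber       = \$dir/crlnumber       # the current crl number
		crl             = \$dir/crl.pem         # The current CRL
		private_key     = \$dir/cakey.pem
		x509_extensions = usr_cert              # The extentions to add to the cert
		name_opt        = ca_default            # Subject Name options
		cert_opt        = ca_default            # Certificate field options
		default_days    = 365                   # how long to certify for
		default_crl_days= 30                    # how long before next CRL
		default_md      = default               # use public key default MD
		preserve        = no                    # keep passed DN ordering
		policy          = policy_anything
		[ policy_anything ]
		countryName             = optional
		stateOrProvinceName     = optional
		localityName            = optional
		organizationName        = optional
		organizationalUnitName  = optional
		commonName              = supplied
		emailAddress            = optional
		[ req ]
		default_bits            = 2048
		default_keyfile         = privkey.pem
		distinguished_name      = req_distinguished_name
		attributes              = req_attributes
		x509_extensions = v3_ca # The extentions to add to the self signed cert
		string_mask = utf8only
		prompt = no
		[ req_distinguished_name ]
		countryName                     = XX
		stateOrProvinceName             = Some-state
		localityName                    = Some-city
		0.organizationName              = Some-org
		CN                              = $cnname
		[ req_attributes ]
		challengePassword               = foobar
		unstructuredName                = An optional company name
		[ usr_cert ]
		basicConstraints=CA:FALSE
		nsComment                       = "OpenSSL Generated Certificate"
		subjectKeyIdentifier=hash
		authorityKeyIdentifier=keyid,issuer
		[ v3_req ]
		basicConstraints = CA:FALSE
		keyUsage = nonRepudiation, digitalSignature, keyEncipherment
		[ v3_ca ]
		subjectKeyIdentifier=hash
		authorityKeyIdentifier=keyid:always,issuer
		basicConstraints = CA:true
	OPENSSL_CNF

	# though we use a password, the key is discarded and never used.
	# (The passphrase is passed on the command line, so it is visible
	# in ps(1) while these openssl invocations run; acceptable only
	# because the key it guards is thrown away below.)
	openssl req -batch -passout pass:"$certpass" -new -x509 \
	    -keyout cakey.pem -out cacert.pem -days 3650 \
	    -config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&

	# make new certificate; the host key is written unencrypted
	# (-nodes) so the daemon can load it without a passphrase.
	openssl req -batch -nodes -new -x509 -keyout newkey.pem \
	    -out newreq.pem -days 365 -config openssl.cnf \
	    -newkey rsa:2048 >/dev/null 2>&1 &&

	# sign certificate: turn the self-signed host cert back into a
	# request and have the CA sign it
	openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
	    -out tmp.pem >/dev/null 2>&1 &&
	openssl ca -notext -config openssl.cnf \
	    -out newcert.pem -keyfile cakey.pem -cert cacert.pem \
	    -key "$certpass" -batch -infiles tmp.pem >/dev/null 2>&1 &&

	# install: certificates world-readable, host key owner-only
	# (cp -p keeps those modes)
	mkdir -p "$CERTDIR" &&
	chmod 0755 "$CERTDIR" &&
	chmod 644 newcert.pem cacert.pem &&
	chmod 600 newkey.pem &&
	cp -p newcert.pem "$CERTDIR"/host.cert &&
	cp -p cacert.pem "$CERTDIR"/cacert.pem &&
	cp -p newkey.pem "$CERTDIR"/host.key &&
	# refuse to create a bare "$CERTDIR/.0" link if the hash is empty
	cahash=$(openssl x509 -hash -noout -in cacert.pem) &&
	[ -n "$cahash" ] &&
	ln -s cacert.pem "$CERTDIR/$cahash.0" )

	retVal="$?"
	# The scratch directory holds the CA key and the unencrypted host
	# key; remove it on every exit path.  ${CAdir:?} aborts rather
	# than running rm against an empty path.
	rm -rf "${CAdir:?}"

	return "$retVal"
}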
160
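#
# start_precmd for the main sendmail daemon.  Refuses the start when a
# pre-8.10 /etc/sendmail.cf that differs from /etc/mail/sendmail.cf is
# present, rebuilds the aliases database when sendmail_rebuild_aliases
# is set, and creates certificate files when sendmail_cert_create is
# set and none of them exist yet.
# Reads:   rcvar, name, sendmail_rebuild_aliases, sendmail_cert_create,
#          CERTDIR
# Returns: 1 to abort the start (duplicate sendmail.cf), 0 otherwise
#
sendmail_precmd()
{
	# Die if there's pre-8.10 custom configuration file.  This check is
	# mandatory for smooth upgrade.  See NetBSD PR 10100 for details.
	#
	if checkyesno "${rcvar}" && [ -f "/etc/${name}.cf" ]; then
		if ! cmp -s "/etc/mail/${name}.cf" "/etc/${name}.cf"; then
			warn \
    "${name} was not started; you have multiple copies of sendmail.cf."
			return 1
		fi
	fi

	# check modifications on /etc/mail/aliases
	if checkyesno sendmail_rebuild_aliases; then
		if [ -f "/etc/mail/aliases.db" ]; then
			if [ "/etc/mail/aliases" -nt "/etc/mail/aliases.db" ]; then
				echo \
		"${name}: /etc/mail/aliases newer than /etc/mail/aliases.db, regenerating"
				/usr/bin/newaliases
			fi
		else
			echo \
		"${name}: /etc/mail/aliases.db not present, generating"
			/usr/bin/newaliases
		fi
	fi

	# Create certificates only when none of the three files exists, so
	# an administrator-supplied set is never overwritten.  Three
	# separate tests replace the obsolescent -o operator of test(1).
	if checkyesno sendmail_cert_create &&
	    [ ! -f "$CERTDIR/host.cert" ] &&
	    [ ! -f "$CERTDIR/host.key" ] &&
	    [ ! -f "$CERTDIR/cacert.pem" ]; then
		if ! openssl version >/dev/null 2>&1; then
			warn "OpenSSL not available, but sendmail_cert_create is YES."
		else
			info "Creating certificate for sendmail."
			sendmail_cert_create
		fi
	fi
}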
200
# Main daemon (uses the name/rcvar/required_files set above).
run_rc_command "$1"

# The submit and outbound daemons have no required_files check.
required_files=

# Start whichever of the submit/outbound daemons is still enabled after
# the NONE/YES adjustments above.
for _role in submit outbound; do
	if checkyesno "sendmail_${_role}_enable"; then
		name="sendmail_${_role}"
		rcvar="sendmail_${_role}_enable"
		run_rc_command "$1"
	fi
done

# MSP queue runner: separate pidfile under clientmqueue and submit.cf
# as its required configuration.
name="sendmail_msp_queue"
rcvar="sendmail_msp_queue_enable"
pidfile="${sendmail_msp_queue_pidfile:-/var/spool/clientmqueue/sm-client.pid}"
required_files="/etc/mail/submit.cf"
run_rc_command "$1"