#!/bin/sh
#
# $FreeBSD: stable/10/etc/rc.d/sendmail 299826 2016-05-15 03:15:36Z pfg $
#

# PROVIDE: mail
# REQUIRE: LOGIN FILESYSTEMS
# we make mail start late, so that things like .forward's are not
# processed until the system is fully operational
# KEYWORD: shutdown

# XXX - Get together with sendmail mantainer to figure out how to
# better handle SENDMAIL_ENABLE and 3rd party MTAs.
#
. /etc/rc.subr

name="sendmail"
rcvar="sendmail_enable"
required_files="/etc/mail/${name}.cf"
start_precmd="sendmail_precmd"

# rc.conf may override the binary, pid file and process name; the
# defaults below are applied only after load_rc_config has had its say.
load_rc_config "$name"
command="${sendmail_program:-/usr/sbin/${name}}"
pidfile="${sendmail_pidfile:-/var/run/${name}.pid}"
procname="${sendmail_procname:-/usr/sbin/${name}}"

# where sendmail_cert_create installs host.cert, host.key and cacert.pem
CERTDIR=/etc/mail/certs

# sendmail_enable=NONE switches off every sendmail daemon at once.
case "${sendmail_enable}" in
[Nn][Oo][Nn][Ee])
	sendmail_enable="NO"
	sendmail_submit_enable="NO"
	sendmail_outbound_enable="NO"
	sendmail_msp_queue_enable="NO"
	;;
esac

# A full daemon already covers submission and outbound delivery, and a
# submit-only daemon already covers outbound delivery, so drop whichever
# extra instances would be redundant.
if checkyesno sendmail_enable; then
	sendmail_submit_enable="NO"
	sendmail_outbound_enable="NO"
elif checkyesno sendmail_submit_enable; then
	sendmail_outbound_enable="NO"
fi
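#
# sendmail_cert_create
#	Build a throw-away CA in a private temporary directory, issue a
#	host certificate for ${sendmail_cert_cn} (default: the hostname,
#	falling back to "amnesiac") with it, and install host.cert,
#	host.key and cacert.pem plus the <subject-hash>.0 link into
#	$CERTDIR.  The CA private key is destroyed together with the
#	temporary directory, so nothing further can ever be issued under
#	cacert.pem.
#	Returns 1 if no scratch directory could be made, otherwise the
#	status of the last step that ran.
#
sendmail_cert_create()
{
	cnname="${sendmail_cert_cn:-$(hostname)}"
	cnname="${cnname:-amnesiac}"

	# based upon:
	# http://www.sendmail.org/~ca/email/other/cagreg.html
	#
	# Bail out before touching anything if no private scratch
	# directory could be created (the old code went on with an empty
	# $CAdir).
	CAdir=$(mktemp -d) || return 1
	# This passphrase only guards cakey.pem for the lifetime of $CAdir,
	# which is removed below; it is not a durable secret.
	certpass=$( (date; ps ax; hostname) | md5 -q )

	# make certificate authority
	( cd "$CAdir" &&
	chmod 700 "$CAdir" &&
	mkdir certs crl newcerts &&
	echo "01" > serial &&
	: > index.txt &&

	cat <<-OPENSSL_CNF > openssl.cnf &&
	RANDFILE = $CAdir/.rnd
	[ ca ]
	default_ca = CA_default
	[ CA_default ]
	dir = .
	certs = \$dir/certs # Where the issued certs are kept
	crl_dir = \$dir/crl # Where the issued crl are kept
	database = \$dir/index.txt # database index file.
	new_certs_dir = \$dir/newcerts # default place for new certs.
	certificate = \$dir/cacert.pem # The CA certificate
	serial = \$dir/serial # The current serial number
	crlnumber = \$dir/crlnumber # the current crl number
	crl = \$dir/crl.pem # The current CRL
	private_key = \$dir/cakey.pem
	x509_extensions = usr_cert # The extensions to add to the cert
	name_opt = ca_default # Subject Name options
	cert_opt = ca_default # Certificate field options
	default_days = 365 # how long to certify for
	default_crl_days= 30 # how long before next CRL
	default_md = default # use public key default MD
	preserve = no # keep passed DN ordering
	policy = policy_anything
	[ policy_anything ]
	countryName = optional
	stateOrProvinceName = optional
	localityName = optional
	organizationName = optional
	organizationalUnitName = optional
	commonName = supplied
	emailAddress = optional
	[ req ]
	default_bits = 2048
	default_keyfile = privkey.pem
	distinguished_name = req_distinguished_name
	attributes = req_attributes
	x509_extensions = v3_ca # The extensions to add to the self signed cert
	string_mask = utf8only
	prompt = no
	[ req_distinguished_name ]
	countryName = XX
	stateOrProvinceName = Some-state
	localityName = Some-city
	0.organizationName = Some-org
	CN = $cnname
	[ req_attributes ]
	challengePassword = foobar
	unstructuredName = An optional company name
	[ usr_cert ]
	basicConstraints=CA:FALSE
	nsComment = "OpenSSL Generated Certificate"
	subjectKeyIdentifier=hash
	authorityKeyIdentifier=keyid,issuer
	[ v3_req ]
	basicConstraints = CA:FALSE
	keyUsage = nonRepudiation, digitalSignature, keyEncipherment
	[ v3_ca ]
	subjectKeyIdentifier=hash
	authorityKeyIdentifier=keyid:always,issuer
	basicConstraints = CA:true
	OPENSSL_CNF

	# though we use a password, the key is discarded and never used.
	# Hand the passphrase to openssl through the environment (env:)
	# instead of argv so it is not visible in ps(1) while openssl runs.
	SENDMAIL_CERTPASS="$certpass" openssl req -batch \
	    -passout env:SENDMAIL_CERTPASS -new -x509 \
	    -keyout cakey.pem -out cacert.pem -days 3650 \
	    -config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&

	# make new certificate; -nodes leaves the host key unencrypted so
	# the daemon can load it unattended
	openssl req -batch -nodes -new -x509 -keyout newkey.pem \
	    -out newreq.pem -days 365 -config openssl.cnf \
	    -newkey rsa:2048 >/dev/null 2>&1 &&

	# sign certificate (default_days above gives it 365 days)
	openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
	    -out tmp.pem >/dev/null 2>&1 &&
	SENDMAIL_CERTPASS="$certpass" openssl ca -notext -config openssl.cnf \
	    -out newcert.pem -keyfile cakey.pem -cert cacert.pem \
	    -passin env:SENDMAIL_CERTPASS -batch -infiles tmp.pem \
	    >/dev/null 2>&1 &&

	mkdir -p "$CERTDIR" &&
	chmod 0755 "$CERTDIR" &&
	# host.key must stay 0600; cp -p carries the mode into $CERTDIR
	chmod 644 newcert.pem cacert.pem &&
	chmod 600 newkey.pem &&
	cp -p newcert.pem "$CERTDIR"/host.cert &&
	cp -p cacert.pem "$CERTDIR"/cacert.pem &&
	cp -p newkey.pem "$CERTDIR"/host.key &&
	# -f: a stale <hash>.0 link left over from an earlier CA must not
	# fail the run after the new files are already installed
	ln -sf cacert.pem "$CERTDIR"/$(openssl x509 -hash -noout \
	    -in cacert.pem).0 )

	retVal="$?"
	rm -rf "$CAdir"

	return "$retVal"
}

#
# sendmail_precmd
#	start_precmd hook: refuse to start when a conflicting
#	/etc/sendmail.cf exists, rebuild the aliases database when it is
#	missing or out of date, and create a TLS certificate when
#	sendmail_cert_create is on and none has been installed yet.
#	Returns 1 to abort the start, 0 otherwise.
#
sendmail_precmd()
{
	# Die if there's pre-8.10 custom configuration file. This check is
	# mandatory for smooth upgrade. See NetBSD PR 10100 for details.
	#
	if checkyesno "${rcvar}" && [ -f "/etc/${name}.cf" ]; then
		if ! cmp -s "/etc/mail/${name}.cf" "/etc/${name}.cf"; then
			warn \
			"${name} was not started; you have multiple copies of sendmail.cf."
			return 1
		fi
	fi

	# check modifications on /etc/mail/aliases
	if checkyesno sendmail_rebuild_aliases; then
		if [ ! -f "/etc/mail/aliases.db" ]; then
			echo \
			"${name}: /etc/mail/aliases.db not present, generating"
			/usr/bin/newaliases
		elif [ "/etc/mail/aliases" -nt "/etc/mail/aliases.db" ]; then
			echo \
			"${name}: /etc/mail/aliases newer than /etc/mail/aliases.db, regenerating"
			/usr/bin/newaliases
		fi
	fi

	# Only generate when none of the three files is present: an
	# existing (possibly expired) certificate is never replaced here,
	# that is left to the administrator.
	if checkyesno sendmail_cert_create &&
	    [ ! -f "$CERTDIR/host.cert" ] &&
	    [ ! -f "$CERTDIR/host.key" ] &&
	    [ ! -f "$CERTDIR/cacert.pem" ]; then
		if ! openssl version >/dev/null 2>&1; then
			warn "OpenSSL not available, but sendmail_cert_create is YES."
		else
			info "Creating certificate for sendmail."
			sendmail_cert_create
		fi
	fi
}

run_rc_command "$1"

# required_files above was for the main daemon only; clear it so the
# submit and outbound instances do not also insist on sendmail.cf.
required_files=

if checkyesno sendmail_submit_enable; then
	name="sendmail_submit"
	rcvar="sendmail_submit_enable"
	run_rc_command "$1"
fi

if checkyesno sendmail_outbound_enable; then
	name="sendmail_outbound"
	rcvar="sendmail_outbound_enable"
	run_rc_command "$1"
fi

name="sendmail_msp_queue"
rcvar="sendmail_msp_queue_enable"
pidfile="${sendmail_msp_queue_pidfile:-/var/spool/clientmqueue/sm-client.pid}"
required_files="/etc/mail/submit.cf"
run_rc_command "$1"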