[Midnightbsd-cvs] src [7042] trunk: bring in a useful feature from FreeBSD.

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Thu Jun 18 20:57:25 EDT 2015


Revision: 7042
          http://svnweb.midnightbsd.org/src/?rev=7042
Author:   laffer1
Date:     2015-06-18 20:57:24 -0400 (Thu, 18 Jun 2015)
Log Message:
-----------
bring in a useful feature from FreeBSD. Generate SSL certificates automatically for sendmail

Modified Paths:
--------------
    trunk/etc/defaults/rc.conf
    trunk/etc/rc.d/sendmail
    trunk/etc/sendmail/freebsd.mc
    trunk/share/man/man8/rc.sendmail.8

Modified: trunk/etc/defaults/rc.conf
===================================================================
--- trunk/etc/defaults/rc.conf	2015-06-19 00:16:01 UTC (rev 7041)
+++ trunk/etc/defaults/rc.conf	2015-06-19 00:57:24 UTC (rev 7042)
@@ -574,6 +574,8 @@
 sendmail_pidfile="/var/run/sendmail.pid"	# sendmail pid file
 sendmail_procname="/usr/sbin/sendmail"		# sendmail process name
 sendmail_flags="-L sm-mta -bd -q30m" # Flags to sendmail (as a server)
+sendmail_cert_create="YES"	# Create a server certificate if none (YES/NO)
+sendmail_cert_cn="CN"		# CN of the generated certificate
 sendmail_submit_enable="YES"	# Start a localhost-only MTA for mail submission
 sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost"
 				# Flags for localhost-only MTA
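Review bot: The default `sendmail_cert_cn="CN"` defeats the hostname fallback: the sendmail_cert_create function added to etc/rc.d/sendmail in this commit takes the CN from `${sendmail_cert_cn:-`hostname`}`, and `:-` only substitutes for an unset or empty value, so every default install gets a server certificate whose Common Name is literally "CN", while the rc.sendmail(8) text added in the last hunk says the hostname is used. The default should be empty, `sendmail_cert_cn=""		# CN of the generated certificate (default: hostname)`. That keeps the variable, the script's fallback chain and the man page in agreement.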

Modified: trunk/etc/rc.d/sendmail
===================================================================
--- trunk/etc/rc.d/sendmail	2015-06-19 00:16:01 UTC (rev 7041)
+++ trunk/etc/rc.d/sendmail	2015-06-19 00:57:24 UTC (rev 7042)
@@ -1,5 +1,6 @@
 #!/bin/sh
 #
+# $FreeBSD: stable/10/etc/rc.d/sendmail 256982 2013-10-23 16:55:20Z jmg $
 # $MidnightBSD$
 
 # PROVIDE: mail
@@ -23,6 +24,8 @@
 pidfile=${sendmail_pidfile:-/var/run/${name}.pid}
 procname=${sendmail_procname:-/usr/sbin/${name}}
 
+CERTDIR=/etc/mail/certs
+
 case ${sendmail_enable} in
 [Nn][Oo][Nn][Ee])
 	sendmail_enable="NO"
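Review bot: `CERTDIR=/etc/mail/certs` duplicates the path that freebsd.mc in this commit defines as `CERT_DIR`, and nothing ties the two together, so a comment above the assignment would help the next editor: `# Must match CERT_DIR in /etc/mail/freebsd.mc (confSERVER_CERT, confCACERT, ...)`. Making it overridable from rc.conf (e.g. `CERTDIR=${sendmail_cert_dir:-/etc/mail/certs}`, a constructed name) is optional and would need a matching line in defaults/rc.conf and rc.sendmail(8).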
@@ -43,6 +46,118 @@
 	sendmail_outbound_enable="NO"
 fi
 
+sendmail_cert_create()
+{
+	cnname="${sendmail_cert_cn:-`hostname`}"
+	cnname="${cnname:-amnesiac}"
+
+	# based upon:
+	# http://www.sendmail.org/~ca/email/other/cagreg.html
+	CAdir=`mktemp -d` &&
+	certpass=`(date; ps ax ; hostname) | md5 -q`
+
+	# make certificate authority
+	( cd "$CAdir" &&
+	chmod 700 "$CAdir" &&
+	mkdir certs crl newcerts &&
+	echo "01" > serial &&
+	:> index.txt &&
+
+	cat <<-OPENSSL_CNF > openssl.cnf &&
+		RANDFILE	= $CAdir/.rnd
+		[ ca ]
+		default_ca	= CA_default
+		[ CA_default ]
+		dir		= .
+		certs		= \$dir/certs		# Where the issued certs are kept
+		crl_dir		= \$dir/crl		# Where the issued crl are kept
+		database	= \$dir/index.txt	# database index file.
+		new_certs_dir	= \$dir/newcerts	# default place for new certs.
+		certificate	= \$dir/cacert.pem 	# The CA certificate
+		serial		= \$dir/serial 		# The current serial number
+		crlnumber	= \$dir/crlnumber	# the current crl number
+		crl		= \$dir/crl.pem 	# The current CRL
+		private_key	= \$dir/cakey.pem
+		x509_extensions	= usr_cert		# The extentions to add to the cert
+		name_opt 	= ca_default		# Subject Name options
+		cert_opt 	= ca_default		# Certificate field options
+		default_days	= 365			# how long to certify for
+		default_crl_days= 30			# how long before next CRL
+		default_md	= default		# use public key default MD
+		preserve	= no			# keep passed DN ordering
+		policy		= policy_anything
+		[ policy_anything ]
+		countryName		= optional
+		stateOrProvinceName	= optional
+		localityName		= optional
+		organizationName	= optional
+		organizationalUnitName	= optional
+		commonName		= supplied
+		emailAddress		= optional
+		[ req ]
+		default_bits		= 2048
+		default_keyfile 	= privkey.pem
+		distinguished_name	= req_distinguished_name
+		attributes		= req_attributes
+		x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+		string_mask = utf8only
+		prompt = no
+		[ req_distinguished_name ]
+		countryName			= XX
+		stateOrProvinceName		= Some-state
+		localityName			= Some-city
+		0.organizationName		= Some-org
+		CN				= $cnname
+		[ req_attributes ]
+		challengePassword		= foobar
+		unstructuredName		= An optional company name
+		[ usr_cert ]
+		basicConstraints=CA:FALSE
+		nsComment			= "OpenSSL Generated Certificate"
+		subjectKeyIdentifier=hash
+		authorityKeyIdentifier=keyid,issuer
+		[ v3_req ]
+		basicConstraints = CA:FALSE
+		keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+		[ v3_ca ]
+		subjectKeyIdentifier=hash
+		authorityKeyIdentifier=keyid:always,issuer
+		basicConstraints = CA:true
+	OPENSSL_CNF
+
+	# though we use a password, the key is discarded and never used
+	openssl req -batch -passout pass:"$certpass" -new -x509 \
+	    -keyout cakey.pem -out cacert.pem -days 3650 \
+	    -config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&
+
+	# make new certificate
+	openssl req -batch -nodes -new -x509 -keyout newkey.pem \
+	    -out newreq.pem -days 365 -config openssl.cnf \
+	    -newkey rsa:2048 >/dev/null 2>&1 &&
+
+	# sign certificate
+	openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
+	    -out tmp.pem >/dev/null 2>&1 &&
+	openssl ca -notext -config openssl.cnf \
+	    -out newcert.pem -keyfile cakey.pem -cert cacert.pem \
+	    -key "$certpass" -batch -infiles tmp.pem >/dev/null 2>&1 &&
+
+	mkdir -p "$CERTDIR" &&
+	chmod 0755 "$CERTDIR" &&
+	chmod 644 newcert.pem cacert.pem &&
+	chmod 600 newkey.pem &&
+	cp -p newcert.pem "$CERTDIR"/host.cert &&
+	cp -p cacert.pem "$CERTDIR"/cacert.pem &&
+	cp -p newkey.pem "$CERTDIR"/host.key &&
+	ln -s cacert.pem "$CERTDIR"/`openssl x509 -hash -noout \
+	    -in cacert.pem`.0)
+
+	retVal="$?"
+	rm -rf "$CAdir"
+
+	return "$retVal"
+}
+
 sendmail_precmd()
 {
 	# Die if there's pre-8.10 custom configuration file.  This check is
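Review bot: The host certificate issued by `openssl ca` is valid for only 365 days (`default_days = 365` in the generated openssl.cnf and `-days 365` on the request), but the precmd check in the next hunk calls this function only when none of host.cert, host.key and cacert.pem exist, so after a year sendmail keeps presenting an expired certificate with no renewal path; either issue the host certificate for the same 3650 days as the CA, or state in rc.sendmail(8) that the three files must be removed to regenerate. The certificate also carries no subjectAltName (the `usr_cert` section sets only basicConstraints, nsComment and the key identifiers), so peers that match the name against SAN rather than CN will not accept it; that is tolerable for opportunistic STARTTLS but deserves a comment such as `# no subjectAltName: intended for opportunistic STARTTLS, not strict peer verification`. Every openssl invocation has stdout and stderr sent to /dev/null, so a failed generation cannot be diagnosed from the console or log. The CA passphrase in `certpass` is passed on the openssl command line (`-passout pass:...`, `-key "$certpass"`) and is therefore visible to other local users via ps while the function runs; the comment "though we use a password, the key is discarded" should note that this is why the exposure is acceptable.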
@@ -70,6 +185,17 @@
 				/usr/bin/newaliases
 		fi
 	fi
+
+	if checkyesno sendmail_cert_create && [ ! \( \
+	    -f "$CERTDIR/host.cert" -o -f "$CERTDIR/host.key" -o \
+	    -f "$CERTDIR/cacert.pem" \) ]; then
+		if ! openssl version >/dev/null 2>&1; then
+			warn "OpenSSL not available, but sendmail_cert_create is YES."
+		else
+			info Creating certificate for sendmail.
+			sendmail_cert_create
+		fi
+	fi
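Review bot: The return value of `sendmail_cert_create` is discarded on the call line, and since the function silences all openssl output a failed generation leaves no trace: sendmail then starts without usable certificate files and STARTTLS is silently unavailable. Check the result, `sendmail_cert_create || warn "Certificate generation for sendmail failed."`. The `info` message should be quoted like the `warn` above it, `info "Creating certificate for sendmail."`. The `-o` operator inside `[ ]` is marked obsolescent by POSIX; three separate `[ ! -f ... ]` tests joined with `&&` would be the portable form, though the current expression presumably works with this system's /bin/sh. The enclosing sendmail_precmd function starts outside this hunk.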
 }
 
 run_rc_command "$1"
@@ -79,7 +205,6 @@
 if checkyesno sendmail_submit_enable; then
 	name="sendmail_submit"
 	rcvar="sendmail_submit_enable"
-	start_cmd="${command} ${sendmail_submit_flags}"
 	run_rc_command "$1"
 fi
 
@@ -86,13 +211,11 @@
 if checkyesno sendmail_outbound_enable; then
 	name="sendmail_outbound"
 	rcvar="sendmail_outbound_enable"
-	start_cmd="${command} ${sendmail_outbound_flags}"
 	run_rc_command "$1"
 fi
 
-name="sendmail_clientmqueue"
+name="sendmail_msp_queue"
 rcvar="sendmail_msp_queue_enable"
-start_cmd="${command} ${sendmail_msp_queue_flags}"
-pidfile="${sendmail_mspq_pidfile:-/var/spool/clientmqueue/sm-client.pid}"
+pidfile="${sendmail_msp_queue_pidfile:-/var/spool/clientmqueue/sm-client.pid}"
 required_files="/etc/mail/submit.cf"
 run_rc_command "$1"
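Review bot: Renaming the pidfile override from `sendmail_mspq_pidfile` to `sendmail_msp_queue_pidfile` changes a user-visible rc.conf variable with no fallback, so an existing rc.conf that sets the old name is silently ignored; the defaults/rc.conf hunk in this commit does not add the new name either, so confirm that defaults/rc.conf and rc.sendmail(8) are updated, and consider honoring the old name for a release, `pidfile="${sendmail_msp_queue_pidfile:-${sendmail_mspq_pidfile:-/var/spool/clientmqueue/sm-client.pid}}"`. With `name="sendmail_msp_queue"` and start_cmd removed, run_rc_command now picks up `sendmail_msp_queue_flags` itself, which is consistent with the flags variable the deleted line referenced.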

Modified: trunk/etc/sendmail/freebsd.mc
===================================================================
--- trunk/etc/sendmail/freebsd.mc	2015-06-19 00:16:01 UTC (rev 7041)
+++ trunk/etc/sendmail/freebsd.mc	2015-06-19 00:57:24 UTC (rev 7042)
@@ -34,7 +34,7 @@
 #
 
 #
-#  This is a generic configuration file for FreeBSD 5.X and later systems.
+#  This is a generic configuration file for FreeBSD 6.X and later systems.
 #  If you want to customize it, copy it to a name appropriate for your
 #  environment and do the modifications there.
 #
@@ -41,10 +41,15 @@
 #  The best documentation for this .mc file is:
 #  /usr/share/sendmail/cf/README or
 #  /usr/src/contrib/sendmail/cf/README
+# 
 #
+#  NOTE: If you enable RunAsUser, make sure that you adjust the permissions
+#  and owner of the SSL certificates and keys in /etc/mail/certs to be usable
+#  by that user.
+#
 
 divert(0)
-VERSIONID(`$MidnightBSD: src/etc/sendmail/freebsd.mc,v 1.3 2007/11/23 22:11:51 laffer1 Exp $')
+VERSIONID(`$MidnightBSD$')
 OSTYPE(freebsd6)
 DOMAIN(generic)
 
@@ -54,6 +59,16 @@
 FEATURE(mailertable, `hash -o /etc/mail/mailertable')
 FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
 
+dnl Enable STARTTLS for receiving email.
+define(`CERT_DIR', `/etc/mail/certs')dnl
+define(`confSERVER_CERT', `CERT_DIR/host.cert')dnl
+define(`confSERVER_KEY', `CERT_DIR/host.key')dnl
+define(`confCLIENT_CERT', `CERT_DIR/host.cert')dnl
+define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl
+define(`confCACERT', `CERT_DIR/cacert.pem')dnl
+define(`confCACERT_PATH', `CERT_DIR')dnl
+define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl
+
 dnl Uncomment to allow relaying based on your MX records.
 dnl NOTE: This can allow sites to use your server as a backup MX without
 dnl       your permission.
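Review bot: `confDH_PARAMETERS` points at `CERT_DIR/dh.param`, but the certificate generation added to etc/rc.d/sendmail in this commit writes only host.cert, host.key, cacert.pem and a hash symlink, so dh.param never exists on a default install; how sendmail handles a missing DH parameters file is not visible here and should be confirmed (it may log an error during STARTTLS setup or fall back to built-in parameters). Either generate the file alongside the certificate (`openssl dhparam -out "$CERTDIR"/dh.param 2048`) or add a `dnl` comment above this define stating that the file is optional and how to create it. Reusing host.cert/host.key for confCLIENT_CERT/confCLIENT_KEY works, but a one-line `dnl` note that the same key pair is presented for both inbound and outbound TLS would make the intent explicit.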
@@ -63,15 +78,13 @@
 dnl --------------------------------
 dnl DNS based black hole lists come and go on a regular basis
 dnl so this file will not serve as a database of the available servers.
-dnl For that, visit
-dnl http://www.google.com/Top/Computers/Internet/E-mail/Spam/Blacklists/
+dnl For more information, visit
+dnl http://en.wikipedia.org/wiki/DNSBL
 
-dnl Uncomment to activate Realtime Blackhole List
-dnl information available at http://www.mail-abuse.com/
-dnl NOTE: This is a subscription service as of July 31, 2001
-dnl FEATURE(dnsbl)
+dnl Uncomment to activate your chosen DNS based blacklist
+dnl FEATURE(dnsbl, `dnsbl.example.com')
 dnl Alternatively, you can provide your own server and rejection message:
-dnl FEATURE(dnsbl, `blackholes.mail-abuse.org', ``"550 Mail from " $&{client_addr} " rejected, see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr}'')
+dnl FEATURE(dnsbl, `dnsbl.example.com', ``"550 Mail from " $&{client_addr} " rejected"'')
 
 dnl Dialup users should uncomment and define this appropriately
 dnl define(`SMART_HOST', `your.isp.mail.server')

Modified: trunk/share/man/man8/rc.sendmail.8
===================================================================
--- trunk/share/man/man8/rc.sendmail.8	2015-06-19 00:16:01 UTC (rev 7041)
+++ trunk/share/man/man8/rc.sendmail.8	2015-06-19 00:57:24 UTC (rev 7042)
@@ -24,9 +24,10 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
+.\" $FreeBSD: stable/10/share/man/man8/rc.sendmail.8 256982 2013-10-23 16:55:20Z jmg $
 .\" $MidnightBSD$
 .\"
-.Dd March 30, 2002
+.Dd October 19, 2013
 .Dt RC.SENDMAIL 8
 .Os
 .Sh NAME
@@ -119,6 +120,42 @@
 .Dq Li NONE
 option is deprecated and should not be used.
 It will be removed in a future release.
+.It Va sendmail_cert_create
+.Pq Vt str
+If
+.Va sendmail_enable
+is set to
+.Dq Li YES ,
+create a signed certificate
+.Pa /etc/mail/certs/host.cert
+representing
+.Pa /etc/mail/certs/host.key
+by the CA certificate in
+.Pa /etc/mail/certs/cacert.pem .
+This will enable connecting hosts to negotiate STARTTLS allowing incoming
+email to be encrypted in transit.
+.Xr sendmail 8
+needs to be configured to use these generated files.
+The default configuration in
+.Pa /etc/mail/freebsd.mc
+has the required options in it.
+.It Va sendmail_cert_cn
+.Pq Vt str
+If
+.Va sendmail_enable
+is set to
+.Dq Li YES
+and
+.Va sendmail_cert_create
+is set to
+.Dq Li YES ,
+this is the Common Name (CN) of the certificate that will be created.
+If
+.Va sendmail_cert_cn
+is not set, the system's hostname will be used.
+If there is no hostname set,
+.Dq Li amnesiac
+will be used.
 .It Va sendmail_flags
 .Pq Vt str
 If


