xref: /freebsd/libexec/rc/rc.d/sendmail (revision 3ceba58a7509418b47b8fca2d2b6bbf088714e26) 
1#!/bin/sh
2#
3#
4
5# PROVIDE: mail
6# REQUIRE: LOGIN FILESYSTEMS
7# KEYWORD: shutdown
8#
9# We make mail start late, so that things like .forward's are not processed
10# until the system is fully operational.
11
12# XXX - Get together with sendmail mantainer to figure out how to
13#	better handle SENDMAIL_ENABLE and 3rd party MTAs.
14#
15. /etc/rc.subr
16
17name="sendmail"
18desc="Electronic mail transport agent"
19rcvar="sendmail_enable"
20required_files="/etc/mail/${name}.cf"
21start_precmd="sendmail_precmd"
22
23: ${sendmail_svcj_options:="net_basic"}
24
25load_rc_config $name
26command=${sendmail_program:-/usr/sbin/${name}}
27pidfile=${sendmail_pidfile:-/var/run/${name}.pid}
28procname=${sendmail_procname:-/usr/sbin/${name}}
29
30CERTDIR=/etc/mail/certs
31
32case ${sendmail_enable} in
33[Nn][Oo][Nn][Ee])
34	sendmail_enable="NO"
35	sendmail_submit_enable="NO"
36	sendmail_outbound_enable="NO"
37	sendmail_msp_queue_enable="NO"
38	;;
39esac
40
41# If sendmail_enable=yes, don't need submit or outbound daemon
42if checkyesno sendmail_enable; then
43	sendmail_submit_enable="NO"
44	sendmail_outbound_enable="NO"
45fi
46
47# If sendmail_submit_enable=yes, don't need outbound daemon
48if checkyesno sendmail_submit_enable; then
49	sendmail_outbound_enable="NO"
50fi
51
52sendmail_cert_create()
53{
54	cnname="${sendmail_cert_cn:-`hostname`}"
55	cnname="${cnname:-amnesiac}"
56
57	# based upon:
58	# http://www.sendmail.org/~ca/email/other/cagreg.html
59	CAdir=`mktemp -d` &&
60	certpass=`(date; ps ax ; hostname) | md5 -q`
61
62	# make certificate authority
63	( cd "$CAdir" &&
64	chmod 700 "$CAdir" &&
65	mkdir certs crl newcerts &&
66	echo "01" > serial &&
67	:> index.txt &&
68
69	cat <<-OPENSSL_CNF > openssl.cnf &&
70		RANDFILE	= $CAdir/.rnd
71		[ ca ]
72		default_ca	= CA_default
73		[ CA_default ]
74		dir		= .
75		certs		= \$dir/certs		# Where the issued certs are kept
76		crl_dir		= \$dir/crl		# Where the issued crl are kept
77		database	= \$dir/index.txt	# database index file.
78		new_certs_dir	= \$dir/newcerts	# default place for new certs.
79		certificate	= \$dir/cacert.pem 	# The CA certificate
80		serial		= \$dir/serial 		# The current serial number
81		crlnumber	= \$dir/crlnumber	# the current crl number
82		crl		= \$dir/crl.pem 	# The current CRL
83		private_key	= \$dir/cakey.pem
84		x509_extensions	= usr_cert		# The extensions to add to the cert
85		name_opt 	= ca_default		# Subject Name options
86		cert_opt 	= ca_default		# Certificate field options
87		default_days	= 365			# how long to certify for
88		default_crl_days= 30			# how long before next CRL
89		default_md	= default		# use public key default MD
90		preserve	= no			# keep passed DN ordering
91		policy		= policy_anything
92		[ policy_anything ]
93		countryName		= optional
94		stateOrProvinceName	= optional
95		localityName		= optional
96		organizationName	= optional
97		organizationalUnitName	= optional
98		commonName		= supplied
99		emailAddress		= optional
100		[ req ]
101		default_bits		= 2048
102		default_keyfile 	= privkey.pem
103		distinguished_name	= req_distinguished_name
104		attributes		= req_attributes
105		x509_extensions	= v3_ca	# The extensions to add to the self signed cert
106		string_mask = utf8only
107		prompt = no
108		[ req_distinguished_name ]
109		countryName			= XX
110		stateOrProvinceName		= Some-state
111		localityName			= Some-city
112		0.organizationName		= Some-org
113		CN				= $cnname
114		[ req_attributes ]
115		challengePassword		= foobar
116		unstructuredName		= An optional company name
117		[ usr_cert ]
118		basicConstraints=CA:FALSE
119		nsComment			= "OpenSSL Generated Certificate"
120		subjectKeyIdentifier=hash
121		authorityKeyIdentifier=keyid,issuer
122		[ v3_req ]
123		basicConstraints = CA:FALSE
124		keyUsage = nonRepudiation, digitalSignature, keyEncipherment
125		[ v3_ca ]
126		subjectKeyIdentifier=hash
127		authorityKeyIdentifier=keyid:always,issuer
128		basicConstraints = CA:true
129	OPENSSL_CNF
130
131	# though we use a password, the key is discarded and never used
132	openssl req -batch -passout pass:"$certpass" -new -x509 \
133	    -keyout cakey.pem -out cacert.pem -days 3650 \
134	    -config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&
135
136	# make new certificate
137	openssl req -batch -nodes -new -x509 -keyout newkey.pem \
138	    -out newreq.pem -days 365 -config openssl.cnf \
139	    -newkey rsa:2048 >/dev/null 2>&1 &&
140
141	# sign certificate
142	openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
143	    -out tmp.pem >/dev/null 2>&1 &&
144	openssl ca -notext -config openssl.cnf \
145	    -out newcert.pem -keyfile cakey.pem -cert cacert.pem \
146	    -key "$certpass" -batch -infiles tmp.pem >/dev/null 2>&1 &&
147
148	mkdir -p "$CERTDIR" &&
149	chmod 0755 "$CERTDIR" &&
150	chmod 644 newcert.pem cacert.pem &&
151	chmod 600 newkey.pem &&
152	cp -p newcert.pem "$CERTDIR"/host.cert &&
153	cp -p cacert.pem "$CERTDIR"/cacert.pem &&
154	cp -p newkey.pem "$CERTDIR"/host.key &&
155	ln -s cacert.pem "$CERTDIR"/`openssl x509 -hash -noout \
156	    -in cacert.pem`.0)
157
158	retVal="$?"
159	rm -rf "$CAdir"
160
161	return "$retVal"
162}
163
164sendmail_precmd()
165{
166	# Die if there's pre-8.10 custom configuration file.  This check is
167	# mandatory for smooth upgrade.  See NetBSD PR 10100 for details.
168	#
169	if checkyesno ${rcvar} && [ -f "/etc/${name}.cf" ]; then
170		if ! cmp -s "/etc/mail/${name}.cf" "/etc/${name}.cf"; then
171			warn \
172    "${name} was not started; you have multiple copies of sendmail.cf."
173			return 1
174		fi
175	fi
176
177	# check modifications on /etc/mail/aliases
178	if checkyesno sendmail_rebuild_aliases; then
179		if [ -f "/etc/mail/aliases.db" ]; then
180			if [ "/etc/mail/aliases" -nt "/etc/mail/aliases.db" ]; then
181				echo \
182	    	"${name}: /etc/mail/aliases newer than /etc/mail/aliases.db, regenerating"
183				/usr/bin/newaliases
184			fi
185		else
186			echo \
187	    	"${name}: /etc/mail/aliases.db not present, generating"
188				/usr/bin/newaliases
189		fi
190	fi
191
192	if checkyesno sendmail_cert_create && [ ! \( \
193	    -f "$CERTDIR/host.cert" -o -f "$CERTDIR/host.key" -o \
194	    -f "$CERTDIR/cacert.pem" \) ]; then
195		if ! openssl version >/dev/null 2>&1; then
196			warn "OpenSSL not available, but sendmail_cert_create is YES."
197		else
198			info Creating certificate for sendmail.
199			sendmail_cert_create
200		fi
201	fi
202
203	if [ ! -f /var/log/sendmail.st ]; then
204		/usr/bin/install -m 640 -o root -g wheel /dev/null /var/log/sendmail.st
205	fi
206}
207
208run_rc_command "$1"
209_ret=$?
210
211required_files=
212
213if checkyesno sendmail_submit_enable; then
214	name="sendmail_submit"
215	rcvar="sendmail_submit_enable"
216	_rc_restart_done=false
217	run_rc_command "$1"
218	_ret=$(( _ret > $? ? _ret : $? ))
219fi
220
221if checkyesno sendmail_outbound_enable; then
222	name="sendmail_outbound"
223	rcvar="sendmail_outbound_enable"
224	_rc_restart_done=false
225	run_rc_command "$1"
226	_ret=$(( _ret > $? ? _ret : $? ))
227fi
228
229name="sendmail_msp_queue"
230rcvar="sendmail_msp_queue_enable"
231pidfile="${sendmail_msp_queue_pidfile:-/var/spool/clientmqueue/sm-client.pid}"
232required_files="/etc/mail/submit.cf"
233_rc_restart_done=false
234run_rc_command "$1"
235_ret=$(( _ret > $? ? _ret : $? ))
236
237(exit "$_ret")
238