xref: /freebsd/libexec/rc/rc.d/sendmail (revision 95ee2897e98f5d444f26ed2334cc7c439f9c16c6)
1#!/bin/sh
2#
3# $FreeBSD$
4#
5
6# PROVIDE: mail
7# REQUIRE: LOGIN FILESYSTEMS
8#	we make mail start late, so that things like .forward's are not
9#	processed until the system is fully operational
10# KEYWORD: shutdown
11
12# XXX - Get together with sendmail mantainer to figure out how to
13#	better handle SENDMAIL_ENABLE and 3rd party MTAs.
14#
15. /etc/rc.subr
16
17name="sendmail"
18desc="Electronic mail transport agent"
19rcvar="sendmail_enable"
20required_files="/etc/mail/${name}.cf"
21start_precmd="sendmail_precmd"
22
23load_rc_config $name
24command=${sendmail_program:-/usr/sbin/${name}}
25pidfile=${sendmail_pidfile:-/var/run/${name}.pid}
26procname=${sendmail_procname:-/usr/sbin/${name}}
27
28CERTDIR=/etc/mail/certs
29
30case ${sendmail_enable} in
31[Nn][Oo][Nn][Ee])
32	sendmail_enable="NO"
33	sendmail_submit_enable="NO"
34	sendmail_outbound_enable="NO"
35	sendmail_msp_queue_enable="NO"
36	;;
37esac
38
39# If sendmail_enable=yes, don't need submit or outbound daemon
40if checkyesno sendmail_enable; then
41	sendmail_submit_enable="NO"
42	sendmail_outbound_enable="NO"
43fi
44
45# If sendmail_submit_enable=yes, don't need outbound daemon
46if checkyesno sendmail_submit_enable; then
47	sendmail_outbound_enable="NO"
48fi
49
50sendmail_cert_create()
51{
52	cnname="${sendmail_cert_cn:-`hostname`}"
53	cnname="${cnname:-amnesiac}"
54
55	# based upon:
56	# http://www.sendmail.org/~ca/email/other/cagreg.html
57	CAdir=`mktemp -d` &&
58	certpass=`(date; ps ax ; hostname) | md5 -q`
59
60	# make certificate authority
61	( cd "$CAdir" &&
62	chmod 700 "$CAdir" &&
63	mkdir certs crl newcerts &&
64	echo "01" > serial &&
65	:> index.txt &&
66
67	cat <<-OPENSSL_CNF > openssl.cnf &&
68		RANDFILE	= $CAdir/.rnd
69		[ ca ]
70		default_ca	= CA_default
71		[ CA_default ]
72		dir		= .
73		certs		= \$dir/certs		# Where the issued certs are kept
74		crl_dir		= \$dir/crl		# Where the issued crl are kept
75		database	= \$dir/index.txt	# database index file.
76		new_certs_dir	= \$dir/newcerts	# default place for new certs.
77		certificate	= \$dir/cacert.pem 	# The CA certificate
78		serial		= \$dir/serial 		# The current serial number
79		crlnumber	= \$dir/crlnumber	# the current crl number
80		crl		= \$dir/crl.pem 	# The current CRL
81		private_key	= \$dir/cakey.pem
82		x509_extensions	= usr_cert		# The extensions to add to the cert
83		name_opt 	= ca_default		# Subject Name options
84		cert_opt 	= ca_default		# Certificate field options
85		default_days	= 365			# how long to certify for
86		default_crl_days= 30			# how long before next CRL
87		default_md	= default		# use public key default MD
88		preserve	= no			# keep passed DN ordering
89		policy		= policy_anything
90		[ policy_anything ]
91		countryName		= optional
92		stateOrProvinceName	= optional
93		localityName		= optional
94		organizationName	= optional
95		organizationalUnitName	= optional
96		commonName		= supplied
97		emailAddress		= optional
98		[ req ]
99		default_bits		= 2048
100		default_keyfile 	= privkey.pem
101		distinguished_name	= req_distinguished_name
102		attributes		= req_attributes
103		x509_extensions	= v3_ca	# The extensions to add to the self signed cert
104		string_mask = utf8only
105		prompt = no
106		[ req_distinguished_name ]
107		countryName			= XX
108		stateOrProvinceName		= Some-state
109		localityName			= Some-city
110		0.organizationName		= Some-org
111		CN				= $cnname
112		[ req_attributes ]
113		challengePassword		= foobar
114		unstructuredName		= An optional company name
115		[ usr_cert ]
116		basicConstraints=CA:FALSE
117		nsComment			= "OpenSSL Generated Certificate"
118		subjectKeyIdentifier=hash
119		authorityKeyIdentifier=keyid,issuer
120		[ v3_req ]
121		basicConstraints = CA:FALSE
122		keyUsage = nonRepudiation, digitalSignature, keyEncipherment
123		[ v3_ca ]
124		subjectKeyIdentifier=hash
125		authorityKeyIdentifier=keyid:always,issuer
126		basicConstraints = CA:true
127	OPENSSL_CNF
128
129	# though we use a password, the key is discarded and never used
130	openssl req -batch -passout pass:"$certpass" -new -x509 \
131	    -keyout cakey.pem -out cacert.pem -days 3650 \
132	    -config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&
133
134	# make new certificate
135	openssl req -batch -nodes -new -x509 -keyout newkey.pem \
136	    -out newreq.pem -days 365 -config openssl.cnf \
137	    -newkey rsa:2048 >/dev/null 2>&1 &&
138
139	# sign certificate
140	openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
141	    -out tmp.pem >/dev/null 2>&1 &&
142	openssl ca -notext -config openssl.cnf \
143	    -out newcert.pem -keyfile cakey.pem -cert cacert.pem \
144	    -key "$certpass" -batch -infiles tmp.pem >/dev/null 2>&1 &&
145
146	mkdir -p "$CERTDIR" &&
147	chmod 0755 "$CERTDIR" &&
148	chmod 644 newcert.pem cacert.pem &&
149	chmod 600 newkey.pem &&
150	cp -p newcert.pem "$CERTDIR"/host.cert &&
151	cp -p cacert.pem "$CERTDIR"/cacert.pem &&
152	cp -p newkey.pem "$CERTDIR"/host.key &&
153	ln -s cacert.pem "$CERTDIR"/`openssl x509 -hash -noout \
154	    -in cacert.pem`.0)
155
156	retVal="$?"
157	rm -rf "$CAdir"
158
159	return "$retVal"
160}
161
162sendmail_precmd()
163{
164	# Die if there's pre-8.10 custom configuration file.  This check is
165	# mandatory for smooth upgrade.  See NetBSD PR 10100 for details.
166	#
167	if checkyesno ${rcvar} && [ -f "/etc/${name}.cf" ]; then
168		if ! cmp -s "/etc/mail/${name}.cf" "/etc/${name}.cf"; then
169			warn \
170    "${name} was not started; you have multiple copies of sendmail.cf."
171			return 1
172		fi
173	fi
174
175	# check modifications on /etc/mail/aliases
176	if checkyesno sendmail_rebuild_aliases; then
177		if [ -f "/etc/mail/aliases.db" ]; then
178			if [ "/etc/mail/aliases" -nt "/etc/mail/aliases.db" ]; then
179				echo \
180	    	"${name}: /etc/mail/aliases newer than /etc/mail/aliases.db, regenerating"
181				/usr/bin/newaliases
182			fi
183		else
184			echo \
185	    	"${name}: /etc/mail/aliases.db not present, generating"
186				/usr/bin/newaliases
187		fi
188	fi
189
190	if checkyesno sendmail_cert_create && [ ! \( \
191	    -f "$CERTDIR/host.cert" -o -f "$CERTDIR/host.key" -o \
192	    -f "$CERTDIR/cacert.pem" \) ]; then
193		if ! openssl version >/dev/null 2>&1; then
194			warn "OpenSSL not available, but sendmail_cert_create is YES."
195		else
196			info Creating certificate for sendmail.
197			sendmail_cert_create
198		fi
199	fi
200
201	if [ ! -f /var/log/sendmail.st ]; then
202		/usr/bin/install -m 640 -o root -g wheel /dev/null /var/log/sendmail.st
203	fi
204}
205
206run_rc_command "$1"
207
208required_files=
209
210if checkyesno sendmail_submit_enable; then
211	name="sendmail_submit"
212	rcvar="sendmail_submit_enable"
213	_rc_restart_done=false
214	run_rc_command "$1"
215fi
216
217if checkyesno sendmail_outbound_enable; then
218	name="sendmail_outbound"
219	rcvar="sendmail_outbound_enable"
220	_rc_restart_done=false
221	run_rc_command "$1"
222fi
223
224name="sendmail_msp_queue"
225rcvar="sendmail_msp_queue_enable"
226pidfile="${sendmail_msp_queue_pidfile:-/var/spool/clientmqueue/sm-client.pid}"
227required_files="/etc/mail/submit.cf"
228_rc_restart_done=false
229run_rc_command "$1"
230