xref: /freebsd/libexec/rc/rc.d/sendmail (revision a03411e84728e9b267056fd31c7d1d9d1dc1b01e)
1#!/bin/sh
2#
3#
4
5# PROVIDE: mail
6# REQUIRE: LOGIN FILESYSTEMS
7#	we make mail start late, so that things like .forward's are not
8#	processed until the system is fully operational
9# KEYWORD: shutdown
10
11# XXX - Get together with sendmail mantainer to figure out how to
12#	better handle SENDMAIL_ENABLE and 3rd party MTAs.
13#
14. /etc/rc.subr
15
16name="sendmail"
17desc="Electronic mail transport agent"
18rcvar="sendmail_enable"
19required_files="/etc/mail/${name}.cf"
20start_precmd="sendmail_precmd"
21
22load_rc_config $name
23command=${sendmail_program:-/usr/sbin/${name}}
24pidfile=${sendmail_pidfile:-/var/run/${name}.pid}
25procname=${sendmail_procname:-/usr/sbin/${name}}
26
27CERTDIR=/etc/mail/certs
28
29case ${sendmail_enable} in
30[Nn][Oo][Nn][Ee])
31	sendmail_enable="NO"
32	sendmail_submit_enable="NO"
33	sendmail_outbound_enable="NO"
34	sendmail_msp_queue_enable="NO"
35	;;
36esac
37
38# If sendmail_enable=yes, don't need submit or outbound daemon
39if checkyesno sendmail_enable; then
40	sendmail_submit_enable="NO"
41	sendmail_outbound_enable="NO"
42fi
43
44# If sendmail_submit_enable=yes, don't need outbound daemon
45if checkyesno sendmail_submit_enable; then
46	sendmail_outbound_enable="NO"
47fi
48
49sendmail_cert_create()
50{
51	cnname="${sendmail_cert_cn:-`hostname`}"
52	cnname="${cnname:-amnesiac}"
53
54	# based upon:
55	# http://www.sendmail.org/~ca/email/other/cagreg.html
56	CAdir=`mktemp -d` &&
57	certpass=`(date; ps ax ; hostname) | md5 -q`
58
59	# make certificate authority
60	( cd "$CAdir" &&
61	chmod 700 "$CAdir" &&
62	mkdir certs crl newcerts &&
63	echo "01" > serial &&
64	:> index.txt &&
65
66	cat <<-OPENSSL_CNF > openssl.cnf &&
67		RANDFILE	= $CAdir/.rnd
68		[ ca ]
69		default_ca	= CA_default
70		[ CA_default ]
71		dir		= .
72		certs		= \$dir/certs		# Where the issued certs are kept
73		crl_dir		= \$dir/crl		# Where the issued crl are kept
74		database	= \$dir/index.txt	# database index file.
75		new_certs_dir	= \$dir/newcerts	# default place for new certs.
76		certificate	= \$dir/cacert.pem 	# The CA certificate
77		serial		= \$dir/serial 		# The current serial number
78		crlnumber	= \$dir/crlnumber	# the current crl number
79		crl		= \$dir/crl.pem 	# The current CRL
80		private_key	= \$dir/cakey.pem
81		x509_extensions	= usr_cert		# The extensions to add to the cert
82		name_opt 	= ca_default		# Subject Name options
83		cert_opt 	= ca_default		# Certificate field options
84		default_days	= 365			# how long to certify for
85		default_crl_days= 30			# how long before next CRL
86		default_md	= default		# use public key default MD
87		preserve	= no			# keep passed DN ordering
88		policy		= policy_anything
89		[ policy_anything ]
90		countryName		= optional
91		stateOrProvinceName	= optional
92		localityName		= optional
93		organizationName	= optional
94		organizationalUnitName	= optional
95		commonName		= supplied
96		emailAddress		= optional
97		[ req ]
98		default_bits		= 2048
99		default_keyfile 	= privkey.pem
100		distinguished_name	= req_distinguished_name
101		attributes		= req_attributes
102		x509_extensions	= v3_ca	# The extensions to add to the self signed cert
103		string_mask = utf8only
104		prompt = no
105		[ req_distinguished_name ]
106		countryName			= XX
107		stateOrProvinceName		= Some-state
108		localityName			= Some-city
109		0.organizationName		= Some-org
110		CN				= $cnname
111		[ req_attributes ]
112		challengePassword		= foobar
113		unstructuredName		= An optional company name
114		[ usr_cert ]
115		basicConstraints=CA:FALSE
116		nsComment			= "OpenSSL Generated Certificate"
117		subjectKeyIdentifier=hash
118		authorityKeyIdentifier=keyid,issuer
119		[ v3_req ]
120		basicConstraints = CA:FALSE
121		keyUsage = nonRepudiation, digitalSignature, keyEncipherment
122		[ v3_ca ]
123		subjectKeyIdentifier=hash
124		authorityKeyIdentifier=keyid:always,issuer
125		basicConstraints = CA:true
126	OPENSSL_CNF
127
128	# though we use a password, the key is discarded and never used
129	openssl req -batch -passout pass:"$certpass" -new -x509 \
130	    -keyout cakey.pem -out cacert.pem -days 3650 \
131	    -config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&
132
133	# make new certificate
134	openssl req -batch -nodes -new -x509 -keyout newkey.pem \
135	    -out newreq.pem -days 365 -config openssl.cnf \
136	    -newkey rsa:2048 >/dev/null 2>&1 &&
137
138	# sign certificate
139	openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
140	    -out tmp.pem >/dev/null 2>&1 &&
141	openssl ca -notext -config openssl.cnf \
142	    -out newcert.pem -keyfile cakey.pem -cert cacert.pem \
143	    -key "$certpass" -batch -infiles tmp.pem >/dev/null 2>&1 &&
144
145	mkdir -p "$CERTDIR" &&
146	chmod 0755 "$CERTDIR" &&
147	chmod 644 newcert.pem cacert.pem &&
148	chmod 600 newkey.pem &&
149	cp -p newcert.pem "$CERTDIR"/host.cert &&
150	cp -p cacert.pem "$CERTDIR"/cacert.pem &&
151	cp -p newkey.pem "$CERTDIR"/host.key &&
152	ln -s cacert.pem "$CERTDIR"/`openssl x509 -hash -noout \
153	    -in cacert.pem`.0)
154
155	retVal="$?"
156	rm -rf "$CAdir"
157
158	return "$retVal"
159}
160
161sendmail_precmd()
162{
163	# Die if there's pre-8.10 custom configuration file.  This check is
164	# mandatory for smooth upgrade.  See NetBSD PR 10100 for details.
165	#
166	if checkyesno ${rcvar} && [ -f "/etc/${name}.cf" ]; then
167		if ! cmp -s "/etc/mail/${name}.cf" "/etc/${name}.cf"; then
168			warn \
169    "${name} was not started; you have multiple copies of sendmail.cf."
170			return 1
171		fi
172	fi
173
174	# check modifications on /etc/mail/aliases
175	if checkyesno sendmail_rebuild_aliases; then
176		if [ -f "/etc/mail/aliases.db" ]; then
177			if [ "/etc/mail/aliases" -nt "/etc/mail/aliases.db" ]; then
178				echo \
179	    	"${name}: /etc/mail/aliases newer than /etc/mail/aliases.db, regenerating"
180				/usr/bin/newaliases
181			fi
182		else
183			echo \
184	    	"${name}: /etc/mail/aliases.db not present, generating"
185				/usr/bin/newaliases
186		fi
187	fi
188
189	if checkyesno sendmail_cert_create && [ ! \( \
190	    -f "$CERTDIR/host.cert" -o -f "$CERTDIR/host.key" -o \
191	    -f "$CERTDIR/cacert.pem" \) ]; then
192		if ! openssl version >/dev/null 2>&1; then
193			warn "OpenSSL not available, but sendmail_cert_create is YES."
194		else
195			info Creating certificate for sendmail.
196			sendmail_cert_create
197		fi
198	fi
199
200	if [ ! -f /var/log/sendmail.st ]; then
201		/usr/bin/install -m 640 -o root -g wheel /dev/null /var/log/sendmail.st
202	fi
203}
204
205run_rc_command "$1"
206
207required_files=
208
209if checkyesno sendmail_submit_enable; then
210	name="sendmail_submit"
211	rcvar="sendmail_submit_enable"
212	_rc_restart_done=false
213	run_rc_command "$1"
214fi
215
216if checkyesno sendmail_outbound_enable; then
217	name="sendmail_outbound"
218	rcvar="sendmail_outbound_enable"
219	_rc_restart_done=false
220	run_rc_command "$1"
221fi
222
223name="sendmail_msp_queue"
224rcvar="sendmail_msp_queue_enable"
225pidfile="${sendmail_msp_queue_pidfile:-/var/spool/clientmqueue/sm-client.pid}"
226required_files="/etc/mail/submit.cf"
227_rc_restart_done=false
228run_rc_command "$1"
229