svn commit: r256982 - in stable/10: etc/defaults etc/rc.d etc/sendmail share/man/man8
John-Mark Gurney
jmg at FreeBSD.org
Wed Oct 23 16:55:21 UTC 2013
Author: jmg
Date: Wed Oct 23 16:55:20 2013
New Revision: 256982
URL: http://svnweb.freebsd.org/changeset/base/256982
Log:
MFC r256773:
Enable the automatic creation of a certificate (if one does not exists)
and enable the usage by sendmail if sendmail is enabled.
Reviewed by: gshapiro
Approved by: re (gjb)
Modified:
stable/10/etc/defaults/rc.conf
stable/10/etc/rc.d/sendmail
stable/10/etc/sendmail/freebsd.mc
stable/10/share/man/man8/rc.sendmail.8
Directory Properties:
stable/10/etc/ (props changed)
stable/10/etc/rc.d/ (props changed)
stable/10/share/man/man8/ (props changed)
Modified: stable/10/etc/defaults/rc.conf
==============================================================================
--- stable/10/etc/defaults/rc.conf Wed Oct 23 16:14:48 2013 (r256981)
+++ stable/10/etc/defaults/rc.conf Wed Oct 23 16:55:20 2013 (r256982)
@@ -573,6 +573,8 @@ sendmail_enable="NO" # Run the sendmail
sendmail_pidfile="/var/run/sendmail.pid" # sendmail pid file
sendmail_procname="/usr/sbin/sendmail" # sendmail process name
sendmail_flags="-L sm-mta -bd -q30m" # Flags to sendmail (as a server)
+sendmail_cert_create="YES" # Create a server certificate if none (YES/NO)
+#sendmail_cert_cn="CN" # CN of the generate certificate
sendmail_submit_enable="YES" # Start a localhost-only MTA for mail submission
sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost"
# Flags for localhost-only MTA
Modified: stable/10/etc/rc.d/sendmail
==============================================================================
--- stable/10/etc/rc.d/sendmail Wed Oct 23 16:14:48 2013 (r256981)
+++ stable/10/etc/rc.d/sendmail Wed Oct 23 16:55:20 2013 (r256982)
@@ -24,6 +24,8 @@ command=${sendmail_program:-/usr/sbin/${
pidfile=${sendmail_pidfile:-/var/run/${name}.pid}
procname=${sendmail_procname:-/usr/sbin/${name}}
+CERTDIR=/etc/mail/certs
+
case ${sendmail_enable} in
[Nn][Oo][Nn][Ee])
sendmail_enable="NO"
@@ -44,6 +46,118 @@ if checkyesno sendmail_submit_enable; th
sendmail_outbound_enable="NO"
fi
+sendmail_cert_create()
+{
+ cnname="${sendmail_cert_cn:-`hostname`}"
+ cnname="${cnname:-amnesiac}"
+
+ # based upon:
+ # http://www.sendmail.org/~ca/email/other/cagreg.html
+ CAdir=`mktemp -d` &&
+ certpass=`(date; ps ax ; hostname) | md5 -q`
+
+ # make certificate authority
+ ( cd "$CAdir" &&
+ chmod 700 "$CAdir" &&
+ mkdir certs crl newcerts &&
+ echo "01" > serial &&
+ :> index.txt &&
+
+ cat <<-OPENSSL_CNF > openssl.cnf &&
+ RANDFILE = $CAdir/.rnd
+ [ ca ]
+ default_ca = CA_default
+ [ CA_default ]
+ dir = .
+ certs = \$dir/certs # Where the issued certs are kept
+ crl_dir = \$dir/crl # Where the issued crl are kept
+ database = \$dir/index.txt # database index file.
+ new_certs_dir = \$dir/newcerts # default place for new certs.
+ certificate = \$dir/cacert.pem # The CA certificate
+ serial = \$dir/serial # The current serial number
+ crlnumber = \$dir/crlnumber # the current crl number
+ crl = \$dir/crl.pem # The current CRL
+ private_key = \$dir/cakey.pem
+ x509_extensions = usr_cert # The extentions to add to the cert
+ name_opt = ca_default # Subject Name options
+ cert_opt = ca_default # Certificate field options
+ default_days = 365 # how long to certify for
+ default_crl_days= 30 # how long before next CRL
+ default_md = default # use public key default MD
+ preserve = no # keep passed DN ordering
+ policy = policy_anything
+ [ policy_anything ]
+ countryName = optional
+ stateOrProvinceName = optional
+ localityName = optional
+ organizationName = optional
+ organizationalUnitName = optional
+ commonName = supplied
+ emailAddress = optional
+ [ req ]
+ default_bits = 2048
+ default_keyfile = privkey.pem
+ distinguished_name = req_distinguished_name
+ attributes = req_attributes
+ x509_extensions = v3_ca # The extentions to add to the self signed cert
+ string_mask = utf8only
+ prompt = no
+ [ req_distinguished_name ]
+ countryName = XX
+ stateOrProvinceName = Some-state
+ localityName = Some-city
+ 0.organizationName = Some-org
+ CN = $cnname
+ [ req_attributes ]
+ challengePassword = foobar
+ unstructuredName = An optional company name
+ [ usr_cert ]
+ basicConstraints=CA:FALSE
+ nsComment = "OpenSSL Generated Certificate"
+ subjectKeyIdentifier=hash
+ authorityKeyIdentifier=keyid,issuer
+ [ v3_req ]
+ basicConstraints = CA:FALSE
+ keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+ [ v3_ca ]
+ subjectKeyIdentifier=hash
+ authorityKeyIdentifier=keyid:always,issuer
+ basicConstraints = CA:true
+ OPENSSL_CNF
+
+ # though we use a password, the key is discarded and never used
+ openssl req -batch -passout pass:"$certpass" -new -x509 \
+ -keyout cakey.pem -out cacert.pem -days 3650 \
+ -config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&
+
+ # make new certificate
+ openssl req -batch -nodes -new -x509 -keyout newkey.pem \
+ -out newreq.pem -days 365 -config openssl.cnf \
+ -newkey rsa:2048 >/dev/null 2>&1 &&
+
+ # sign certificate
+ openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
+ -out tmp.pem >/dev/null 2>&1 &&
+ openssl ca -notext -config openssl.cnf \
+ -out newcert.pem -keyfile cakey.pem -cert cacert.pem \
+ -key "$certpass" -batch -infiles tmp.pem >/dev/null 2>&1 &&
+
+ mkdir -p "$CERTDIR" &&
+ chmod 0755 "$CERTDIR" &&
+ chmod 644 newcert.pem cacert.pem &&
+ chmod 600 newkey.pem &&
+ cp -p newcert.pem "$CERTDIR"/host.cert &&
+ cp -p cacert.pem "$CERTDIR"/cacert.pem &&
+ cp -p newkey.pem "$CERTDIR"/host.key &&
+ ln -s cacert.pem "$CERTDIR"/`openssl x509 -hash -noout \
+ -in cacert.pem`.0)
+
+ retVal="$?"
+ rm -rf "$CAdir"
+
+ return "$retVal"
+}
+
sendmail_precmd()
{
# Die if there's pre-8.10 custom configuration file. This check is
@@ -71,6 +185,17 @@ sendmail_precmd()
/usr/bin/newaliases
fi
fi
+
+ if checkyesno sendmail_cert_create && [ ! \( \
+ -f "$CERTDIR/host.cert" -o -f "$CERTDIR/host.key" -o \
+ -f "$CERTDIR/cacert.pem" \) ]; then
+ if ! openssl version >/dev/null 2>&1; then
+ warn "OpenSSL not available, but sendmail_cert_create is YES."
+ else
+ info Creating certificate for sendmail.
+ sendmail_cert_create
+ fi
+ fi
}
run_rc_command "$1"
Modified: stable/10/etc/sendmail/freebsd.mc
==============================================================================
--- stable/10/etc/sendmail/freebsd.mc Wed Oct 23 16:14:48 2013 (r256981)
+++ stable/10/etc/sendmail/freebsd.mc Wed Oct 23 16:55:20 2013 (r256982)
@@ -42,6 +42,11 @@ divert(-1)
# /usr/share/sendmail/cf/README or
# /usr/src/contrib/sendmail/cf/README
#
+#
+# NOTE: If you enable RunAsUser, make sure that you adjust the permissions
+# and owner of the SSL certificates and keys in /etc/mail/certs to be usable
+# by that user.
+#
divert(0)
VERSIONID(`$FreeBSD$')
@@ -54,6 +59,16 @@ FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
+dnl Enable STARTTLS for receiving email.
+define(`CERT_DIR', `/etc/mail/certs')dnl
+define(`confSERVER_CERT', `CERT_DIR/host.cert')dnl
+define(`confSERVER_KEY', `CERT_DIR/host.key')dnl
+define(`confCLIENT_CERT', `CERT_DIR/host.cert')dnl
+define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl
+define(`confCACERT', `CERT_DIR/cacert.pem')dnl
+define(`confCACERT_PATH', `CERT_DIR')dnl
+define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl
+
dnl Uncomment to allow relaying based on your MX records.
dnl NOTE: This can allow sites to use your server as a backup MX without
dnl your permission.
Modified: stable/10/share/man/man8/rc.sendmail.8
==============================================================================
--- stable/10/share/man/man8/rc.sendmail.8 Wed Oct 23 16:14:48 2013 (r256981)
+++ stable/10/share/man/man8/rc.sendmail.8 Wed Oct 23 16:55:20 2013 (r256982)
@@ -26,7 +26,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd March 30, 2002
+.Dd October 19, 2013
.Dt RC.SENDMAIL 8
.Os
.Sh NAME
@@ -119,6 +119,42 @@ The
.Dq Li NONE
option is deprecated and should not be used.
It will be removed in a future release.
+.It Va sendmail_cert_create
+.Pq Vt str
+If
+.Va sendmail_enable
+is set to
+.Dq Li YES ,
+create a signed certificate
+.Pa /etc/mail/certs/host.cert
+representing
+.Pa /etc/mail/certs/host.key
+by the CA certificate in
+.Pa /etc/mail/certs/cacert.pem .
+This will enable connecting hosts to negotiate STARTTLS allowing incoming
+email to be encrypted in transit.
+.Xr sendmail 8
+needs to be configured to use these generated files.
+The default configuration in
+.Pa /etc/mail/freebsd.mc
+has the required options in it.
+.It Va sendmail_cert_cn
+.Pq Vt str
+If
+.Va sendmail_enable
+is set to
+.Dq Li YES
+and
+.Va sendmail_cert_create
+is set to
+.Dq Li YES ,
+this is the Common Name (CN) of the certificate that will be created.
+If
+.Va sendmail_cert_cn
+is not set, the system's hostname will be used.
+If there is no hostname set,
+.Dq Li amnesiac
+will be used.
.It Va sendmail_flags
.Pq Vt str
If
More information about the svn-src-stable-10
mailing list