mirror of
https://github.com/opnsense/src.git
synced 2026-06-05 14:54:21 -04:00
f99f0ee14e
This gives more permissions to services (e.g. network access to services which require this) when they are started as an automatic service jail. The sshd patch is important for the sshd-related functionality as described in the man-page in the service jails part. The location of the added env vars is supposed to allow overriding them in rc.conf, and to hard-disable the use of svcj for some parts where it doesn't make sense or will not work. Only a subset of all of the services are fully tested (I'm running this since more than a year with various services started as service jails). The untested parts should be most of the time ok, in some edge-cases more permissions are needed inside the service jail. Differential Revision: https://reviews.freebsd.org/D40371
230 lines
6.4 KiB
Bash
Executable file
230 lines
6.4 KiB
Bash
Executable file
#!/bin/sh
|
|
#
|
|
#
|
|
|
|
# PROVIDE: mail
|
|
# REQUIRE: LOGIN FILESYSTEMS
|
|
# we make mail start late, so that things like .forward's are not
|
|
# processed until the system is fully operational
|
|
# KEYWORD: shutdown
|
|
|
|
# XXX - Get together with sendmail mantainer to figure out how to
|
|
# better handle SENDMAIL_ENABLE and 3rd party MTAs.
|
|
#
|
|
. /etc/rc.subr
|
|
|
|
name="sendmail"
|
|
desc="Electronic mail transport agent"
|
|
rcvar="sendmail_enable"
|
|
required_files="/etc/mail/${name}.cf"
|
|
start_precmd="sendmail_precmd"
|
|
|
|
: ${sendmail_svcj_options:="net_basic"}
|
|
|
|
load_rc_config $name
|
|
command=${sendmail_program:-/usr/sbin/${name}}
|
|
pidfile=${sendmail_pidfile:-/var/run/${name}.pid}
|
|
procname=${sendmail_procname:-/usr/sbin/${name}}
|
|
|
|
CERTDIR=/etc/mail/certs
|
|
|
|
case ${sendmail_enable} in
|
|
[Nn][Oo][Nn][Ee])
|
|
sendmail_enable="NO"
|
|
sendmail_submit_enable="NO"
|
|
sendmail_outbound_enable="NO"
|
|
sendmail_msp_queue_enable="NO"
|
|
;;
|
|
esac
|
|
|
|
# If sendmail_enable=yes, don't need submit or outbound daemon
|
|
if checkyesno sendmail_enable; then
|
|
sendmail_submit_enable="NO"
|
|
sendmail_outbound_enable="NO"
|
|
fi
|
|
|
|
# If sendmail_submit_enable=yes, don't need outbound daemon
|
|
if checkyesno sendmail_submit_enable; then
|
|
sendmail_outbound_enable="NO"
|
|
fi
|
|
|
|
sendmail_cert_create()
|
|
{
|
|
cnname="${sendmail_cert_cn:-`hostname`}"
|
|
cnname="${cnname:-amnesiac}"
|
|
|
|
# based upon:
|
|
# http://www.sendmail.org/~ca/email/other/cagreg.html
|
|
CAdir=`mktemp -d` &&
|
|
certpass=`(date; ps ax ; hostname) | md5 -q`
|
|
|
|
# make certificate authority
|
|
( cd "$CAdir" &&
|
|
chmod 700 "$CAdir" &&
|
|
mkdir certs crl newcerts &&
|
|
echo "01" > serial &&
|
|
:> index.txt &&
|
|
|
|
cat <<-OPENSSL_CNF > openssl.cnf &&
|
|
RANDFILE = $CAdir/.rnd
|
|
[ ca ]
|
|
default_ca = CA_default
|
|
[ CA_default ]
|
|
dir = .
|
|
certs = \$dir/certs # Where the issued certs are kept
|
|
crl_dir = \$dir/crl # Where the issued crl are kept
|
|
database = \$dir/index.txt # database index file.
|
|
new_certs_dir = \$dir/newcerts # default place for new certs.
|
|
certificate = \$dir/cacert.pem # The CA certificate
|
|
serial = \$dir/serial # The current serial number
|
|
crlnumber = \$dir/crlnumber # the current crl number
|
|
crl = \$dir/crl.pem # The current CRL
|
|
private_key = \$dir/cakey.pem
|
|
x509_extensions = usr_cert # The extensions to add to the cert
|
|
name_opt = ca_default # Subject Name options
|
|
cert_opt = ca_default # Certificate field options
|
|
default_days = 365 # how long to certify for
|
|
default_crl_days= 30 # how long before next CRL
|
|
default_md = default # use public key default MD
|
|
preserve = no # keep passed DN ordering
|
|
policy = policy_anything
|
|
[ policy_anything ]
|
|
countryName = optional
|
|
stateOrProvinceName = optional
|
|
localityName = optional
|
|
organizationName = optional
|
|
organizationalUnitName = optional
|
|
commonName = supplied
|
|
emailAddress = optional
|
|
[ req ]
|
|
default_bits = 2048
|
|
default_keyfile = privkey.pem
|
|
distinguished_name = req_distinguished_name
|
|
attributes = req_attributes
|
|
x509_extensions = v3_ca # The extensions to add to the self signed cert
|
|
string_mask = utf8only
|
|
prompt = no
|
|
[ req_distinguished_name ]
|
|
countryName = XX
|
|
stateOrProvinceName = Some-state
|
|
localityName = Some-city
|
|
0.organizationName = Some-org
|
|
CN = $cnname
|
|
[ req_attributes ]
|
|
challengePassword = foobar
|
|
unstructuredName = An optional company name
|
|
[ usr_cert ]
|
|
basicConstraints=CA:FALSE
|
|
nsComment = "OpenSSL Generated Certificate"
|
|
subjectKeyIdentifier=hash
|
|
authorityKeyIdentifier=keyid,issuer
|
|
[ v3_req ]
|
|
basicConstraints = CA:FALSE
|
|
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
|
[ v3_ca ]
|
|
subjectKeyIdentifier=hash
|
|
authorityKeyIdentifier=keyid:always,issuer
|
|
basicConstraints = CA:true
|
|
OPENSSL_CNF
|
|
|
|
# though we use a password, the key is discarded and never used
|
|
openssl req -batch -passout pass:"$certpass" -new -x509 \
|
|
-keyout cakey.pem -out cacert.pem -days 3650 \
|
|
-config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&
|
|
|
|
# make new certificate
|
|
openssl req -batch -nodes -new -x509 -keyout newkey.pem \
|
|
-out newreq.pem -days 365 -config openssl.cnf \
|
|
-newkey rsa:2048 >/dev/null 2>&1 &&
|
|
|
|
# sign certificate
|
|
openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
|
|
-out tmp.pem >/dev/null 2>&1 &&
|
|
openssl ca -notext -config openssl.cnf \
|
|
-out newcert.pem -keyfile cakey.pem -cert cacert.pem \
|
|
-key "$certpass" -batch -infiles tmp.pem >/dev/null 2>&1 &&
|
|
|
|
mkdir -p "$CERTDIR" &&
|
|
chmod 0755 "$CERTDIR" &&
|
|
chmod 644 newcert.pem cacert.pem &&
|
|
chmod 600 newkey.pem &&
|
|
cp -p newcert.pem "$CERTDIR"/host.cert &&
|
|
cp -p cacert.pem "$CERTDIR"/cacert.pem &&
|
|
cp -p newkey.pem "$CERTDIR"/host.key &&
|
|
ln -s cacert.pem "$CERTDIR"/`openssl x509 -hash -noout \
|
|
-in cacert.pem`.0)
|
|
|
|
retVal="$?"
|
|
rm -rf "$CAdir"
|
|
|
|
return "$retVal"
|
|
}
|
|
|
|
sendmail_precmd()
|
|
{
|
|
# Die if there's pre-8.10 custom configuration file. This check is
|
|
# mandatory for smooth upgrade. See NetBSD PR 10100 for details.
|
|
#
|
|
if checkyesno ${rcvar} && [ -f "/etc/${name}.cf" ]; then
|
|
if ! cmp -s "/etc/mail/${name}.cf" "/etc/${name}.cf"; then
|
|
warn \
|
|
"${name} was not started; you have multiple copies of sendmail.cf."
|
|
return 1
|
|
fi
|
|
fi
|
|
|
|
# check modifications on /etc/mail/aliases
|
|
if checkyesno sendmail_rebuild_aliases; then
|
|
if [ -f "/etc/mail/aliases.db" ]; then
|
|
if [ "/etc/mail/aliases" -nt "/etc/mail/aliases.db" ]; then
|
|
echo \
|
|
"${name}: /etc/mail/aliases newer than /etc/mail/aliases.db, regenerating"
|
|
/usr/bin/newaliases
|
|
fi
|
|
else
|
|
echo \
|
|
"${name}: /etc/mail/aliases.db not present, generating"
|
|
/usr/bin/newaliases
|
|
fi
|
|
fi
|
|
|
|
if checkyesno sendmail_cert_create && [ ! \( \
|
|
-f "$CERTDIR/host.cert" -o -f "$CERTDIR/host.key" -o \
|
|
-f "$CERTDIR/cacert.pem" \) ]; then
|
|
if ! openssl version >/dev/null 2>&1; then
|
|
warn "OpenSSL not available, but sendmail_cert_create is YES."
|
|
else
|
|
info Creating certificate for sendmail.
|
|
sendmail_cert_create
|
|
fi
|
|
fi
|
|
|
|
if [ ! -f /var/log/sendmail.st ]; then
|
|
/usr/bin/install -m 640 -o root -g wheel /dev/null /var/log/sendmail.st
|
|
fi
|
|
}
|
|
|
|
run_rc_command "$1"
|
|
|
|
required_files=
|
|
|
|
if checkyesno sendmail_submit_enable; then
|
|
name="sendmail_submit"
|
|
rcvar="sendmail_submit_enable"
|
|
_rc_restart_done=false
|
|
run_rc_command "$1"
|
|
fi
|
|
|
|
if checkyesno sendmail_outbound_enable; then
|
|
name="sendmail_outbound"
|
|
rcvar="sendmail_outbound_enable"
|
|
_rc_restart_done=false
|
|
run_rc_command "$1"
|
|
fi
|
|
|
|
name="sendmail_msp_queue"
|
|
rcvar="sendmail_msp_queue_enable"
|
|
pidfile="${sendmail_msp_queue_pidfile:-/var/spool/clientmqueue/sm-client.pid}"
|
|
required_files="/etc/mail/submit.cf"
|
|
_rc_restart_done=false
|
|
run_rc_command "$1"
|