mirror of
https://github.com/opnsense/src.git
synced 2026-06-06 23:32:52 -04:00
8751fbe36f
The sendmail service script needs to be stopped during shutdown to ensure a clean shutdown of active SMTP connections (and writing any in memory queue files). rcorder(8) requires the rcorder block to be an uninterrupted sequence of REQUIRE, PROVIDE, BEFORE, and KEYWORD lines. Having a comment in between REQUIRE and KEYWORD makes rcorder stop parsing the block when it reaches the comment. Fix that by moving the comment out from the rcorder block. Reviewed by: bnovkov, christos, gshapiro, markj Approved by: bnovkov (mentor), christos (mentor), markj (mentor) MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D46924
231 lines
6.4 KiB
Bash
Executable file
231 lines
6.4 KiB
Bash
Executable file
#!/bin/sh
|
|
#
|
|
#
|
|
|
|
# PROVIDE: mail
|
|
# REQUIRE: LOGIN FILESYSTEMS
|
|
# KEYWORD: shutdown
|
|
#
|
|
# We make mail start late, so that things like .forward's are not processed
|
|
# until the system is fully operational.
|
|
|
|
# XXX - Get together with sendmail mantainer to figure out how to
|
|
# better handle SENDMAIL_ENABLE and 3rd party MTAs.
|
|
#
|
|
. /etc/rc.subr
|
|
|
|
name="sendmail"
|
|
desc="Electronic mail transport agent"
|
|
rcvar="sendmail_enable"
|
|
required_files="/etc/mail/${name}.cf"
|
|
start_precmd="sendmail_precmd"
|
|
|
|
: ${sendmail_svcj_options:="net_basic"}
|
|
|
|
load_rc_config $name
|
|
command=${sendmail_program:-/usr/sbin/${name}}
|
|
pidfile=${sendmail_pidfile:-/var/run/${name}.pid}
|
|
procname=${sendmail_procname:-/usr/sbin/${name}}
|
|
|
|
CERTDIR=/etc/mail/certs
|
|
|
|
case ${sendmail_enable} in
|
|
[Nn][Oo][Nn][Ee])
|
|
sendmail_enable="NO"
|
|
sendmail_submit_enable="NO"
|
|
sendmail_outbound_enable="NO"
|
|
sendmail_msp_queue_enable="NO"
|
|
;;
|
|
esac
|
|
|
|
# If sendmail_enable=yes, don't need submit or outbound daemon
|
|
if checkyesno sendmail_enable; then
|
|
sendmail_submit_enable="NO"
|
|
sendmail_outbound_enable="NO"
|
|
fi
|
|
|
|
# If sendmail_submit_enable=yes, don't need outbound daemon
|
|
if checkyesno sendmail_submit_enable; then
|
|
sendmail_outbound_enable="NO"
|
|
fi
|
|
|
|
sendmail_cert_create()
|
|
{
|
|
cnname="${sendmail_cert_cn:-`hostname`}"
|
|
cnname="${cnname:-amnesiac}"
|
|
|
|
# based upon:
|
|
# http://www.sendmail.org/~ca/email/other/cagreg.html
|
|
CAdir=`mktemp -d` &&
|
|
certpass=`(date; ps ax ; hostname) | md5 -q`
|
|
|
|
# make certificate authority
|
|
( cd "$CAdir" &&
|
|
chmod 700 "$CAdir" &&
|
|
mkdir certs crl newcerts &&
|
|
echo "01" > serial &&
|
|
:> index.txt &&
|
|
|
|
cat <<-OPENSSL_CNF > openssl.cnf &&
|
|
RANDFILE = $CAdir/.rnd
|
|
[ ca ]
|
|
default_ca = CA_default
|
|
[ CA_default ]
|
|
dir = .
|
|
certs = \$dir/certs # Where the issued certs are kept
|
|
crl_dir = \$dir/crl # Where the issued crl are kept
|
|
database = \$dir/index.txt # database index file.
|
|
new_certs_dir = \$dir/newcerts # default place for new certs.
|
|
certificate = \$dir/cacert.pem # The CA certificate
|
|
serial = \$dir/serial # The current serial number
|
|
crlnumber = \$dir/crlnumber # the current crl number
|
|
crl = \$dir/crl.pem # The current CRL
|
|
private_key = \$dir/cakey.pem
|
|
x509_extensions = usr_cert # The extensions to add to the cert
|
|
name_opt = ca_default # Subject Name options
|
|
cert_opt = ca_default # Certificate field options
|
|
default_days = 365 # how long to certify for
|
|
default_crl_days= 30 # how long before next CRL
|
|
default_md = default # use public key default MD
|
|
preserve = no # keep passed DN ordering
|
|
policy = policy_anything
|
|
[ policy_anything ]
|
|
countryName = optional
|
|
stateOrProvinceName = optional
|
|
localityName = optional
|
|
organizationName = optional
|
|
organizationalUnitName = optional
|
|
commonName = supplied
|
|
emailAddress = optional
|
|
[ req ]
|
|
default_bits = 2048
|
|
default_keyfile = privkey.pem
|
|
distinguished_name = req_distinguished_name
|
|
attributes = req_attributes
|
|
x509_extensions = v3_ca # The extensions to add to the self signed cert
|
|
string_mask = utf8only
|
|
prompt = no
|
|
[ req_distinguished_name ]
|
|
countryName = XX
|
|
stateOrProvinceName = Some-state
|
|
localityName = Some-city
|
|
0.organizationName = Some-org
|
|
CN = $cnname
|
|
[ req_attributes ]
|
|
challengePassword = foobar
|
|
unstructuredName = An optional company name
|
|
[ usr_cert ]
|
|
basicConstraints=CA:FALSE
|
|
nsComment = "OpenSSL Generated Certificate"
|
|
subjectKeyIdentifier=hash
|
|
authorityKeyIdentifier=keyid,issuer
|
|
[ v3_req ]
|
|
basicConstraints = CA:FALSE
|
|
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
|
[ v3_ca ]
|
|
subjectKeyIdentifier=hash
|
|
authorityKeyIdentifier=keyid:always,issuer
|
|
basicConstraints = CA:true
|
|
OPENSSL_CNF
|
|
|
|
# though we use a password, the key is discarded and never used
|
|
openssl req -batch -passout pass:"$certpass" -new -x509 \
|
|
-keyout cakey.pem -out cacert.pem -days 3650 \
|
|
-config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&
|
|
|
|
# make new certificate
|
|
openssl req -batch -nodes -new -x509 -keyout newkey.pem \
|
|
-out newreq.pem -days 365 -config openssl.cnf \
|
|
-newkey rsa:2048 >/dev/null 2>&1 &&
|
|
|
|
# sign certificate
|
|
openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
|
|
-out tmp.pem >/dev/null 2>&1 &&
|
|
openssl ca -notext -config openssl.cnf \
|
|
-out newcert.pem -keyfile cakey.pem -cert cacert.pem \
|
|
-key "$certpass" -batch -infiles tmp.pem >/dev/null 2>&1 &&
|
|
|
|
mkdir -p "$CERTDIR" &&
|
|
chmod 0755 "$CERTDIR" &&
|
|
chmod 644 newcert.pem cacert.pem &&
|
|
chmod 600 newkey.pem &&
|
|
cp -p newcert.pem "$CERTDIR"/host.cert &&
|
|
cp -p cacert.pem "$CERTDIR"/cacert.pem &&
|
|
cp -p newkey.pem "$CERTDIR"/host.key &&
|
|
ln -s cacert.pem "$CERTDIR"/`openssl x509 -hash -noout \
|
|
-in cacert.pem`.0)
|
|
|
|
retVal="$?"
|
|
rm -rf "$CAdir"
|
|
|
|
return "$retVal"
|
|
}
|
|
|
|
sendmail_precmd()
|
|
{
|
|
# Die if there's pre-8.10 custom configuration file. This check is
|
|
# mandatory for smooth upgrade. See NetBSD PR 10100 for details.
|
|
#
|
|
if checkyesno ${rcvar} && [ -f "/etc/${name}.cf" ]; then
|
|
if ! cmp -s "/etc/mail/${name}.cf" "/etc/${name}.cf"; then
|
|
warn \
|
|
"${name} was not started; you have multiple copies of sendmail.cf."
|
|
return 1
|
|
fi
|
|
fi
|
|
|
|
# check modifications on /etc/mail/aliases
|
|
if checkyesno sendmail_rebuild_aliases; then
|
|
if [ -f "/etc/mail/aliases.db" ]; then
|
|
if [ "/etc/mail/aliases" -nt "/etc/mail/aliases.db" ]; then
|
|
echo \
|
|
"${name}: /etc/mail/aliases newer than /etc/mail/aliases.db, regenerating"
|
|
/usr/bin/newaliases
|
|
fi
|
|
else
|
|
echo \
|
|
"${name}: /etc/mail/aliases.db not present, generating"
|
|
/usr/bin/newaliases
|
|
fi
|
|
fi
|
|
|
|
if checkyesno sendmail_cert_create && [ ! \( \
|
|
-f "$CERTDIR/host.cert" -o -f "$CERTDIR/host.key" -o \
|
|
-f "$CERTDIR/cacert.pem" \) ]; then
|
|
if ! openssl version >/dev/null 2>&1; then
|
|
warn "OpenSSL not available, but sendmail_cert_create is YES."
|
|
else
|
|
info Creating certificate for sendmail.
|
|
sendmail_cert_create
|
|
fi
|
|
fi
|
|
|
|
if [ ! -f /var/log/sendmail.st ]; then
|
|
/usr/bin/install -m 640 -o root -g wheel /dev/null /var/log/sendmail.st
|
|
fi
|
|
}
|
|
|
|
run_rc_command "$1"
|
|
|
|
required_files=
|
|
|
|
if checkyesno sendmail_submit_enable; then
|
|
name="sendmail_submit"
|
|
rcvar="sendmail_submit_enable"
|
|
_rc_restart_done=false
|
|
run_rc_command "$1"
|
|
fi
|
|
|
|
if checkyesno sendmail_outbound_enable; then
|
|
name="sendmail_outbound"
|
|
rcvar="sendmail_outbound_enable"
|
|
_rc_restart_done=false
|
|
run_rc_command "$1"
|
|
fi
|
|
|
|
name="sendmail_msp_queue"
|
|
rcvar="sendmail_msp_queue_enable"
|
|
pidfile="${sendmail_msp_queue_pidfile:-/var/spool/clientmqueue/sm-client.pid}"
|
|
required_files="/etc/mail/submit.cf"
|
|
_rc_restart_done=false
|
|
run_rc_command "$1"
|