From owner-svn-src-all@FreeBSD.ORG Sat Oct 19 18:51:08 2013 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id E2ABC74E; Sat, 19 Oct 2013 18:51:07 +0000 (UTC) (envelope-from jmg@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id CE6722AED; Sat, 19 Oct 2013 18:51:07 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r9JIp7aW024834; Sat, 19 Oct 2013 18:51:07 GMT (envelope-from jmg@svn.freebsd.org) Received: (from jmg@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id r9JIp7j9024830; Sat, 19 Oct 2013 18:51:07 GMT (envelope-from jmg@svn.freebsd.org) Message-Id: <201310191851.r9JIp7j9024830@svn.freebsd.org> From: John-Mark Gurney Date: Sat, 19 Oct 2013 18:51:07 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r256773 - in head: etc/defaults etc/rc.d etc/sendmail share/man/man8 X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 19 Oct 2013 18:51:08 -0000 Author: jmg Date: Sat Oct 19 18:51:06 2013 New Revision: 256773 URL: http://svnweb.freebsd.org/changeset/base/256773 Log: Enable the automatic creation of a certificate (if one does not exists) and enable the usage by sendmail if sendmail is enabled. Include and document knobs to disable this feature and also set the Common Name of the certificate created. As the certificate is signed w/ a discarded key, it only helps prevent Eve, but not Malory from knowing the contents of the emails. This means that new installs (and people that use the updated freebsd.mc file) will automaticly have STARTTLS enabled allowing incoming email to be encrypted in most cases. Reviewed by: gshapiro MFC after: 3 days Security: Yes, please. Modified: head/etc/defaults/rc.conf head/etc/rc.d/sendmail head/etc/sendmail/freebsd.mc head/share/man/man8/rc.sendmail.8 Modified: head/etc/defaults/rc.conf ============================================================================== --- head/etc/defaults/rc.conf Sat Oct 19 18:13:32 2013 (r256772) +++ head/etc/defaults/rc.conf Sat Oct 19 18:51:06 2013 (r256773) @@ -573,6 +573,8 @@ sendmail_enable="NO" # Run the sendmail sendmail_pidfile="/var/run/sendmail.pid" # sendmail pid file sendmail_procname="/usr/sbin/sendmail" # sendmail process name sendmail_flags="-L sm-mta -bd -q30m" # Flags to sendmail (as a server) +sendmail_cert_create="YES" # Create a server certificate if none (YES/NO) +#sendmail_cert_cn="CN" # CN of the generate certificate sendmail_submit_enable="YES" # Start a localhost-only MTA for mail submission sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost" # Flags for localhost-only MTA Modified: head/etc/rc.d/sendmail ============================================================================== --- head/etc/rc.d/sendmail Sat Oct 19 18:13:32 2013 (r256772) +++ head/etc/rc.d/sendmail Sat Oct 19 18:51:06 2013 (r256773) @@ -24,6 +24,8 @@ command=${sendmail_program:-/usr/sbin/${ pidfile=${sendmail_pidfile:-/var/run/${name}.pid} procname=${sendmail_procname:-/usr/sbin/${name}} +CERTDIR=/etc/mail/certs + case ${sendmail_enable} in [Nn][Oo][Nn][Ee]) sendmail_enable="NO" @@ -44,6 +46,118 @@ if checkyesno sendmail_submit_enable; th sendmail_outbound_enable="NO" fi +sendmail_cert_create() +{ + cnname="${sendmail_cert_cn:-`hostname`}" + cnname="${cnname:-amnesiac}" + + # based upon: + # http://www.sendmail.org/~ca/email/other/cagreg.html + CAdir=`mktemp -d` && + certpass=`(date; ps ax ; hostname) | md5 -q` + + # make certificate authority + ( cd "$CAdir" && + chmod 700 "$CAdir" && + mkdir certs crl newcerts && + echo "01" > serial && + :> index.txt && + + cat <<-OPENSSL_CNF > openssl.cnf && + RANDFILE = $CAdir/.rnd + [ ca ] + default_ca = CA_default + [ CA_default ] + dir = . + certs = \$dir/certs # Where the issued certs are kept + crl_dir = \$dir/crl # Where the issued crl are kept + database = \$dir/index.txt # database index file. + new_certs_dir = \$dir/newcerts # default place for new certs. + certificate = \$dir/cacert.pem # The CA certificate + serial = \$dir/serial # The current serial number + crlnumber = \$dir/crlnumber # the current crl number + crl = \$dir/crl.pem # The current CRL + private_key = \$dir/cakey.pem + x509_extensions = usr_cert # The extentions to add to the cert + name_opt = ca_default # Subject Name options + cert_opt = ca_default # Certificate field options + default_days = 365 # how long to certify for + default_crl_days= 30 # how long before next CRL + default_md = default # use public key default MD + preserve = no # keep passed DN ordering + policy = policy_anything + [ policy_anything ] + countryName = optional + stateOrProvinceName = optional + localityName = optional + organizationName = optional + organizationalUnitName = optional + commonName = supplied + emailAddress = optional + [ req ] + default_bits = 2048 + default_keyfile = privkey.pem + distinguished_name = req_distinguished_name + attributes = req_attributes + x509_extensions = v3_ca # The extentions to add to the self signed cert + string_mask = utf8only + prompt = no + [ req_distinguished_name ] + countryName = XX + stateOrProvinceName = Some-state + localityName = Some-city + 0.organizationName = Some-org + CN = $cnname + [ req_attributes ] + challengePassword = foobar + unstructuredName = An optional company name + [ usr_cert ] + basicConstraints=CA:FALSE + nsComment = "OpenSSL Generated Certificate" + subjectKeyIdentifier=hash + authorityKeyIdentifier=keyid,issuer + [ v3_req ] + basicConstraints = CA:FALSE + keyUsage = nonRepudiation, digitalSignature, keyEncipherment + [ v3_ca ] + subjectKeyIdentifier=hash + authorityKeyIdentifier=keyid:always,issuer + basicConstraints = CA:true + OPENSSL_CNF + + # though we use a password, the key is discarded and never used + openssl req -batch -passout pass:"$certpass" -new -x509 \ + -keyout cakey.pem -out cacert.pem -days 3650 \ + -config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 && + + # make new certificate + openssl req -batch -nodes -new -x509 -keyout newkey.pem \ + -out newreq.pem -days 365 -config openssl.cnf \ + -newkey rsa:2048 >/dev/null 2>&1 && + + # sign certificate + openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \ + -out tmp.pem >/dev/null 2>&1 && + openssl ca -notext -config openssl.cnf \ + -out newcert.pem -keyfile cakey.pem -cert cacert.pem \ + -key "$certpass" -batch -infiles tmp.pem >/dev/null 2>&1 && + + mkdir -p "$CERTDIR" && + chmod 0755 "$CERTDIR" && + chmod 644 newcert.pem cacert.pem && + chmod 600 newkey.pem && + cp -p newcert.pem "$CERTDIR"/host.cert && + cp -p cacert.pem "$CERTDIR"/cacert.pem && + cp -p newkey.pem "$CERTDIR"/host.key && + ln -s cacert.pem "$CERTDIR"/`openssl x509 -hash -noout \ + -in cacert.pem`.0) + + retVal="$?" + rm -rf "$CAdir" + + return "$retVal" +} + sendmail_precmd() { # Die if there's pre-8.10 custom configuration file. This check is @@ -71,6 +185,17 @@ sendmail_precmd() /usr/bin/newaliases fi fi + + if checkyesno sendmail_cert_create && [ ! \( \ + -f "$CERTDIR/host.cert" -o -f "$CERTDIR/host.key" -o \ + -f "$CERTDIR/cacert.pem" \) ]; then + if ! openssl version >/dev/null 2>&1; then + warn "OpenSSL not available, but sendmail_cert_create is YES." + else + info Creating certificate for sendmail. + sendmail_cert_create + fi + fi } run_rc_command "$1" Modified: head/etc/sendmail/freebsd.mc ============================================================================== --- head/etc/sendmail/freebsd.mc Sat Oct 19 18:13:32 2013 (r256772) +++ head/etc/sendmail/freebsd.mc Sat Oct 19 18:51:06 2013 (r256773) @@ -42,6 +42,11 @@ divert(-1) # /usr/share/sendmail/cf/README or # /usr/src/contrib/sendmail/cf/README # +# +# NOTE: If you enable RunAsUser, make sure that you adjust the permissions +# and owner of the SSL certificates and keys in /etc/mail/certs to be usable +# by that user. +# divert(0) VERSIONID(`$FreeBSD$') @@ -54,6 +59,16 @@ FEATURE(local_lmtp) FEATURE(mailertable, `hash -o /etc/mail/mailertable') FEATURE(virtusertable, `hash -o /etc/mail/virtusertable') +dnl Enable STARTTLS for receiving email. +define(`CERT_DIR', `/etc/mail/certs')dnl +define(`confSERVER_CERT', `CERT_DIR/host.cert')dnl +define(`confSERVER_KEY', `CERT_DIR/host.key')dnl +define(`confCLIENT_CERT', `CERT_DIR/host.cert')dnl +define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl +define(`confCACERT', `CERT_DIR/cacert.pem')dnl +define(`confCACERT_PATH', `CERT_DIR')dnl +define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl + dnl Uncomment to allow relaying based on your MX records. dnl NOTE: This can allow sites to use your server as a backup MX without dnl your permission. Modified: head/share/man/man8/rc.sendmail.8 ============================================================================== --- head/share/man/man8/rc.sendmail.8 Sat Oct 19 18:13:32 2013 (r256772) +++ head/share/man/man8/rc.sendmail.8 Sat Oct 19 18:51:06 2013 (r256773) @@ -26,7 +26,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 30, 2002 +.Dd October 19, 2013 .Dt RC.SENDMAIL 8 .Os .Sh NAME @@ -119,6 +119,42 @@ The .Dq Li NONE option is deprecated and should not be used. It will be removed in a future release. +.It Va sendmail_cert_create +.Pq Vt str +If +.Va sendmail_enable +is set to +.Dq Li YES , +create a signed certificate +.Pa /etc/mail/certs/host.cert +representing +.Pa /etc/mail/certs/host.key +by the CA certificate in +.Pa /etc/mail/certs/cacert.pem . +This will enable connecting hosts to negotiate STARTTLS allowing incoming +email to be encrypted in transit. +.Xr sendmail 8 +needs to be configured to use these generated files. +The default configuration in +.Pa /etc/mail/freebsd.mc +has the required options in it. +.It Va sendmail_cert_cn +.Pq Vt str +If +.Va sendmail_enable +is set to +.Dq Li YES +and +.Va sendmail_cert_create +is set to +.Dq Li YES , +this is the Common Name (CN) of the certificate that will be created. +If +.Va sendmail_cert_cn +is not set, the system's hostname will be used. +If there is no hostname set, +.Dq Li amnesiac +will be used. .It Va sendmail_flags .Pq Vt str If