| field | value | date |
|---|---|---|
| author | schmonz <schmonz@pkgsrc.org> | 2021-01-14 15:25:22 +0000 |
| committer | schmonz <schmonz@pkgsrc.org> | 2021-01-14 15:25:22 +0000 |
| commit | 7760306e343b980c0faa8b506a2357641cfde6ac (patch) | |
| tree | c5d662a598039bb87af0276e962b4ca716eea051 | |
| parent | aebdd0ca2c52dec857c9293e567e9b729a0d7650 (diff) | |
| download | pkgsrc-7760306e343b980c0faa8b506a2357641cfde6ac.tar.gz | |
Improve TLS setup instructions. Bump PKGREVISION.
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | mail/qmail/Makefile | 4 |
| -rw-r--r-- | mail/qmail/files/README.pkgsrc | 4 |
| -rw-r--r-- | mail/qmail/files/README.tls | 39 |
| -rw-r--r-- | mail/qmail/options.mk | 4 |

4 files changed, 28 insertions, 23 deletions
diff --git a/mail/qmail/Makefile b/mail/qmail/Makefile index 559e1d0bd43..32c6d8727a0 100644 --- a/mail/qmail/Makefile +++ b/mail/qmail/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.123 2020/11/19 09:35:42 schmonz Exp $ +# $NetBSD: Makefile,v 1.124 2021/01/14 15:25:22 schmonz Exp $ # DISTNAME= notqmail-1.08 PKGNAME= qmail-1.03 -PKGREVISION= 49 +PKGREVISION= 50 CATEGORIES= mail MASTER_SITES= ${MASTER_SITE_GITHUB:=notqmail/} GITHUB_PROJECT= notqmail diff --git a/mail/qmail/files/README.pkgsrc b/mail/qmail/files/README.pkgsrc index 1f52ecfe0cc..a3df7db017a 100644 --- a/mail/qmail/files/README.pkgsrc +++ b/mail/qmail/files/README.pkgsrc @@ -12,7 +12,7 @@ Otherwise, run this command as root: Getting help ============ -You've installed an automated and customized qmail package. If +You've installed an automated and customized notqmail package. If you're having trouble with it, ask the package's maintainer: <URL:mailto:schmonz-pkgsrc-qmail@schmonz.com> @@ -29,7 +29,7 @@ mention: * that you installed @PKGNAME@ from pkgsrc, * the output of "@PKG_INFO@ -B @PKGNAME@ | @GREP@ ^QMAIL", and -* how you're running (or trying to run) the qmail daemons. +* how you're running (or trying to run) the notqmail daemons. If you can first reproduce your problem on a manual LWQ-style installation, your request for help is likely to be better received. diff --git a/mail/qmail/files/README.tls b/mail/qmail/files/README.tls index a6351d9e43e..f5246e5aa4f 100644 --- a/mail/qmail/files/README.tls +++ b/mail/qmail/files/README.tls 
@@ -1,32 +1,37 @@ Configuring TLS =============== -You've applied a Transport Layer Security patch to your qmail installation. -It is documented more fully by its author here: +notqmail does not yet ship with native support for TLS encryption. This +notqmail package enables outbound TLS via a patch: <URL:https://schmonz.com/qmail/tlsonlyremote/> +To enable TLS for incoming mail, message submission, and POP3, install +the qmail-run package. It includes these add-on programs: -For qmail to opportunistically encrypt incoming mail, and to require -encryption before authentication for submitted messages, first obtain a -certificate (e.g., from Let's Encrypt), make it available as -@SERVERCERT@, and apply these permissions: +<URL:https://schmonz.com/qmail/acceptutils/> -# chmod 640 @SERVERCERT@ -# chown @QMAIL_DAEMON_USER@:@QMAIL_QMAIL_GROUP@ @SERVERCERT@ +With qmail-run installed, follow these steps: -Generate DH params: +1. Obtain a certificate (e.g., from Let's Encrypt), make it available as + @SERVERCERT@, and apply these permissions: -# update_tmprsadh + # chown @QMAIL_DAEMON_USER@:@QMAIL_QMAIL_GROUP@ @SERVERCERT@ + # chmod 640 @SERVERCERT@ -Have cron(8) regularly regenerate them: +2. If your cert's private key is in a separate file, make it available as + @SERVERKEY@ (same permissions). - 01 01 * * * @PREFIX@/bin/update_tmprsadh > /dev/null 2>&1 +3. Use the same cert for your server's connections to other servers: -Then install the qmail-run package and use its qmailsmtpd and -qmailofmipd rc.d scripts. + # ln -s @SERVERCERT@ \ + @CLIENTCERT@ -For qmail to opportunistically encrypt outgoing mail, use the same -certificate: +4. Generate initial Diffie-Hellman parameters: -# ln -s @SERVERCERT@ @CLIENTCERT@ + # @PREFIX@/bin/update_tmprsadh + +5. Arrange for update_tmprsadh to be run regularly from cron(8), + /etc/security.local, or similar. + +Then start your TLS-enabled notqmail using qmail-run's rc.d scripts. 
diff --git a/mail/qmail/options.mk b/mail/qmail/options.mk index d4b01f8bd00..4bb9f19ae21 100644 --- a/mail/qmail/options.mk +++ b/mail/qmail/options.mk @@ -1,4 +1,4 @@ -# $NetBSD: options.mk,v 1.69 2020/05/23 20:50:02 schmonz Exp $ +# $NetBSD: options.mk,v 1.70 2021/01/14 15:25:22 schmonz Exp $ PKG_OPTIONS_VAR= PKG_OPTIONS.qmail PKG_SUPPORTED_OPTIONS+= eai inet6 pam syncdir tai-system-clock tls @@ -98,8 +98,8 @@ SUBST_SED.tmprsadh= -e 's|^export PATH=.*||' SUBST_SED.tmprsadh+= -e 's|^openssl |${OPENSSL} |' READMES+= README.tls SUBST_VARS.paths+= OPENSSL QMAIL_DAEMON_USER QMAIL_QMAIL_GROUP -SUBST_VARS.paths+= OPENSSL SERVERCERT CLIENTCERT SUBST_SED.paths+= -e 's|@SERVERCERT@|${PKG_SYSCONFDIR:Q}/control/servercert.pem|g' +SUBST_SED.paths+= -e 's|@SERVERKEY@|${PKG_SYSCONFDIR:Q}/control/serverkey.pem|g' SUBST_SED.paths+= -e 's|@CLIENTCERT@|${PKG_SYSCONFDIR:Q}/control/clientcert.pem|g' DEPENDS+= ucspi-ssl>=0.999.10.11nb2:../../net/ucspi-ssl .else |
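Review bot: in the README.pkgsrc hunks the text now speaks of "the notqmail package" and "the notqmail daemons", but the package is still installed as qmail-1.03 (PKGNAME in the Makefile hunk) and the diagnostic line still asks for `@PKG_INFO@ -B @PKGNAME@ | @GREP@ ^QMAIL`, so a user searching pkg_info for "notqmail" will find nothing. Say "notqmail (installed as the pkgsrc qmail package)" on first mention so the name in the text matches the name users actually see.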
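Review bot: step 5 of the new README.tls loses the concrete schedule; the removed text gave a ready-to-paste crontab entry, `01 01 * * * @PREFIX@/bin/update_tmprsadh > /dev/null 2>&1`, whereas the replacement only says "from cron(8), /etc/security.local, or similar". Keep one example line in the step, otherwise the one-off run in step 4 is easy to treat as sufficient and the Diffie-Hellman parameters are never rotated. Minor: the step-1 order (chown before chmod) and the 640 mode carried over to @SERVERKEY@ in step 2 are sensible for a private key readable only by the daemon user and the qmail group.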
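Review bot: a `@SERVERKEY@` substitution is added but no `@CLIENTKEY@` counterpart, while README.tls step 2 now lets the private key live in a separate @SERVERKEY@ file and step 3 then symlinks only the certificate to @CLIENTCERT@. Either state in README.tls that @CLIENTCERT@ must contain certificate and key together, or add and document a client key path here, because a user following the steps literally ends up with a clientcert.pem that points at a certificate without its key. The removal of `SUBST_VARS.paths+= OPENSSL SERVERCERT CLIENTCERT` is fine: OPENSSL is already listed on the preceding SUBST_VARS.paths line and the other two tokens are handled by the explicit SUBST_SED.paths entries that remain.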