diff options
author | schmonz <schmonz@pkgsrc.org> | 2018-11-08 20:57:28 +0000 |
---|---|---|
committer | schmonz <schmonz@pkgsrc.org> | 2018-11-08 20:57:28 +0000 |
commit | 6fb46f3a47ad7ad387d4ecc6b87e62c668d33432 (patch) | |
tree | 59bda3c2a241f9a4e0212295b57d6f6b5e80d439 /mail/qmail-run | |
parent | 82d4f1c5603182f40b23a3981beb1f46284b9c85 (diff) | |
download | pkgsrc-6fb46f3a47ad7ad387d4ecc6b87e62c668d33432.tar.gz |
Bump acceptutils dependency to get STARTTLS support in fixsmtpio(8)
(obviating the need for qmail-smtpd(8) to be patched to link OpenSSL).
Make TLS configurable for submission, POP3, and now also incoming SMTP:
- "yes" (startup will fail if cert or DH params are missing)
- "no" (even if they're present, don't offer TLS)
- "auto" (the default: offer TLS iff they're present)
Mention TLS setup in MESSAGE.
Delay SMTP greeting by 2 seconds. Enable zen.spamhaus.org RBL.
Bump version.
Diffstat (limited to 'mail/qmail-run')
-rw-r--r-- | mail/qmail-run/MESSAGE | 7 | ||||
-rw-r--r-- | mail/qmail-run/Makefile | 7 | ||||
-rw-r--r-- | mail/qmail-run/files/fixsmtpio | 6 | ||||
-rw-r--r-- | mail/qmail-run/files/qmailofmipd.sh | 35 | ||||
-rw-r--r-- | mail/qmail-run/files/qmailpop3d.sh | 35 | ||||
-rw-r--r-- | mail/qmail-run/files/qmailsmtpd.sh | 46 | ||||
-rw-r--r-- | mail/qmail-run/files/tcp.ofmip | 2 | ||||
-rw-r--r-- | mail/qmail-run/files/tcp.smtp | 2 |
8 files changed, 109 insertions, 31 deletions
diff --git a/mail/qmail-run/MESSAGE b/mail/qmail-run/MESSAGE index a8c64502475..b5cebff905b 100644 --- a/mail/qmail-run/MESSAGE +++ b/mail/qmail-run/MESSAGE @@ -1,5 +1,5 @@ =========================================================================== -$NetBSD: MESSAGE,v 1.11 2018/10/28 15:01:57 schmonz Exp $ +$NetBSD: MESSAGE,v 1.12 2018/11/08 20:57:28 schmonz Exp $ Please read ${PREFIX}/share/doc/qmail-run/README.pkgsrc. @@ -19,7 +19,7 @@ Incoming SMTP deliveries: - Optionally list qmail-rcptcheck programs in control/rcptchecks. - Optionally list qmail-qfilter programs in control/smtpfilters. -Outgoing submissions with SMTP AUTH over TLS: +Outgoing authentication-only submission: - Set qmailofmipd=YES in /etc/rc.conf. - Optionally list qmail-qfilter programs in control/ofmipfilters. @@ -29,4 +29,7 @@ User-controlled ofmipd address rewriting: Fetching Maildirs via POP3: - Set qmailpop3d=YES in /etc/rc.conf. +TLS for incoming and outgoing SMTP, submission, and POP3: +- Create cert and DH params as instructed by the qmail package. + =========================================================================== diff --git a/mail/qmail-run/Makefile b/mail/qmail-run/Makefile index f1f2f32acf0..727d7fdfd82 100644 --- a/mail/qmail-run/Makefile +++ b/mail/qmail-run/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.54 2018/11/03 17:08:26 schmonz Exp $ +# $NetBSD: Makefile,v 1.55 2018/11/08 20:57:28 schmonz Exp $ # -DISTNAME= qmail-run-20181103 +DISTNAME= qmail-run-20181108 CATEGORIES= mail MASTER_SITES= # empty DISTFILES= # empty @@ -10,10 +10,11 @@ MAINTAINER= schmonz@NetBSD.org COMMENT= Configures qmail to receive and deliver mail LICENSE= 2-clause-bsd +DEPENDS+= greetdelay-[0-9]*:../../mail/greetdelay DEPENDS+= pkg_alternatives-[0-9]*:../../pkgtools/pkg_alternatives DEPENDS_QMAIL= qmail>=1.03nb36:../../mail/qmail DEPENDS+= ${DEPENDS_QMAIL} -DEPENDS+= qmail-acceptutils>=20181027:../../mail/qmail-acceptutils +DEPENDS+= qmail-acceptutils>=20181108:../../mail/qmail-acceptutils DEPENDS+= qmail-qfilter>1.5nb1:../../mail/qmail-qfilter DEPENDS+= qmail-rejectutils-[0-9]*:../../mail/qmail-rejectutils diff --git a/mail/qmail-run/files/fixsmtpio b/mail/qmail-run/files/fixsmtpio index 53e8e66ce71..7db027bf856 100644 --- a/mail/qmail-run/files/fixsmtpio +++ b/mail/qmail-run/files/fixsmtpio @@ -30,10 +30,6 @@ AUTHUP_USER:greeting::5*:15:&fixsmtpio_noop # If server times out, hide message, and tell authup to stop trying AUTHUP_USER:timeout::*:16: -# Don't permit server to advertise further AUTH or STARTTLS +# Don't permit server to advertise or respond to further AUTH AUTHUP_USER:ehlo::250?AUTH*:: -AUTHUP_USER:ehlo::250?STARTTLS:: - -# Don't permit client to initiate further AUTH or STARTTLS AUTHUP_USER:auth:NOOP :*::502 unimplemented (#5.5.1) -AUTHUP_USER:starttls:NOOP :*::502 unimplemented (#5.5.1) diff --git a/mail/qmail-run/files/qmailofmipd.sh b/mail/qmail-run/files/qmailofmipd.sh index 71e142a0210..0dec1405574 100644 --- a/mail/qmail-run/files/qmailofmipd.sh +++ b/mail/qmail-run/files/qmailofmipd.sh @@ -1,6 +1,6 @@ #!@RCD_SCRIPTS_SHELL@ # -# $NetBSD: qmailofmipd.sh,v 1.14 2018/11/03 17:08:26 schmonz Exp $ +# $NetBSD: qmailofmipd.sh,v 1.15 2018/11/08 20:57:28 schmonz Exp $ # # @PKGNAME@ script to control ofmipd (SMTP submission service). # @@ -11,7 +11,7 @@ name="qmailofmipd" # User-settable rc.conf variables and their default values: -: ${qmailofmipd_postenv:="SSL_UID=$(@ID@ -u @UCSPI_SSL_USER@) SSL_GID=$(@ID@ -g @UCSPI_SSL_GROUP@) DHFILE=@PKG_SYSCONFDIR@/control/dh2048.pem CERTFILE=@PKG_SYSCONFDIR@/control/servercert.pem"} +: ${qmailofmipd_postenv:="SSL_UID=$(@ID@ -u @UCSPI_SSL_USER@) SSL_GID=$(@ID@ -g @UCSPI_SSL_GROUP@)"} : ${qmailofmipd_tcpflags:="-ne -vRl0"} : ${qmailofmipd_tcphost:="0.0.0.0"} : ${qmailofmipd_tcpport:="587"} @@ -25,15 +25,16 @@ name="qmailofmipd" : ${qmailofmipd_log:="YES"} : ${qmailofmipd_logcmd:="logger -t nbqmail/ofmipd -p mail.info"} : ${qmailofmipd_nologcmd:="@PREFIX@/bin/multilog -*"} +: ${qmailofmipd_tls:="auto"} +: ${qmailofmipd_tls_dhparams:="@PKG_SYSCONFDIR@/control/dh2048.pem"} +: ${qmailofmipd_tls_cert:="@PKG_SYSCONFDIR@/control/servercert.pem"} if [ -f /etc/rc.subr ]; then . /etc/rc.subr fi rcvar=${name} -required_files="@PKG_SYSCONFDIR@/control/dh2048.pem" -required_files="${required_files} @PKG_SYSCONFDIR@/control/servercert.pem" -required_files="${required_files} @PKG_SYSCONFDIR@/control/me" +required_files="@PKG_SYSCONFDIR@/control/me" required_files="${required_files} @PKG_SYSCONFDIR@/control/concurrencysubmission" required_files="${required_files} @PKG_SYSCONFDIR@/control/rcpthosts" required_files="${required_files} @PKG_SYSCONFDIR@/control/smtpcapabilities" @@ -49,11 +50,35 @@ cont_cmd="qmailofmipd_cont" cdb_cmd="qmailofmipd_cdb" reload_cmd=${cdb_cmd} +qmailofmipd_configure_tls() { + if [ "auto" = "${qmailofmipd_tls}" ]; then + if [ -f "${qmailofmipd_tls_dhparams}" ] && [ -f "${qmailofmipd_tls_cert}" ]; then + qmailofmipd_enable_tls + else + qmailofmipd_disable_tls + fi + elif [ -f /etc/rc.subr ] && checkyesno qmailofmipd_tls; then + qmailofmipd_enable_tls + else + qmailofmipd_disable_tls + fi +} + +qmailofmipd_disable_tls() { + qmailofmipd_postenv="${qmailofmipd_postenv} DISABLETLS=1" +} + +qmailofmipd_enable_tls() { + qmailofmipd_postenv="${qmailofmipd_postenv} DHFILE=${qmailofmipd_tls_dhparams}" + qmailofmipd_postenv="${qmailofmipd_postenv} CERTFILE=${qmailofmipd_tls_cert}" +} + qmailofmipd_precmd() { if [ -f /etc/rc.subr ] && ! checkyesno qmailofmipd_log; then qmailofmipd_logcmd=${qmailofmipd_nologcmd} fi + qmailofmipd_configure_tls # tcpserver(1) is akin to inetd(8), but runs one service per process. # We want to signal only the tcpserver process responsible for this # service. Use argv0(1) to set procname to "nbqmailofmipd". diff --git a/mail/qmail-run/files/qmailpop3d.sh b/mail/qmail-run/files/qmailpop3d.sh index e2f515561ef..28a27c4baa1 100644 --- a/mail/qmail-run/files/qmailpop3d.sh +++ b/mail/qmail-run/files/qmailpop3d.sh @@ -1,6 +1,6 @@ #!@RCD_SCRIPTS_SHELL@ # -# $NetBSD: qmailpop3d.sh,v 1.23 2018/11/03 17:08:26 schmonz Exp $ +# $NetBSD: qmailpop3d.sh,v 1.24 2018/11/08 20:57:28 schmonz Exp $ # # @PKGNAME@ script to control qmail-pop3d (POP3 server for Maildirs). # @@ -10,7 +10,7 @@ name="qmailpop3d" # User-settable rc.conf variables and their default values: -: ${qmailpop3d_postenv:="SSL_UID=$(@ID@ -u @UCSPI_SSL_USER@) SSL_GID=$(@ID@ -g @UCSPI_SSL_GROUP@) DHFILE=@PKG_SYSCONFDIR@/control/dh2048.pem CERTFILE=@PKG_SYSCONFDIR@/control/servercert.pem"} +: ${qmailpop3d_postenv:="SSL_UID=$(@ID@ -u @UCSPI_SSL_USER@) SSL_GID=$(@ID@ -g @UCSPI_SSL_GROUP@)"} : ${qmailpop3d_tcpflags:="-ne -vRl0"} : ${qmailpop3d_tcphost:="0.0.0.0"} : ${qmailpop3d_tcpport:="110"} @@ -24,15 +24,16 @@ name="qmailpop3d" : ${qmailpop3d_log:="YES"} : ${qmailpop3d_logcmd:="logger -t nbqmail/pop3d -p mail.info"} : ${qmailpop3d_nologcmd:="@PREFIX@/bin/multilog -*"} +: ${qmailpop3d_tls:="auto"} +: ${qmailpop3pd_tls_dhparams:="@PKG_SYSCONFDIR@/control/dh2048.pem"} +: ${qmailpop3pd_tls_cert:="@PKG_SYSCONFDIR@/control/servercert.pem"} if [ -f /etc/rc.subr ]; then . /etc/rc.subr fi rcvar=${name} -required_files="@PKG_SYSCONFDIR@/control/dh2048.pem" -required_files="${required_files} @PKG_SYSCONFDIR@/control/servercert.pem" -required_files="${required_files} @PKG_SYSCONFDIR@/control/me" +required_files="@PKG_SYSCONFDIR@/control/me" required_files="${required_files} @PKG_SYSCONFDIR@/control/concurrencypop3" required_files="${required_files} @PKG_SYSCONFDIR@/control/pop3capabilities" required_files="${required_files} @PKG_SYSCONFDIR@/tcp.pop3.cdb" @@ -46,11 +47,35 @@ cont_cmd="qmailpop3d_cont" cdb_cmd="qmailpop3d_cdb" reload_cmd=${cdb_cmd} +qmailpop3d_configure_tls() { + if [ "auto" = "${qmailpop3d_tls}" ]; then + if [ -f "${qmailpop3d_tls_dhparams}" ] && [ -f "${qmailpop3d_tls_cert}" ]; then + qmailpop3d_enable_tls + else + qmailpop3d_disable_tls + fi + elif [ -f /etc/rc.subr ] && checkyesno qmailpop3d_tls; then + qmailpop3d_enable_tls + else + qmailpop3d_disable_tls + fi +} + +qmailpop3d_disable_tls() { + qmailpop3d_postenv="${qmailpop3d_postenv} DISABLETLS=1" +} + +qmailpop3d_enable_tls() { + qmailpop3d_postenv="${qmailpop3d_postenv} DHFILE=${qmailpop3d_tls_dhparams}" + qmailpop3d_postenv="${qmailpop3d_postenv} CERTFILE=${qmailpop3d_tls_cert}" +} + qmailpop3d_precmd() { if [ -f /etc/rc.subr ] && ! checkyesno qmailpop3d_log; then qmailpop3d_logcmd=${qmailpop3d_nologcmd} fi + qmailpop3d_configure_tls # tcpserver(1) is akin to inetd(8), but runs one service per process. # We want to signal only the tcpserver process responsible for this # service. Use argv0(1) to set procname to "nbqmailpop3d". diff --git a/mail/qmail-run/files/qmailsmtpd.sh b/mail/qmail-run/files/qmailsmtpd.sh index 8507b271e7a..96e0fdad141 100644 --- a/mail/qmail-run/files/qmailsmtpd.sh +++ b/mail/qmail-run/files/qmailsmtpd.sh @@ -1,6 +1,6 @@ #!@RCD_SCRIPTS_SHELL@ # -# $NetBSD: qmailsmtpd.sh,v 1.19 2018/11/03 17:08:26 schmonz Exp $ +# $NetBSD: qmailsmtpd.sh,v 1.20 2018/11/08 20:57:28 schmonz Exp $ # # @PKGNAME@ script to control qmail-smtpd (SMTP service). # @@ -11,28 +11,32 @@ name="qmailsmtpd" # User-settable rc.conf variables and their default values: -: ${qmailsmtpd_postenv:=""} -: ${qmailsmtpd_tcpflags:="-vRl0"} -: ${qmailsmtpd_tcphost:="0"} +: ${qmailsmtpd_postenv:="SSL_UID=$(@ID@ -u @UCSPI_SSL_USER@) SSL_GID=$(@ID@ -g @UCSPI_SSL_GROUP@)"} +: ${qmailsmtpd_tcpflags:="-ne -vRl0"} +: ${qmailsmtpd_tcphost:="0.0.0.0"} : ${qmailsmtpd_tcpport:="25"} -: ${qmailsmtpd_datalimit:="180000000"} +: ${qmailsmtpd_datalimit:="360000000"} : ${qmailsmtpd_pretcpserver:=""} -: ${qmailsmtpd_tcpserver:="@PREFIX@/bin/tcpserver"} -: ${qmailsmtpd_presmtpd:=""} +: ${qmailsmtpd_tcpserver:="@PREFIX@/bin/sslserver"} +: ${qmailsmtpd_presmtpd:="@PREFIX@/bin/greetdelay @PREFIX@/bin/rblsmtpd -r zen.spamhaus.org @PREFIX@/bin/fixsmtpio"} : ${qmailsmtpd_smtpdcmd:="@PREFIX@/bin/qmail-smtpd"} : ${qmailsmtpd_postsmtpd:=""} : ${qmailsmtpd_log:="YES"} : ${qmailsmtpd_logcmd:="logger -t nbqmail/smtpd -p mail.info"} : ${qmailsmtpd_nologcmd:="@PREFIX@/bin/multilog -*"} +: ${qmailsmtpd_tls:="auto"} +: ${qmailsmtpd_tls_dhparams:="@PKG_SYSCONFDIR@/control/dh2048.pem"} +: ${qmailsmtpd_tls_cert:="@PKG_SYSCONFDIR@/control/servercert.pem"} if [ -f /etc/rc.subr ]; then . /etc/rc.subr fi rcvar=${name} -required_files="@PKG_SYSCONFDIR@/control/concurrencyincoming" -required_files="${required_files} @PKG_SYSCONFDIR@/tcp.smtp.cdb" +required_files="@PKG_SYSCONFDIR@/control/me" +required_files="${required_files} @PKG_SYSCONFDIR@/control/concurrencyincoming" required_files="${required_files} @PKG_SYSCONFDIR@/control/rcpthosts" +required_files="${required_files} @PKG_SYSCONFDIR@/tcp.smtp.cdb" command="${qmailsmtpd_tcpserver}" procname=nb${name} start_precmd="qmailsmtpd_precmd" @@ -43,11 +47,35 @@ cont_cmd="qmailsmtpd_cont" cdb_cmd="qmailsmtpd_cdb" reload_cmd=${cdb_cmd} +qmailsmtpd_configure_tls() { + if [ "auto" = "${qmailsmtpd_tls}" ]; then + if [ -f "${qmailsmtpd_tls_dhparams}" ] && [ -f "${qmailsmtpd_tls_cert}" ]; then + qmailsmtpd_enable_tls + else + qmailsmtpd_disable_tls + fi + elif [ -f /etc/rc.subr ] && checkyesno qmailsmtpd_tls; then + qmailsmtpd_enable_tls + else + qmailsmtpd_disable_tls + fi +} + +qmailsmtpd_disable_tls() { + qmailsmtpd_postenv="${qmailsmtpd_postenv} DISABLETLS=1" +} + +qmailsmtpd_enable_tls() { + qmailsmtpd_postenv="${qmailsmtpd_postenv} DHFILE=${qmailsmtpd_tls_dhparams}" + qmailsmtpd_postenv="${qmailsmtpd_postenv} CERTFILE=${qmailsmtpd_tls_cert}" +} + qmailsmtpd_precmd() { if [ -f /etc/rc.subr ] && ! checkyesno qmailsmtpd_log; then qmailsmtpd_logcmd=${qmailsmtpd_nologcmd} fi + qmailsmtpd_configure_tls # tcpserver(1) is akin to inetd(8), but runs one service per process. # We want to signal only the tcpserver process responsible for this # service. Use argv0(1) to set procname to "nbqmailsmtpd". diff --git a/mail/qmail-run/files/tcp.ofmip b/mail/qmail-run/files/tcp.ofmip index e0cc6aaab63..26c50f373b9 100644 --- a/mail/qmail-run/files/tcp.ofmip +++ b/mail/qmail-run/files/tcp.ofmip @@ -1 +1 @@ -:allow,QMAILQUEUE="@PREFIX@/bin/qmail-qfilter-ofmipd-queue",UCSPITLS="!",PYMSGAUTH_TOLERATE_UNCONFIGURED="1" +:allow,UCSPITLS="!",QMAILQUEUE="@PREFIX@/bin/qmail-qfilter-ofmipd-queue",PYMSGAUTH_TOLERATE_UNCONFIGURED="1" diff --git a/mail/qmail-run/files/tcp.smtp b/mail/qmail-run/files/tcp.smtp index 796993c6112..3dbc9cd6776 100644 --- a/mail/qmail-run/files/tcp.smtp +++ b/mail/qmail-run/files/tcp.smtp @@ -1,2 +1,2 @@ 127.:allow,RELAYCLIENT="" -:allow,QMAILQUEUE="@PREFIX@/bin/qmail-qfilter-smtpd-queue",RCPTCHECK="@PREFIX@/bin/qmail-rcptcheck" +:allow,UCSPITLS="",GREETDELAY="2",QMAILQUEUE="@PREFIX@/bin/qmail-qfilter-smtpd-queue",RCPTCHECK="@PREFIX@/bin/qmail-rcptcheck" |