author | schmonz <schmonz@pkgsrc.org> | 2021-01-14 15:42:35 +0000 |
---|---|---|
committer | schmonz <schmonz@pkgsrc.org> | 2021-01-14 15:42:35 +0000 |
commit | 926de3de65f60f2b71a8f94465779394159997cc (patch) | |
tree | 287b6866de8fae30c0a675e3f1c25a538542d979 /mail | |
parent | 4479fafdd198cdad17ada8cce8209e508b2e9401 (diff) | |
Take steps toward running under other UCSPI-TLS server implementations:
- Set CADIR in the environment.
- Prefer a separate keyfile for TLS. If it's not present, attempt to
generate it by copying out the private key from the certfile.
- Don't provide an affordance for overriding the compiled-in cipherlist.
- Be willing to enable TLS without a DH params file.
While here, invent control/localfilters. If it exists, it's a sequence
of filters for SMTP connections on localhost.
Bump version.
Diffstat (limited to 'mail')
-rw-r--r-- | mail/qmail-run/Makefile | 4 | ||||
-rw-r--r-- | mail/qmail-run/files/qmailofmipd.sh | 17 | ||||
-rw-r--r-- | mail/qmail-run/files/qmailpop3d.sh | 17 | ||||
-rw-r--r-- | mail/qmail-run/files/qmailsmtpd.sh | 17 | ||||
-rw-r--r-- | mail/qmail-run/files/tcprules-smtp | 2 |
5 files changed, 27 insertions, 30 deletions
diff --git a/mail/qmail-run/Makefile b/mail/qmail-run/Makefile index 5f609dfa163..adb4c49bb7f 100644 --- a/mail/qmail-run/Makefile +++ b/mail/qmail-run/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.78 2020/12/14 11:59:45 schmonz Exp $ +# $NetBSD: Makefile,v 1.79 2021/01/14 15:42:35 schmonz Exp $ # -DISTNAME= qmail-run-20201214 +DISTNAME= qmail-run-20210114 CATEGORIES= mail MASTER_SITES= # empty DISTFILES= # empty diff --git a/mail/qmail-run/files/qmailofmipd.sh b/mail/qmail-run/files/qmailofmipd.sh index 749d9d333ce..f54565e23a1 100644 --- a/mail/qmail-run/files/qmailofmipd.sh +++ b/mail/qmail-run/files/qmailofmipd.sh @@ -1,6 +1,6 @@ #!@RCD_SCRIPTS_SHELL@ # -# $NetBSD: qmailofmipd.sh,v 1.26 2020/12/11 12:11:43 schmonz Exp $ +# $NetBSD: qmailofmipd.sh,v 1.27 2021/01/14 15:42:36 schmonz Exp $ # # @PKGNAME@ script to control ofmipd (SMTP submission service). # @@ -31,8 +31,7 @@ name="qmailofmipd" : ${qmailofmipd_tls:="auto"} : ${qmailofmipd_tls_dhparams:="@PKG_SYSCONFDIR@/control/dh2048.pem"} : ${qmailofmipd_tls_cert:="@PKG_SYSCONFDIR@/control/servercert.pem"} -: ${qmailofmipd_tls_key:=""} -: ${qmailofmipd_tls_ciphers:=""} +: ${qmailofmipd_tls_key:="@PKG_SYSCONFDIR@/control/serverkey.pem"} if [ -f /etc/rc.subr ]; then . /etc/rc.subr @@ -57,7 +56,7 @@ reload_cmd=${cdb_cmd} qmailofmipd_configure_tls() { if [ "auto" = "${qmailofmipd_tls}" ]; then - if [ -f "${qmailofmipd_tls_dhparams}" ] && [ -f "${qmailofmipd_tls_cert}" ]; then + if [ -f "${qmailofmipd_tls_cert}" ]; then qmailofmipd_enable_tls else qmailofmipd_disable_tls 
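Review bot: The relaxed `auto` probe in qmailofmipd_configure_tls now turns TLS on whenever the certificate file exists, but the key is only produced later, in qmailofmipd_enable_tls, by an unchecked `openssl rsa` extraction; a certificate-only PEM (as handed out by most CAs) with no serverkey.pem next to it still passes this test, and the service then starts with KEYFILE naming a file that was never written. The probe should also require usable key material, e.g. `if [ -f "${qmailofmipd_tls_cert}" ] && { [ -f "${qmailofmipd_tls_key}" ] || grep -q 'PRIVATE KEY' "${qmailofmipd_tls_cert}"; }; then`. Whether the UCSPI-TLS server then refuses to start or silently serves without TLS depends on the implementation, which this hunk does not show, so the rc script should not leave that to chance. Dropping the DH-params requirement itself matches the commit message.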
@@ -74,16 +73,16 @@ qmailofmipd_disable_tls() { } qmailofmipd_enable_tls() { + qmailofmipd_postenv="CADIR=@SSLDIR@/certs ${qmailofmipd_postenv}" qmailofmipd_postenv="SSL_UID=$(@ID@ -u @UCSPI_SSL_USER@) ${qmailofmipd_postenv}" qmailofmipd_postenv="SSL_GID=$(@ID@ -g @UCSPI_SSL_GROUP@) ${qmailofmipd_postenv}" qmailofmipd_postenv="DHFILE=${qmailofmipd_tls_dhparams} ${qmailofmipd_postenv}" qmailofmipd_postenv="CERTFILE=${qmailofmipd_tls_cert} ${qmailofmipd_postenv}" - if [ -f "${qmailofmipd_tls_key}" ]; then - qmailofmipd_postenv="KEYFILE=${qmailofmipd_tls_key} ${qmailofmipd_postenv}" - fi - if [ -n "${qmailofmipd_tls_ciphers}" ]; then - qmailofmipd_postenv="CIPHERS=${qmailofmipd_tls_ciphers} ${qmailofmipd_postenv}" + if [ -n "${qmailofmipd_tls_key}" -a ! -f "${qmailofmipd_tls_key}" ]; then + openssl rsa -in ${qmailofmipd_tls_cert} -out ${qmailofmipd_tls_key} + @CHMOD@ 640 ${qmailofmipd_tls_key} fi + qmailofmipd_postenv="KEYFILE=${qmailofmipd_tls_key} ${qmailofmipd_postenv}" } qmailofmipd_precmd() { diff --git a/mail/qmail-run/files/qmailpop3d.sh b/mail/qmail-run/files/qmailpop3d.sh index b85a7db683d..80ed120731b 100644 --- a/mail/qmail-run/files/qmailpop3d.sh +++ b/mail/qmail-run/files/qmailpop3d.sh @@ -1,6 +1,6 @@ #!@RCD_SCRIPTS_SHELL@ # -# $NetBSD: qmailpop3d.sh,v 1.33 2019/03/21 15:33:06 schmonz Exp $ +# $NetBSD: qmailpop3d.sh,v 1.34 2021/01/14 15:42:36 schmonz Exp $ # # @PKGNAME@ script to control qmail-pop3d (POP3 server for Maildirs). # @@ -30,8 +30,7 @@ name="qmailpop3d" : ${qmailpop3d_tls:="auto"} : ${qmailpop3d_tls_dhparams:="@PKG_SYSCONFDIR@/control/dh2048.pem"} : ${qmailpop3d_tls_cert:="@PKG_SYSCONFDIR@/control/servercert.pem"} -: ${qmailpop3d_tls_key:=""} -: ${qmailpop3d_tls_ciphers:=""} +: ${qmailpop3d_tls_key:="@PKG_SYSCONFDIR@/control/serverkey.pem"} if [ -f /etc/rc.subr ]; then . /etc/rc.subr 
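Review bot: The key-extraction branch added to qmailofmipd_enable_tls has no failure handling: if `openssl rsa` fails (the certfile carries no private key, or the key is not RSA, which `openssl rsa` rejects), the script still exports KEYFILE and carries on, and the `@CHMOD@ 640` runs only after the key has been written under whatever umask the rc system uses, so on OpenSSL builds that do not create private-key output 0600 themselves the key is briefly world-readable. The same hunk also keeps exporting `DHFILE=${qmailofmipd_tls_dhparams}` even though the `auto` path no longer requires that file to exist, and the paths in the `openssl` and `@CHMOD@` lines are unquoted while the `-a` form of `[` is the obsolescent one. I would create the key under a restrictive umask with `openssl pkey` (which handles RSA and EC keys alike), fail loudly, only export DHFILE when the file is present, and quote every path; the `auto` branch of qmailofmipd_configure_tls would need to act on the non-zero status.

```shell
qmailofmipd_enable_tls() {
	# … unchanged: CADIR, SSL_UID, SSL_GID and CERTFILE exports …
	if [ -f "${qmailofmipd_tls_dhparams}" ]; then
		qmailofmipd_postenv="DHFILE=${qmailofmipd_tls_dhparams} ${qmailofmipd_postenv}"
	fi
	if [ -n "${qmailofmipd_tls_key}" ] && [ ! -f "${qmailofmipd_tls_key}" ]; then
		# write the private key 0600 from the start; loosen to 640 afterwards
		( umask 077 && openssl pkey -in "${qmailofmipd_tls_cert}" -out "${qmailofmipd_tls_key}" ) || {
			echo "${name}: cannot extract a private key from ${qmailofmipd_tls_cert}" 1>&2
			rm -f "${qmailofmipd_tls_key}"
			return 1
		}
		@CHMOD@ 640 "${qmailofmipd_tls_key}"
	fi
	qmailofmipd_postenv="KEYFILE=${qmailofmipd_tls_key} ${qmailofmipd_postenv}"
}
```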
@@ -54,7 +53,7 @@ reload_cmd=${cdb_cmd} qmailpop3d_configure_tls() { if [ "auto" = "${qmailpop3d_tls}" ]; then - if [ -f "${qmailpop3d_tls_dhparams}" ] && [ -f "${qmailpop3d_tls_cert}" ]; then + if [ -f "${qmailpop3d_tls_cert}" ]; then qmailpop3d_enable_tls else qmailpop3d_disable_tls @@ -71,16 +70,16 @@ qmailpop3d_disable_tls() { } qmailpop3d_enable_tls() { + qmailpop3d_postenv="CADIR=@SSLDIR@/certs ${qmailpop3d_postenv}" qmailpop3d_postenv="SSL_UID=$(@ID@ -u @UCSPI_SSL_USER@) ${qmailpop3d_postenv}" qmailpop3d_postenv="SSL_GID=$(@ID@ -g @UCSPI_SSL_GROUP@) ${qmailpop3d_postenv}" qmailpop3d_postenv="DHFILE=${qmailpop3d_tls_dhparams} ${qmailpop3d_postenv}" qmailpop3d_postenv="CERTFILE=${qmailpop3d_tls_cert} ${qmailpop3d_postenv}" - if [ -f "${qmailpop3d_tls_key}" ]; then - qmailpop3d_postenv="KEYFILE=${qmailpop3d_tls_key} ${qmailpop3d_postenv}" - fi - if [ -n "${qmailpop3d_tls_ciphers}" ]; then - qmailpop3d_postenv="CIPHERS=${qmailpop3d_tls_ciphers} ${qmailpop3d_postenv}" + if [ -n "${qmailpop3d_tls_key}" -a ! -f "${qmailpop3d_tls_key}" ]; then + openssl rsa -in ${qmailpop3d_tls_cert} -out ${qmailpop3d_tls_key} + @CHMOD@ 640 ${qmailpop3d_tls_key} fi + qmailpop3d_postenv="KEYFILE=${qmailpop3d_tls_key} ${qmailpop3d_postenv}" } qmailpop3d_precmd() { diff --git a/mail/qmail-run/files/qmailsmtpd.sh b/mail/qmail-run/files/qmailsmtpd.sh index 5f28b21983d..7bc92c4326c 100644 --- a/mail/qmail-run/files/qmailsmtpd.sh +++ b/mail/qmail-run/files/qmailsmtpd.sh @@ -1,6 +1,6 @@ #!@RCD_SCRIPTS_SHELL@ # -# $NetBSD: qmailsmtpd.sh,v 1.30 2019/03/21 15:33:06 schmonz Exp $ +# $NetBSD: qmailsmtpd.sh,v 1.31 2021/01/14 15:42:36 schmonz Exp $ # # @PKGNAME@ script to control qmail-smtpd (SMTP service). # 
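Review bot: In qmailpop3d_enable_tls the new `openssl rsa -in ${qmailpop3d_tls_cert} -out ${qmailpop3d_tls_key}` line invokes `openssl` by bare name, whereas every other external tool in the same function (`@ID@`, `@CHMOD@`) is a build-time placeholder resolved to an absolute path; an rc script running at boot may well have a PATH that does not include the prefix where pkgsrc's openssl lives, in which case the extraction fails silently and KEYFILE is exported regardless. It would be safer to substitute an absolute path the same way the other tools are, and to quote the two paths and split the test: `if [ -n "${qmailpop3d_tls_key}" ] && [ ! -f "${qmailpop3d_tls_key}" ]; then` followed by `@OPENSSL@ rsa -in "${qmailpop3d_tls_cert}" -out "${qmailpop3d_tls_key}" || return 1`, assuming the package's substitution list can provide such a placeholder. This is the same logic as in qmailofmipd.sh and qmailsmtpd.sh, so whatever fix is chosen should be applied to all three scripts.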
@@ -29,8 +29,7 @@ name="qmailsmtpd" : ${qmailsmtpd_tls:="auto"} : ${qmailsmtpd_tls_dhparams:="@PKG_SYSCONFDIR@/control/dh2048.pem"} : ${qmailsmtpd_tls_cert:="@PKG_SYSCONFDIR@/control/servercert.pem"} -: ${qmailsmtpd_tls_key:=""} -: ${qmailsmtpd_tls_ciphers:=""} +: ${qmailsmtpd_tls_key:="@PKG_SYSCONFDIR@/control/serverkey.pem"} if [ -f /etc/rc.subr ]; then . /etc/rc.subr @@ -53,7 +52,7 @@ reload_cmd=${cdb_cmd} qmailsmtpd_configure_tls() { if [ "auto" = "${qmailsmtpd_tls}" ]; then - if [ -f "${qmailsmtpd_tls_dhparams}" ] && [ -f "${qmailsmtpd_tls_cert}" ]; then + if [ -f "${qmailsmtpd_tls_cert}" ]; then qmailsmtpd_enable_tls else qmailsmtpd_disable_tls @@ -70,16 +69,16 @@ qmailsmtpd_disable_tls() { } qmailsmtpd_enable_tls() { + qmailsmtpd_postenv="CADIR=@SSLDIR@/certs ${qmailsmtpd_postenv}" qmailsmtpd_postenv="SSL_UID=$(@ID@ -u @UCSPI_SSL_USER@) ${qmailsmtpd_postenv}" qmailsmtpd_postenv="SSL_GID=$(@ID@ -g @UCSPI_SSL_GROUP@) ${qmailsmtpd_postenv}" qmailsmtpd_postenv="DHFILE=${qmailsmtpd_tls_dhparams} ${qmailsmtpd_postenv}" qmailsmtpd_postenv="CERTFILE=${qmailsmtpd_tls_cert} ${qmailsmtpd_postenv}" - if [ -f "${qmailsmtpd_tls_key}" ]; then - qmailsmtpd_postenv="KEYFILE=${qmailsmtpd_tls_key} ${qmailsmtpd_postenv}" - fi - if [ -n "${qmailsmtpd_tls_ciphers}" ]; then - qmailsmtpd_postenv="CIPHERS=${qmailsmtpd_tls_ciphers} ${qmailsmtpd_postenv}" + if [ -n "${qmailsmtpd_tls_key}" -a ! -f "${qmailsmtpd_tls_key}" ]; then + openssl rsa -in ${qmailsmtpd_tls_cert} -out ${qmailsmtpd_tls_key} + @CHMOD@ 640 ${qmailsmtpd_tls_key} fi + qmailsmtpd_postenv="KEYFILE=${qmailsmtpd_tls_key} ${qmailsmtpd_postenv}" } qmailsmtpd_precmd() { diff --git a/mail/qmail-run/files/tcprules-smtp b/mail/qmail-run/files/tcprules-smtp index 776ab91ccd9..d699ab37079 100644 --- a/mail/qmail-run/files/tcprules-smtp +++ b/mail/qmail-run/files/tcprules-smtp 
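Review bot: `@CHMOD@ 640 ${qmailsmtpd_tls_key}` in qmailsmtpd_enable_tls sets group-read on the freshly extracted private key without any chown, so the file stays owned by the user running the rc script (normally root) and its primary group, not by @UCSPI_SSL_USER@/@UCSPI_SSL_GROUP@ whose ids the function exports as SSL_UID/SSL_GID two lines above. If the TLS server opens KEYFILE after switching to SSL_UID/SSL_GID, the key is unreadable and the service fails; if it opens it before switching, 600 is sufficient and tighter than 640 — in neither case is 640 on a root-group file the right mode. Either `@CHMOD@ 600 "${qmailsmtpd_tls_key}"` or `@CHOWN@ root:@UCSPI_SSL_GROUP@ "${qmailsmtpd_tls_key}"` before the chmod would make the intent explicit; which one is correct depends on when the UCSPI-TLS server reads the key, which this hunk does not show. Note also that the chmod only runs when the key was just extracted, so a pre-existing serverkey.pem with loose permissions is never tightened.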
@@ -1,2 +1,2 @@ -127.:allow,RELAYCLIENT="" +127.:allow,RELAYCLIENT="",QMAILQUEUE="/opt/pkg/bin/qmail-qfilter-queue",QMAILQUEUEFILTERS="control/localfilters" :allow,UCSPITLS="",GREETDELAY="2",SPP_SPF_DONT_ALLOW_RANDOM_IP_PASS="1",SPP_SPF_RESULT_PASS="SGL_WHITELISTED=1",GL_DATABASE="@PKG_SYSCONFDIR@/control/greylist/database",GL_VERBOSE="1",QMAILQUEUE="@PREFIX@/bin/qmail-qfilter-queue",QMAILQUEUEFILTERS="control/smtpfilters" |
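Review bot: The new localhost rule hard-codes `QMAILQUEUE="/opt/pkg/bin/qmail-qfilter-queue"` while the catch-all rule on the following line uses `@PREFIX@/bin/qmail-qfilter-queue`; on any installation whose PREFIX is not /opt/pkg, qmail-smtpd serving 127.0.0.1 will try to exec a program that does not exist and every local submission is rejected with a temporary queue error. The line should read `127.:allow,RELAYCLIENT="",QMAILQUEUE="@PREFIX@/bin/qmail-qfilter-queue",QMAILQUEUEFILTERS="control/localfilters"`. The commit message describes control/localfilters as optional ("If it exists"), but whether qmail-qfilter-queue tolerates a missing filters file is not visible here and is worth confirming, since localhost previously ran no QMAILQUEUE wrapper at all and now always does.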