From 6baba59d14a481369d3e68005d91d087490da500 Mon Sep 17 00:00:00 2001
From: manu
Date: Thu, 19 Sep 2013 10:54:05 +0000
Subject: Add a ffr_tls_1 option to sendmail, which enable the O CipherList option for sendmail.cf. it is required in order to remove weak ciphers, and enforce Forward Secrecy on modern MUA Usage example: O CipherList=DH@STRENGTH:HIGH:!MD5:!DES:!aNULL:!eNULL
---
mail/sendmail/Makefile | 7 +++++--
mail/sendmail/files/site.config.m4-ffr_tls_1 | 4 ++++
mail/sendmail/options.mk | 9 +++++++--
3 files changed, 16 insertions(+), 4 deletions(-)
create mode 100644 mail/sendmail/files/site.config.m4-ffr_tls_1
diff --git a/mail/sendmail/Makefile b/mail/sendmail/Makefile
index dd1375d5023..b3dabdab001 100644
--- a/mail/sendmail/Makefile
+++ b/mail/sendmail/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.116 2013/07/12 10:44:58 jperkin Exp $
+# $NetBSD: Makefile,v 1.117 2013/09/19 10:54:05 manu Exp $
 PKGNAME= sendmail-${DIST_VERS}
-PKGREVISION= 1
+PKGREVISION= 2
 COMMENT= The well known Mail Transport Agent
 CONFLICTS+= courier-mta-[0-9]* fastforward>=0.51nb2 postfix-[0-9]*
@@ -67,6 +67,9 @@ post-patch: make-sendmail-siteconfig
 .if !empty(PKG_OPTIONS:Mtls)
 cat ${FILESDIR}/site.config.m4-starttls >>${SITECONFIG}
 .endif
+.if !empty(PKG_OPTIONS:Mffr_tls_1)
+ cat ${FILESDIR}/site.config.m4-ffr_tls_1 >>${SITECONFIG}
+.endif
 .if !empty(PKG_OPTIONS:Msasl)
 cat ${FILESDIR}/site.config.m4-sasl2 >>${SITECONFIG}
 .endif
diff --git a/mail/sendmail/files/site.config.m4-ffr_tls_1 b/mail/sendmail/files/site.config.m4-ffr_tls_1
new file mode 100644
index 00000000000..0d2ec4f6cde
--- /dev/null
+++ b/mail/sendmail/files/site.config.m4-ffr_tls_1
@@ -0,0 +1,4 @@
+# $NetBSD: site.config.m4-ffr_tls_1,v 1.1 2013/09/19 10:54:05 manu Exp $
+
+# enable _FFR_TLS_1
+APPENDDEF(`conf_sendmail_ENVDEF', `-D_FFR_TLS_1')
diff --git a/mail/sendmail/options.mk b/mail/sendmail/options.mk
index 26e36ec3104..4205b114017 100644
--- a/mail/sendmail/options.mk
+++ b/mail/sendmail/options.mk
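Review bot: The new `.if !empty(PKG_OPTIONS:Mffr_tls_1)` block in the second Makefile hunk (`post-patch`) appends `-D_FFR_TLS_1` to the site config whether or not the `tls` option is selected. The define presumably only affects code that is compiled with STARTTLS, so a build with `ffr_tls_1` but without `tls` would report the option as enabled while the binary has no CipherList support and no TLS at all. Tie the two together, for example `.if !empty(PKG_OPTIONS:Mtls) && !empty(PKG_OPTIONS:Mffr_tls_1)`, or reject the combination in options.mk with `PKG_FAIL_REASON+= "ffr_tls_1 requires the tls option"`. The same gap applies to the `PKG_SUPPORTED_OPTIONS` change in the first options.mk hunk.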
@@ -1,7 +1,7 @@
-# $NetBSD: options.mk,v 1.19 2012/12/28 05:27:06 jnemeth Exp $
+# $NetBSD: options.mk,v 1.20 2013/09/19 10:54:05 manu Exp $
 PKG_OPTIONS_VAR= PKG_OPTIONS.sendmail
-PKG_SUPPORTED_OPTIONS= inet6 db2 ldap sasl tls tcpwrappers
+PKG_SUPPORTED_OPTIONS= inet6 db2 ldap sasl tls tcpwrappers ffr_tls_1
 PKG_SUGGESTED_OPTIONS= inet6 tcpwrappers
 PKG_OPTIONS_LEGACY_OPTS+= starttls:tls
@@ -36,6 +36,11 @@ PKG_OPTIONS_LEGACY_OPTS+= starttls:tls
 . include "../../security/openssl/buildlink3.mk"
 .endif
+###
+### 'For Future Release' FFR_TLS_1 options: CipherList, multiple certs
+###
+# Nothing to do here, activation is done in Makefile
+
 ###
 ### Use tcpwrappers for network access control to sendmail
 ###
-- 
cgit v1.2.3
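Review bot: The comment block added in the second hunk says only that activation happens in the Makefile; it does not tell the administrator that building with `_FFR_TLS_1` changes nothing at run time until `O CipherList` is actually set in sendmail.cf. Someone who enables the option and stops there presumably still negotiates the TLS library's default cipher list, so the weak ciphers the commit message wants removed stay on offer. I would extend the comment along the lines of `# Only compiles in support; set "O CipherList=..." in sendmail.cf to restrict ciphers.` and note there that `_FFR_TLS_1` is a "for future release" flag, i.e. not a stable upstream interface.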