Diffstat (limited to 'debian/local/update_tls.in')
-rw-r--r--debian/local/update_tls.in305
1 files changed, 305 insertions, 0 deletions
diff --git a/debian/local/update_tls.in b/debian/local/update_tls.in
new file mode 100644
index 0000000..7d833fe
--- /dev/null
+++ b/debian/local/update_tls.in
@@ -0,0 +1,305 @@
+#!/bin/sh -e
+#-----------------------------------------------------------------------------
+#
+# $Sendmail: update_tls,v @sm_version@ @sm_date@ @sm_time@ cowboy Exp $
+#
+# Sendmail support for TLS
+#
+# Copyright (c) 2000-@SM_CPYRT@ Richard Nelson. All Rights Reserved.
+#
+# Notes:
+#
+#-----------------------------------------------------------------------------
+set -e;
+
+#------------------------------------------------------------------------------
+# Local variables
+#---------------------------------------------------------------------------
+HOSTNAME=`hostname -s`;
+DOMAINNAME=`hostname -d`;
+SSL_FQDN=`hostname -f`;
+SSL_EMAIL="admin@${SSL_FQDN}";
+export SSL_FQDN SSL_EMAIL;
+PROGRAM='sendmail';
+CERT_DIR="@sysconfdir@/ssl/certs";
+COM_PRM="@sysconfdir@/mail/tls/$PROGRAM-common.prm";
+COM_KEY="@sysconfdir@/mail/tls/$PROGRAM-common.key";
+MTA_CFG="@sysconfdir@/mail/tls/$PROGRAM-server.cfg";
+MTA_CSR="@sysconfdir@/mail/tls/$PROGRAM-server.csr";
+MTA_CRT="@sysconfdir@/mail/tls/$PROGRAM-server.crt";
+MSP_CFG="@sysconfdir@/mail/tls/$PROGRAM-client.cfg";
+MSP_CSR="@sysconfdir@/mail/tls/$PROGRAM-client.csr";
+MSP_CRT="@sysconfdir@/mail/tls/$PROGRAM-client.crt";
+NEW=0;
+REFD=0;
+
+#---------------------------------------------------------------------------
+# create_config: Function to create openssl configuration file
+#---------------------------------------------------------------------------
+create_config () {
+cat >$MTA_CFG <<EOT
+[ ca ]
+default_days = 365
+x509_extensions = X509v3
+[ req ]
+default_bits = 1024
+distinguished_name = req_DN
+[ req_DN ]
+countryName = "1. Country Name (2 letter code)"
+countryName_min = 2
+countryName_max = 2
+countryName_default =
+stateOrProvinceName = "2. State or Province Name (full name) "
+stateOrProvinceName_default =
+localityName = "3. Locality Name (eg, city) "
+localityName_default =
+0.organizationName = "4. Organization Name (eg, company) "
+0.organizationName_default = Sendmail
+organizationalUnitName = "5. Organizational Unit Name (eg, section) "
+organizationalUnitName_default = Sendmail Server
+commonName = "6. Common Name (MUST==FQDN) "
+commonName_max = 64
+commonName_default = \$ENV::SSL_FQDN
+emailAddress = "7. Email Address (eg, name@FQDN)"
+emailAddress_max = 40
+emailAddress_default = \$ENV::SSL_EMAIL
+[ x509v3 ]
+subjectAltName = email:copy
+issuerAltName = issuer:copy
+basicConstraints = CA:false
+nsComment = "Sendmail generated custom certificate"
+nsCertType = server
+nsSslServerName = \$ENV::SSL_FQDN
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+EOT
+};
+
+
+#---------------------------------------------------------------------------
+# Check if OpenSSL is installed
+if [ ! -d "$CERT_DIR" ]; then
+ cat <<-EOT
+
+ OpenSSL is not installed, will not configure sendmail support for it.
+
+ to install openssl, get openssl.
+
+ To enable sendmail TLS support at a later date, invoke "$0"
+
+ EOT
+ exit 0;
+ fi;
+
+echo ' ';
+echo 'Creating/Updating SSL(for TLS) information';
+
+
+#---------------------------------------------------------------------------
+# Process arguments
+#---------------------------------------------------------------------------
+case "$1" in
+ [Nn][Ee][Ww]*)
+ echo 'Removing any pre-existing sendmail certificates.';
+ if [ -x @bindir@/openssl ]; then
+ if [ -f $MTA_CRT ]; then
+ LINK="$CERT_DIR/"$(openssl x509 -noout -hash < $MTA_CRT)".0";
+ rm -f $LINK 2>/dev/null;
+ fi;
+ if [ -f $MSP_CRT ]; then
+ LINK="$CERT_DIR/"$(openssl x509 -noout -hash < $MSP_CRT)".0";
+ rm -f $LINK 2>/dev/null;
+ fi;
+ fi;
+ rm -f $MTA_CSR $MTA_CRT 2>/dev/null;
+ rm -f $MSP_CSR $MSP_CRT 2>/dev/null;
+ rm -f $COM_PRM $COM_KEY 2>/dev/null;
+ ;;
+ esac
+
+#---------------------------------------------------------------------------
+# Make sure sendmail.mc points to proper /etc/mail/tls/starttls.m4
+if [ -f @sysconfdir@/mail/sendmail.mc ]; then
+ if (grep -qEe "^[[:space:]]*include\(\`?@sysconfdir@/mail/starttls.m4" \
+ @sysconfdir@/mail/sendmail.mc); then
+ sed -e "s=^\([[:space:]]*\)\(\`\?\)include(\`\?@sysconfdir@/mail/starttls.m4'\?)\(dnl\)\?=\1\2include(\`@sysconfdir@/mail/tls/starttls.m4')dnl=g" \
+ @sysconfdir@/mail/sendmail.mc > @sysconfdir@/mail/sendmail.mc.new;
+ chown root:smmsp @sysconfdir@/mail/sendmail.mc.new;
+ chmod 0644 @sysconfdir@/mail/sendmail.mc.new;
+ mv @sysconfdir@/mail/sendmail.mc.new @sysconfdir@/mail/sendmail.mc;
+ fi;
+ fi;
+if [ -f @sysconfdir@/mail/submit.mc ]; then
+ if (grep -qEe "^[[:space:]]*include\(\`?@sysconfdir@/mail/starttls.m4" \
+ @sysconfdir@/mail/submit.mc); then
+ sed -e "s=^\([[:space:]]*\)\(\`\?\)include(\`\?@sysconfdir@/mail/starttls.m4'\?)\(dnl\)\?=\1\2include(\`@sysconfdir@/mail/tls/starttls.m4')dnl=g" \
+ @sysconfdir@/mail/submit.mc > @sysconfdir@/mail/submit.mc.new;
+ chown root:smmsp @sysconfdir@/mail/submit.mc.new;
+ chmod 0644 @sysconfdir@/mail/submit.mc.new;
+ mv @sysconfdir@/mail/submit.mc.new @sysconfdir@/mail/submit.mc;
+ fi;
+ fi;
+
+#---------------------------------------------------------------------------
+# check for references to starttls.m4 in sendmail.mc
+if [ -f @sysconfdir@/mail/sendmail.mc ]; then
+ if grep -qEe "^[[:space:]]*include\(\`?@sysconfdir@/mail/tls/starttls.m4" \
+ @sysconfdir@/mail/sendmail.mc; then
+ REFD=1;
+ fi;
+ fi;
+
+#---------------------------------------------------------------------------
+# Make sure prototype /etc/mail/tls/starttls.m4 exists
+if [ -L @sysconfdir@/mail/starttls.m4 ]; then
+ rm @sysconfdir@/mail/starttls.m4;
+ fi;
+if [ -f @sysconfdir@/mail/starttls.m4 ]; then
+ mv @sysconfdir@/mail/starttls.m4 @sysconfdir@/mail/tls/starttls.m4;
+ fi;
+if [ ! -f @sysconfdir@/mail/tls/starttls.m4 ]; then
+ NEW=1;
+ cp -a @datadir@/sendmail/cf/debian/starttls.m4 \
+ @sysconfdir@/mail/tls/starttls.m4;
+ echo ' ';
+ echo 'Created template file @sysconfdir@/mail/tls/starttls.m4';
+ echo 'Edit this file if you wish to change the default tls setup.';
+ fi;
+
+#---------------------------------------------------------------------------
+# check for SSL
+if [ -d "$CERT_DIR" ]; then
+ if [ -f $MTA_CRT -a -f $MSP_CRT ]; then
+ echo 'You already have sendmail certificates';
+ echo ' ';
+ chown root:smmsp $COM_KEY;
+ chown root:smmsp $MTA_CRT;
+ chown root:smmsp $MSP_CRT;
+ else
+ if [ -x @bindir@/openssl ]; then
+ yn="Y";
+ else
+ cat <<-EOT
+ $PROGRAM needs openssl (not installed) to create a
+ certificate to validate users
+
+ If you don't need a certificate, say No
+ If you want a certificate, install openssl and say Yes
+
+ Do you wish to create a certificate?
+ EOT
+ read yn;
+ yn=$(echo -n "$yn" | sed -e "s/^\ *//" -e "s/^\t*//");
+ test -n "$yn" || yn="N";
+ fi;
+
+ # Create new (self-signed) certificate
+ case "$yn" in
+ [Yy]*)
+ echo "Creating SSL certificates for sendmail.";
+ # Create prompt file
+ if [ ! -f @sysconfdir@/mail/tls/no_prompt ]; then
+ cat >@sysconfdir@/mail/tls/no_prompt <<-EOT
+
+
+
+
+
+
+
+ EOT
+ fi;
+
+ # Create config files
+ if [ ! -f $MTA_CFG ]; then
+ create_config;
+ chmod 0600 $MTA_CFG;
+ fi;
+ if [ ! -f $MSP_CFG ]; then
+ sed -e "s/Sendmail Server/Sendmail Client/" \
+ $MTA_CFG > $MSP_CFG;
+ chmod 0600 $MSP_CFG;
+ fi;
+ # Create shared DSA/DH password parameters
+ # Skip this for now...
+ if [ ! -f $COM_PRM ]; then
+ #openssl dsaparam 1024 -out $COM_PRM;
+ #openssl dhparam -dsaparam -in $COM_PRM >> $COM_PRM;
+ touch $COM_PRM;
+ chmod 0600 $COM_PRM;
+ fi;
+ # Create shared DSA/RSA key (RSA preferred for browser support)
+ if [ ! -f $COM_KEY ]; then
+ openssl genrsa -out $COM_KEY 1024;
+ #openssl gendsa -out $COM_KEY $COM_PRM;
+ chown root:smmsp $COM_KEY;
+ chmod 0640 $COM_KEY;
+ fi;
+ # sendmail requires that CN=fqdn
+ # Prompts: 1) Country Name (2 letter code)
+ # 2) State or Province Name
+ # 3) Locality Name (eg, city)
+ # 4) Organization Name (eg, company)
+ # 5) Organizational Unit Name (eg, section)
+ # 6) Common Name (eg, YOUR name)
+ # 7) Email Address
+ if [ ! -f $MTA_CRT ]; then
+ openssl req -new -config $MTA_CFG -key $COM_KEY \
+ -out $MTA_CSR \
+ <@sysconfdir@/mail/tls/no_prompt >/dev/null 2>&1;
+ chmod 0600 $MTA_CSR;
+ openssl x509 -req -extfile $MTA_CFG \
+ -signkey $COM_KEY -in $MTA_CSR \
+ -out $MTA_CRT -days 365 \
+ >/dev/null 2>&1;
+ chown root:smmsp $MTA_CRT;
+ chmod 0644 $MTA_CRT;
+ fi;
+ if [ ! -f $MSP_CRT ]; then
+ openssl req -new -config $MSP_CFG -key $COM_KEY \
+ -out $MSP_CSR \
+ <@sysconfdir@/mail/tls/no_prompt >/dev/null 2>&1;
+ chmod 0600 $MSP_CSR;
+ openssl x509 -req -extfile $MSP_CFG \
+ -signkey $COM_KEY -in $MSP_CSR \
+ -out $MSP_CRT -days 365 \
+ >/dev/null 2>&1;
+ chown root:smmsp $MSP_CRT;
+ chmod 0644 $MSP_CRT;
+ fi;
+ esac;
+ fi;
+
+ # Create hash link for new certificate (must do msp last!)
+ if [ -f $MTA_CRT ]; then
+ LINK="$CERT_DIR/"$(openssl x509 -noout -hash < $MTA_CRT)".0";
+ if [ ! -f $LINK ]; then
+ ln -sf $MTA_CRT $LINK;
+ fi;
+ fi;
+ if [ -f $MSP_CRT ]; then
+ LINK="$CERT_DIR/"$(openssl x509 -noout -hash < $MSP_CRT)".0";
+ if [ ! -f $LINK ]; then
+ ln -sf $MSP_CRT $LINK;
+ fi;
+ fi;
+ fi;
+
+if [ $REFD -eq 0 ]; then
+ cat <<-EOT
+
+ *** *** *** WARNING *** WARNING *** WARNING *** WARNING *** *** ***
+
+ Everything you need to support STARTTLS (encrypted mail transmission
+ and user authentication via certificates) is installed and configured
+ but *IS* not being used.
+
+ To enable sendmail to use STARTTLS, you need to:
+ 1) Add this line to @sysconfdir@/mail/sendmail.mc and optionally
+ to @sysconfdir@/mail/submit.mc:
+ include(\`@sysconfdir@/mail/tls/starttls.m4')dnl
+ 2) Run sendmailconfig
+ 3) Restart sendmail
+
+ EOT
+ fi;
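Review bot: The certificate key size is 1024-bit RSA in two places — `default_bits = 1024` in the create_config heredoc and `openssl genrsa -out $COM_KEY 1024` in the key-creation branch — which is below what current TLS peers and CA/browser policy accept; both should be raised to at least 2048 and kept in agreement, e.g. `default_bits = 2048` and `openssl genrsa -out $COM_KEY 2048`, and the MSP config derived from the MTA one by sed will then inherit the change. The `-days 365` self-signed certificates are then linked into `$CERT_DIR` (the system `ssl/certs` hash directory), so a comment such as `# Hash link lets OpenSSL clients on this host trust the self-signed cert; re-run after renewal` would explain why the script writes outside `@sysconfdir@/mail/tls`. Separately, the `openssl req` and `openssl x509` calls discard both stdout and stderr with `>/dev/null 2>&1`, so when one fails under `set -e` the script aborts with no diagnostic; dropping the `2>&1` (or redirecting stderr to a log) would keep the failure reason visible.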