Diffstat (limited to 'debian/local/update_tls.in')
-rw-r--r-- | debian/local/update_tls.in | 58 |
1 files changed, 36 insertions, 22 deletions
diff --git a/debian/local/update_tls.in b/debian/local/update_tls.in
index 7d833fe..ea7345d 100644
--- a/debian/local/update_tls.in
+++ b/debian/local/update_tls.in
@@ -17,8 +17,9 @@ set -e;
 #---------------------------------------------------------------------------
 HOSTNAME=`hostname -s`;
 DOMAINNAME=`hostname -d`;
+MAILNAME=`cat /etc/mailname 2> /dev/null || hostname -f`;
 SSL_FQDN=`hostname -f`;
-SSL_EMAIL="admin@${SSL_FQDN}";
+SSL_EMAIL="admin@${MAILNAME}";
 export SSL_FQDN SSL_EMAIL;
 PROGRAM='sendmail';
 CERT_DIR="@sysconfdir@/ssl/certs";
@@ -33,13 +34,34 @@ MSP_CRT="@sysconfdir@/mail/tls/$PROGRAM-client.crt";
 NEW=0;
 REFD=0;
 
+# Path to other sendmail helpers
+if [ -x ./update_sendmail ]; then
+ sm_path='.';
+elif [ -x $(dirname $0)/update_sendmail ]; then
+ sm_path=$(dirname $0);
+else
+ sm_path=@datadir@/sendmail;
+ fi;
+# Bring in sendmail.conf for the network definitions
+if [ ! -f @sysconfdir@/mail/sendmail.conf ]; then
+ if [ -x $sm_path/update_conf ]; then
+ $sm_path/update_conf;
+ fi;
+ fi;
+if [ -f @sysconfdir@/mail/sendmail.conf ]; then
+ . @sysconfdir@/mail/sendmail.conf;
+ fi;
+if [ "$HANDS_OFF" != 'No' ]; then
+ exit 0;
+ fi;
+
 #---------------------------------------------------------------------------
 # create_config: Function to create openssl configuration file
 #---------------------------------------------------------------------------
 create_config () {
 cat >$MTA_CFG <<EOT
 [ ca ]
-default_days = 365
+default_days = 3650
 x509_extensions = X509v3
 [ req ]
 default_bits = 1024
@@ -99,7 +121,9 @@ echo 'Creating/Updating SSL(for TLS) information';
 # Process arguments
 #---------------------------------------------------------------------------
 case "$1" in
- [Nn][Ee][Ww]*)
+ [Nn][Ee][Ww]* | \
+ [Rr][Ee][Nn][Ee][Ww]* | \
+ [Rr][Ee][Ss][Ii][Nn][Gg]*)
 echo 'Removing any pre-existing sendmail certificates.';
 if [ -x @bindir@/openssl ]; then
 if [ -f $MTA_CRT ]; then
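Review bot: `MAILNAME=`cat /etc/mailname 2> /dev/null || hostname -f`;` only falls back to `hostname -f` when the file cannot be read; an existing but empty /etc/mailname leaves MAILNAME empty so SSL_EMAIL becomes `admin@`, and a file with more than one line puts an embedded newline into the address (command substitution strips only the trailing one). SSL_EMAIL is exported and, judging by the openssl config generation later in the script, presumably ends up in the certificate subject, so a malformed value is baked into the generated certificates. Take the first line and check it is non-empty: `MAILNAME=$(head -n 1 /etc/mailname 2>/dev/null); [ -n "$MAILNAME" ] || MAILNAME=$(hostname -f);`.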
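Review bot: The helper lookup in the second hunk trusts `./update_sendmail` in the current working directory ahead of the script's own directory and the installed @datadir@/sendmail path, and that choice then decides which `$sm_path/update_conf` (and, in a later hunk, `$sm_path/update_tlsm4`) is executed, apparently as root given the chown calls elsewhere in the script. When the script is started as `./update_tls` the `$(dirname $0)` branch already resolves to the same directory, so the `./` branch only changes anything when the script is invoked by path from some other cwd, which is exactly the case where a helper found in the cwd should not be run. Drop that first branch and quote the remaining expansions: `if [ -x "$(dirname "$0")/update_sendmail" ]; then sm_path=$(dirname "$0");`. Separately, when sendmail.conf cannot be found or created, HANDS_OFF stays unset and `[ "$HANDS_OFF" != 'No' ]` makes the script exit 0 with no output at all; a one-line diagnostic on stderr before that `exit 0` would stop it looking like a successful run.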
@@ -151,25 +175,15 @@ if [ -f @sysconfdir@/mail/sendmail.mc ]; then
 
 #---------------------------------------------------------------------------
 # Make sure prototype /etc/mail/tls/starttls.m4 exists
-if [ -L @sysconfdir@/mail/starttls.m4 ]; then
- rm @sysconfdir@/mail/starttls.m4;
- fi;
-if [ -f @sysconfdir@/mail/starttls.m4 ]; then
- mv @sysconfdir@/mail/starttls.m4 @sysconfdir@/mail/tls/starttls.m4;
- fi;
-if [ ! -f @sysconfdir@/mail/tls/starttls.m4 ]; then
- NEW=1;
- cp -a @datadir@/sendmail/cf/debian/starttls.m4 \
- @sysconfdir@/mail/tls/starttls.m4;
- echo ' ';
- echo 'Created template file @sysconfdir@/mail/tls/starttls.m4';
- echo 'Edit this file if you wish to change the default tls setup.';
- fi;
+mkdir -p @sysconfdir@/mail/tls 2>/dev/null;
+chown smmta:smmsp @sysconfdir@/mail/tls;
+chmod 0755 @sysconfdir@/mail/tls;
+$sm_path/update_tlsm4 || true;
 
 #---------------------------------------------------------------------------
 # check for SSL
 if [ -d "$CERT_DIR" ]; then
- if [ -f $MTA_CRT -a -f $MSP_CRT ]; then
+ if [ -f $MTA_CRT ] && [ -f $MSP_CRT ]; then
 echo 'You already have sendmail certificates';
 echo ' ';
 chown root:smmsp $COM_KEY;
@@ -223,14 +237,14 @@ if [ -d "$CERT_DIR" ]; then
 # Create shared DSA/DH password parameters
 # Skip this for now...
 if [ ! -f $COM_PRM ]; then
- #openssl dsaparam 1024 -out $COM_PRM;
+ #openssl dsaparam 2048 -out $COM_PRM;
 #openssl dhparam -dsaparam -in $COM_PRM >> $COM_PRM;
 touch $COM_PRM;
 chmod 0600 $COM_PRM;
 fi;
 # Create shared DSA/RSA key (RSA preferred for browser support)
 if [ ! -f $COM_KEY ]; then
- openssl genrsa -out $COM_KEY 1024;
+ openssl genrsa -out $COM_KEY 2048;
 #openssl gendsa -out $COM_KEY $COM_PRM;
 chown root:smmsp $COM_KEY;
 chmod 0640 $COM_KEY;
@@ -250,7 +264,7 @@ if [ -d "$CERT_DIR" ]; then
 chmod 0600 $MTA_CSR;
 openssl x509 -req -extfile $MTA_CFG \
 -signkey $COM_KEY -in $MTA_CSR \
- -out $MTA_CRT -days 365 \
+ -out $MTA_CRT -days 3650 \
 >/dev/null 2>&1;
 chown root:smmsp $MTA_CRT;
 chmod 0644 $MTA_CRT;
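Review bot: `$sm_path/update_tlsm4 || true;` discards the helper's failure, and the case where it is missing altogether, without any message, whereas the replaced code told the user when the starttls.m4 template was created and set `NEW=1`. NEW is initialised at the top of the script and its readers are outside this hunk, so if it is consulted later that signal is now never raised from here. At minimum emit a diagnostic instead of `|| true`: `$sm_path/update_tlsm4 || echo "warning: $sm_path/update_tlsm4 failed; @sysconfdir@/mail/tls/starttls.m4 may be missing" >&2;`. The `2>/dev/null` on `mkdir -p` likewise hides the reason when the directory cannot be created, although `set -e` still aborts the script at that point.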
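Review bot: In the `-223,14` hunk, `openssl genrsa -out $COM_KEY 2048;` writes the private key before the `chown root:smmsp` and `chmod 0640` lines run, so until then the file's mode depends on the process umask and on whether the installed OpenSSL restricts key file modes itself. Running the generation under a restrictive umask removes that window without changing the final ownership and mode: `(umask 077; openssl genrsa -out $COM_KEY 2048;)` in place of the current line. The `touch $COM_PRM; chmod 0600 $COM_PRM;` pair a few lines above has the same ordering, though that file is currently left empty.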
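Review bot: The lifetime `-out $MTA_CRT -days 3650 \` in the `-250,7` hunk, the matching `-out $MSP_CRT -days 3650 \` in the `-262,7` hunk, and the `default_days = 3650` written into the generated openssl config all carry the same literal, so they can drift apart in later edits; a single `CERT_DAYS=3650` defined next to the other constants (alongside `CERT_DIR`) and used in all three places would keep them in step. `openssl x509 -req` takes its validity from `-days`, so the `[ ca ]` default_days value presumably only matters if that config is ever fed to `openssl ca`; a comment saying which one is authoritative would help. The `>/dev/null 2>&1;` on both signing calls also discards the error text, so when signing fails `set -e` stops the script without saying why; keeping stdout quiet but dropping the `2>&1` preserves the diagnostic. A ten-year self-signed certificate also means a compromised $COM_KEY stays accepted by peers for the full period, which is worth stating in a comment at the lifetime constant.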
@@ -262,7 +276,7 @@ if [ -d "$CERT_DIR" ]; then
 chmod 0600 $MSP_CSR;
 openssl x509 -req -extfile $MSP_CFG \
 -signkey $COM_KEY -in $MSP_CSR \
- -out $MSP_CRT -days 365 \
+ -out $MSP_CRT -days 3650 \
 >/dev/null 2>&1;
 chown root:smmsp $MSP_CRT;
 chmod 0644 $MSP_CRT; |