From ebce447fcd0fdb076252604ae1d625f846d7d95f Mon Sep 17 00:00:00 2001
From: Robert Scheck
Date: Jul 23 2018 21:32:56 +0000
Subject: Add basic sendmail TLS configuration by default (#1607314 #c11)

---

diff --git a/sendmail-redhat.mc b/sendmail-redhat.mc
index 6fb801a..dd9bc96 100644
--- a/sendmail-redhat.mc
+++ b/sendmail-redhat.mc
@@ -56,15 +56,14 @@ dnl #
 dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
 dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
 dnl #
-dnl # Rudimentary information on creating certificates for sendmail TLS:
-dnl # cd /etc/pki/tls/certs; make sendmail.pem
-dnl # Complete usage:
-dnl # make -C /etc/pki/tls/certs usage
-dnl #
-dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
-dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
-dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
-dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
+dnl # Basic sendmail TLS configuration with self-signed certificate for
+dnl # inbound SMTP (and also opportunistic TLS for outbound SMTP).
+dnl #
+define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
+define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
+define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
+define(`confSERVER_KEY', `/etc/pki/tls/private/sendmail.key')dnl
+define(`confTLS_SRV_OPTIONS', `V')dnl
 dnl #
 dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
 dnl # slapd, which requires the file to be readble by group ldap
diff --git a/sendmail.spec b/sendmail.spec
index 59a1c7f..e8e4ee1 100644
--- a/sendmail.spec
+++ b/sendmail.spec
@@ -10,6 +10,8 @@
 %global smshell /sbin/nologin
 %global spooldir %{_localstatedir}/spool
 %global maildir %{_sysconfdir}/mail
+%global sslcert %{_sysconfdir}/pki/tls/certs/sendmail.pem
+%global sslkey %{_sysconfdir}/pki/tls/private/sendmail.key
 
 # hardened build if not overridden
 %{!?_hardened_build:%global _hardened_build 1}
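Review bot: The new comment block above the `define(` lines no longer tells an administrator where `/etc/pki/tls/certs/sendmail.pem` and `/etc/pki/tls/private/sendmail.key` come from or how to replace them, and the removed `make sendmail.pem` hint was the only such guidance while these settings are now active rather than commented out. Suggest adding `dnl # The self-signed pair is generated once by the package's %post and is never overwritten; replace both files with a CA-issued certificate and key for a verifiable server identity.` The `confTLS_SRV_OPTIONS` `V` line also deserves a comment, e.g. `dnl # V: do not request a client certificate`, because the TRUST_AUTH_MECH line at the top of the hunk lists EXTERNAL, which relies on exactly the client certificate that `V` tells sendmail not to ask for. Since the key now lives under /etc/pki/tls/private, the following comment about a keyfile readable by group ldap may be stale; it continues past this hunk.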
@@ -17,7 +19,7 @@
 Summary: A widely used Mail Transport Agent (MTA)
 Name: sendmail
 Version: 8.15.2
-Release: 28%{?dist}
+Release: 29%{?dist}
 License: Sendmail
 Group: System Environment/Daemons
 URL: http://www.sendmail.org/
@@ -102,7 +104,7 @@ BuildRequires: m4
 BuildRequires: systemd
 BuildRequires: gcc
 Provides: MTA smtpdaemon server(smtp)
-Requires(post): systemd systemd-sysv coreutils %{_sbindir}/alternatives
+Requires(post): systemd systemd-sysv coreutils %{_sbindir}/alternatives %{_bindir}/openssl
 Requires(preun): systemd %{_sbindir}/alternatives
 Requires(postun): systemd coreutils %{_sbindir}/alternatives
 Requires(pre): shadow-utils
@@ -571,6 +573,23 @@ if [ ! -f %{spooldir}/clientmqueue/sm-client.st ]; then
 chmod 0660 %{spooldir}/clientmqueue/sm-client.st
 fi
 
+# Create self-signed SSL certificate
+if [ ! -f %{sslkey} ]; then
+ umask 077
+ %{_bindir}/openssl genrsa 4096 > %{sslkey} 2> /dev/null
+fi
+
+if [ ! -f %{sslcert} ]; then
+ FQDN=`hostname`
+ if [ "x${FQDN}" = "x" ]; then
+ FQDN=localhost.localdomain
+ fi
+
+ %{_bindir}/openssl req -new -key %{sslkey} -x509 -sha256 -days 365 -set_serial $RANDOM -out %{sslcert} \
+ -subj "/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=${FQDN}/emailAddress=root@${FQDN}"
+ chmod 644 %{sslcert}
+fi
+
 exit 0
 
 %preun
@@ -730,6 +749,9 @@ fi
 %endif
 
 %changelog
+* Mon Jul 23 2018 Robert Scheck - 8.15.2-29
+- Add basic sendmail TLS configuration by default (#1607314 #c11)
+
 * Sat Jul 14 2018 Fedora Release Engineering - 8.15.2-28
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
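Review bot: The new `Requires(post)` line pulls in `%{_bindir}/openssl` but not `hostname`, which the %post script in the -571 hunk also calls; on Fedora that binary is, as far as I know, shipped by the separate hostname package rather than by coreutils. If it is missing, the backtick substitution yields an empty string and the script silently falls back to `localhost.localdomain`, so the certificate CN is wrong without any visible error. Extend the same line: `Requires(post): systemd systemd-sysv coreutils %{_sbindir}/alternatives %{_bindir}/openssl %{_bindir}/hostname`.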
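Review bot: The `if [ ! -f %{sslkey} ]` block can leave an empty or truncated key behind permanently: the shell creates `%{sslkey}` for the `>` redirection before `openssl genrsa` runs, stderr is discarded and the exit status is not checked, so after a failed generation the `! -f` guard is satisfied on every later install and sendmail keeps pointing at an unusable key. Generating into a temporary file and moving it into place only on success fixes this, and doing it in a subshell also keeps `umask 077` from leaking into the rest of %post. Two smaller points in the same hunk: `-set_serial $RANDOM` yields a serial in 0..32767 (zero is not a valid serial number, and collisions are likely across reinstalls) whereas omitting the option lets OpenSSL pick a large random serial, and `hostname` without `-f` usually returns the short host name, so the CN may not be an FQDN despite the variable name. Nothing regenerates the certificate after its 365 days or when the host name changes, so the comment should state that the pair is created once and must be renewed or replaced by the administrator.
```rpm-spec
# Create self-signed SSL certificate (generated once; never renewed or
# replaced by the package -- administrators must do that themselves)
if [ ! -f %{sslkey} ]; then
    # generate into a temp file and move it into place only on success, so a
    # failed run cannot leave an empty key that the "! -f" guard then keeps
    ( umask 077
      %{_bindir}/openssl genrsa -out %{sslkey}.tmp 4096 2> /dev/null &&
      mv -f %{sslkey}.tmp %{sslkey} ) || rm -f %{sslkey}.tmp
fi
# … unchanged: FQDN detection …
    %{_bindir}/openssl req -new -key %{sslkey} -x509 -sha256 -days 365 -out %{sslcert} \
        -subj "/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=${FQDN}/emailAddress=root@${FQDN}" &&
    chmod 644 %{sslcert}
```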