Add basic sendmail TLS configuration by default (#1607314 #c11)

2018-07-23 23:32:56 +02:00 · 2018-07-23 23:32:56 +02:00 · ebce447fcd
parent 9a6798d79e
commit ebce447fcd
2 changed files with 31 additions and 10 deletions
--- a/sendmail-redhat.mc
+++ b/sendmail-redhat.mc
@ -56,15 +56,14 @@ dnl #
 dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
 dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
 dnl #
-dnl # Rudimentary information on creating certificates for sendmail TLS:
-dnl #     cd /etc/pki/tls/certs; make sendmail.pem
-dnl # Complete usage:
-dnl #     make -C /etc/pki/tls/certs usage
+dnl # Basic sendmail TLS configuration with self-signed certificate for
+dnl # inbound SMTP (and also opportunistic TLS for outbound SMTP).
 dnl #
-dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
-dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
-dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
-dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
+define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
+define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
+define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
+define(`confSERVER_KEY', `/etc/pki/tls/private/sendmail.key')dnl
+define(`confTLS_SRV_OPTIONS', `V')dnl
 dnl #
 dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
 dnl # slapd, which requires the file to be readble by group ldap
--- a/sendmail.spec
+++ b/sendmail.spec
@ -10,6 +10,8 @@
 %global smshell /sbin/nologin
 %global spooldir %{_localstatedir}/spool
 %global maildir %{_sysconfdir}/mail
+%global sslcert %{_sysconfdir}/pki/tls/certs/sendmail.pem
+%global sslkey %{_sysconfdir}/pki/tls/private/sendmail.key

 # hardened build if not overridden
 %{!?_hardened_build:%global _hardened_build 1}
@ -17,7 +19,7 @@
 Summary: A widely used Mail Transport Agent (MTA)
 Name: sendmail
 Version: 8.15.2
-Release: 28%{?dist}
+Release: 29%{?dist}
 License: Sendmail
 Group: System Environment/Daemons
 URL: http://www.sendmail.org/
@ -102,7 +104,7 @@ BuildRequires: m4
 BuildRequires: systemd
 BuildRequires: gcc
 Provides: MTA smtpdaemon server(smtp)
-Requires(post): systemd systemd-sysv coreutils %{_sbindir}/alternatives
+Requires(post): systemd systemd-sysv coreutils %{_sbindir}/alternatives %{_bindir}/openssl
 Requires(preun): systemd %{_sbindir}/alternatives
 Requires(postun): systemd coreutils %{_sbindir}/alternatives
 Requires(pre): shadow-utils
@ -571,6 +573,23 @@ if [ ! -f %{spooldir}/clientmqueue/sm-client.st ]; then
 	chmod 0660 %{spooldir}/clientmqueue/sm-client.st
 fi

+# Create self-signed SSL certificate
+if [ ! -f %{sslkey} ]; then
+  umask 077
+  %{_bindir}/openssl genrsa 4096 > %{sslkey} 2> /dev/null
+fi
+
+if [ ! -f %{sslcert} ]; then
+  FQDN=`hostname`
+  if [ "x${FQDN}" = "x" ]; then
+    FQDN=localhost.localdomain
+  fi
+
+  %{_bindir}/openssl req -new -key %{sslkey} -x509 -sha256 -days 365 -set_serial $RANDOM -out %{sslcert} \
+    -subj "/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=${FQDN}/emailAddress=root@${FQDN}"
+  chmod 644 %{sslcert}
+fi
+
 exit 0

 %preun
@ -730,6 +749,9 @@ fi
 %endif

 %changelog
+* Mon Jul 23 2018 Robert Scheck <robert@fedoraproject.org> - 8.15.2-29
+- Add basic sendmail TLS configuration by default (#1607314 #c11)
+
 * Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 8.15.2-28
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild