author | dinoex <dinoex@FreeBSD.org> | 2002-10-20 22:05:47 +0800 |
---|---|---|
committer | dinoex <dinoex@FreeBSD.org> | 2002-10-20 22:05:47 +0800 |
commit | ba61b4bb696fbfa36466315c62ac886d27083263 (patch) | |
tree | dc8a1256268647c2c356e5a2b4d7c560ba1529bc /mail/sendmail | |
parent | 4112371071d2f833cee34df033f11c67921c4f02 (diff) | |
update tls-install.sh
Reviewed by: gshapiro
Diffstat (limited to 'mail/sendmail')
-rw-r--r-- | mail/sendmail/Makefile | 1 | ||||
-rw-r--r-- | mail/sendmail/files/tls-install.sh | 43 |
2 files changed, 25 insertions, 19 deletions
diff --git a/mail/sendmail/Makefile b/mail/sendmail/Makefile
index 0e67da015f50..5428aa6af268 100644
--- a/mail/sendmail/Makefile
+++ b/mail/sendmail/Makefile
@@ -225,6 +225,7 @@ ${DESTDIR}/etc/mail/submit.cf: ${DESTDIR}/etc/mail/submit.mc
 root-sasldb:
 @${ECHO_CMD} "# Links:"
 @${ECHO_CMD} "#"
+ @${ECHO_CMD} "# http://www.sendmail.org/~gshapiro/
 @${ECHO_CMD} "# http://www.sendmail.org/~ca/email/auth.html"
 @${ECHO_CMD} "# http://www.asp.ogi.edu/people/paja/linux/sendmail/"
 @${ECHO_CMD} "# http://blue-labs.org/clue/sendmail.php"
diff --git a/mail/sendmail/files/tls-install.sh b/mail/sendmail/files/tls-install.sh
index 1157bab95c54..1efa8c570a16 100644
--- a/mail/sendmail/files/tls-install.sh
+++ b/mail/sendmail/files/tls-install.sh
@@ -1,18 +1,18 @@
 #!/bin/sh
 #
-CADIR="${CADIR-${DESTDIR}/etc/mail/certs}"
+CADIR="${CADIR-${DESTDIR}/etc/mail/certs/CA}"
 FILSEDIR="${FILESDIR-/usr/ports/mail/sendmail/files}"
 REALM=`hostname`
 echo "creating: ${CADIR} on ${REALM}"
-for i in certs crl newcerts private
+for i in certs crl newcerts private ../private
 do
 if test ! -d "${CADIR}/${i}"
 then
 mkdir -p "${CADIR}/${i}"
 fi
 done
-chmod 0600 "${CADIR}/private"
+chmod 0700 "${CADIR}/private" "${CADIR}/../private"
 cd "${CADIR}" || exit 65
 if test ! -f openssl.cnf
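Review bot: The added `@${ECHO_CMD} "# http://www.sendmail.org/~gshapiro/` line in the root-sasldb recipe is shown without a closing double quote, unlike the echo lines around it. The shell that make starts for that line would then see an unterminated string and the target would fail at that point. It should read `@${ECHO_CMD} "# http://www.sendmail.org/~gshapiro/"`. The recipe continues outside this hunk, so check the quote against the file itself rather than this rendering.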
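Review bot: The loop creates `private` and `../private` with `mkdir -p` under whatever umask the caller happens to have, and only the later `chmod 0700` tightens them. Until that chmod runs the key directories can be group or world accessible, and any intermediate directory that `mkdir -p` creates keeps the ambient mode. Creating the two private directories with an explicit mode, for example `mkdir -p -m 0700 "${CADIR}/${i}"` for those entries, removes the gap. `CADIR` can also be overridden from the environment, so `${CADIR}/../private` ends up in the parent of whatever path was supplied. A comment such as `# CADIR must be a CA/ subdirectory; the host key and cert are written to its parent` would make that assumption visible.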
@@ -24,47 +24,50 @@ fi
 if test ! -f "serial"
 then
 echo "generating: serial"
+ umask 0022
 echo "01" > "serial"
 fi
 if test ! -f "index.txt"
 then
 echo "generating: index.txt"
+ umask 0022
 cp /dev/null "index.txt"
 fi
 if test ! -f "cacert.pem"
 then
 echo "generating CA"
+ umask 0077
 openssl req -new -x509 -config openssl.cnf \
 -keyout private/cakey.pem \
 -out cacert.pem
- chmod 0600 "private/cakey.pem"
 fi
-if test ! -f "sendmailcert.pem"
+if test ! -f "../sendmailcert.pem"
 then
- if test ! -f "private/sendmailkey.pem"
+ if test ! -f "../private/sendmailkey.pem"
 then
- echo "generating server CERT"
+ echo "creating cert signing request"
 umask 0066
 openssl req -nodes -new -x509 -config openssl.cnf \
- -keyout private/sendmailkey.pem \
- -out private/sendmailkey.pem
+ -keyout ../private/sendmailkey.pem \
+ -out ../private/sendmailkey.pem
 fi
 if test ! -f "newcsr.pem"
 then
- echo "signing CERT1"
+ echo "self signing cert"
+ umask 0066
 openssl x509 -x509toreq \
- -in private/sendmailkey.pem \
- -signkey private/sendmailkey.pem \
+ -in ../private/sendmailkey.pem \
+ -signkey ../private/sendmailkey.pem \
 -out newcsr.pem
 fi
 if test ! -f "sendmailcert.pem"
 then
- echo "signing CERT2"
+ echo "signing cert"
 openssl ca -config openssl.cnf -policy policy_anything \
- -out sendmailcert.pem \
+ -out ../sendmailcert.pem \
 -infiles newcsr.pem
 rm -f newcsr.pem
 fi
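Review bot: The innermost guard still tests `sendmailcert.pem` in the CA directory, although this change moves both the outer check and the `openssl ca -out` target to `../sendmailcert.pem`. The inner test no longer tracks the file the step produces, and a leftover `sendmailcert.pem` inside `${CADIR}` would skip signing and leave `../sendmailcert.pem` uncreated. It should read `if test ! -f "../sendmailcert.pem"`. The status messages also look swapped: the `openssl req ... -x509` step that writes a self-signed certificate is announced as "creating cert signing request", and the `-x509toreq` step as "self signing cert". The outer `if` closes outside this hunk.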
@@ -72,16 +75,18 @@ fi
 sed 's/^X//' << 'END-of-files/tls.m4'
 X# links:
+X# http://www.sendmail.org/~gshapiro/
 X# http://www.sendmail.org/~ca/email/starttls.html
 X# http://www.ofb.net/~jheiss/sendmail/tlsandrelay.shtml
 X#
 X# You may need to add this to your sendmail.mc file:
 X
-Xdefine(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
-Xdefine(`confCACERT_PATH', `CERT_DIR')dnl
-Xdefine(`confCACERT', `CERT_DIR/cacert.pem')dnl
-Xdefine(`confSERVER_CERT', `CERT_DIR/sendmailcert.pem')dnl
-Xdefine(`confSERVER_KEY', `CERT_DIR/private/sendmailkey.pem')dnl
+Xdefine(`confCACERT_PATH', `MAIL_SETTINGS_DIR`'certs')dnl
+Xdefine(`confCACERT', `confCACERT_PATH/CA/cacert.pem')dnl
+Xdefine(`confSERVER_CERT', `confCACERT_PATH/sendmailcert.pem')dnl
+Xdefine(`confSERVER_KEY', `confCACERT_PATH/private/sendmailkey.pem')dnl
+Xdefine(`confCLIENT_CERT', `confCACERT_PATH/sendmailcert.pem')dnl
+Xdefine(`confCLIENT_KEY', `confCACERT_PATH/private/sendmailkey.pem')dnl
 X
 END-of-files/tls.m4
 exit |
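Review bot: The emitted template now points `confCLIENT_CERT` and `confCLIENT_KEY` at the same files as `confSERVER_CERT` and `confSERVER_KEY`, and it splits the layout between `certs/` and `certs/CA/`, but nothing in the generated text explains either choice. A comment line inside the here-document would document it, e.g. `X# CA material is under certs/CA; the host certificate and key (shared by the client and server roles) are under certs/ and certs/private`. An administrator who wants separate client and server identities then knows which two defines to change.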