[pkgsrc/trunk]: pkgsrc/mail/qmail-run Bump acceptutils dependency to get STAR...

[schmonz <schmonz%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/b88dd6688aa2
branches:  trunk
changeset: 314785:b88dd6688aa2
user:      schmonz <schmonz%pkgsrc.org@localhost>
date:      Thu Nov 08 20:57:28 2018 +0000

description:
Bump acceptutils dependency to get STARTTLS support in fixsmtpio(8)
(obviating the need for qmail-smtpd(8) to be patched to link OpenSSL).

Make TLS configurable for submission, POP3, and now also incoming SMTP:

- "yes"  (startup will fail if cert or DH params are missing)
- "no"   (even if they're present, don't offer TLS)
- "auto" (the default: offer TLS iff they're present)

Mention TLS setup in MESSAGE.

Delay SMTP greeting by 2 seconds. Enable zen.spamhaus.org RBL.

Bump version.

diffstat:

 mail/qmail-run/MESSAGE              |   7 ++++-
 mail/qmail-run/Makefile             |   7 +++--
 mail/qmail-run/files/fixsmtpio      |   6 +----
 mail/qmail-run/files/qmailofmipd.sh |  35 ++++++++++++++++++++++++----
 mail/qmail-run/files/qmailpop3d.sh  |  35 ++++++++++++++++++++++++----
 mail/qmail-run/files/qmailsmtpd.sh  |  46 +++++++++++++++++++++++++++++-------
 mail/qmail-run/files/tcp.ofmip      |   2 +-
 mail/qmail-run/files/tcp.smtp       |   2 +-
 8 files changed, 109 insertions(+), 31 deletions(-)

diffs (truncated from 321 to 300 lines):

diff -r 2a42aa9f6d13 -r b88dd6688aa2 mail/qmail-run/MESSAGE
--- a/mail/qmail-run/MESSAGE    Thu Nov 08 20:55:01 2018 +0000
+++ b/mail/qmail-run/MESSAGE    Thu Nov 08 20:57:28 2018 +0000
@@ -1,5 +1,5 @@
 ===========================================================================
-$NetBSD: MESSAGE,v 1.11 2018/10/28 15:01:57 schmonz Exp $
+$NetBSD: MESSAGE,v 1.12 2018/11/08 20:57:28 schmonz Exp $
 
 Please read ${PREFIX}/share/doc/qmail-run/README.pkgsrc.
 
@@ -19,7 +19,7 @@
 - Optionally list qmail-rcptcheck programs in control/rcptchecks.
 - Optionally list qmail-qfilter programs in control/smtpfilters.
 
-Outgoing submissions with SMTP AUTH over TLS:
+Outgoing authentication-only submission:
 - Set qmailofmipd=YES in /etc/rc.conf.
 - Optionally list qmail-qfilter programs in control/ofmipfilters.
 
@@ -29,4 +29,7 @@
 Fetching Maildirs via POP3:
 - Set qmailpop3d=YES in /etc/rc.conf.
 
+TLS for incoming and outgoing SMTP, submission, and POP3:
+- Create cert and DH params as instructed by the qmail package.
+
 ===========================================================================
diff -r 2a42aa9f6d13 -r b88dd6688aa2 mail/qmail-run/Makefile
--- a/mail/qmail-run/Makefile   Thu Nov 08 20:55:01 2018 +0000
+++ b/mail/qmail-run/Makefile   Thu Nov 08 20:57:28 2018 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.54 2018/11/03 17:08:26 schmonz Exp $
+# $NetBSD: Makefile,v 1.55 2018/11/08 20:57:28 schmonz Exp $
 #
 
-DISTNAME=              qmail-run-20181103
+DISTNAME=              qmail-run-20181108
 CATEGORIES=            mail
 MASTER_SITES=          # empty
 DISTFILES=             # empty
@@ -10,10 +10,11 @@
 COMMENT=               Configures qmail to receive and deliver mail
 LICENSE=               2-clause-bsd
 
+DEPENDS+=              greetdelay-[0-9]*:../../mail/greetdelay
 DEPENDS+=              pkg_alternatives-[0-9]*:../../pkgtools/pkg_alternatives
 DEPENDS_QMAIL=         qmail>=1.03nb36:../../mail/qmail
 DEPENDS+=              ${DEPENDS_QMAIL}
-DEPENDS+=              qmail-acceptutils>=20181027:../../mail/qmail-acceptutils
+DEPENDS+=              qmail-acceptutils>=20181108:../../mail/qmail-acceptutils
 DEPENDS+=              qmail-qfilter>1.5nb1:../../mail/qmail-qfilter
 DEPENDS+=              qmail-rejectutils-[0-9]*:../../mail/qmail-rejectutils
 
diff -r 2a42aa9f6d13 -r b88dd6688aa2 mail/qmail-run/files/fixsmtpio
--- a/mail/qmail-run/files/fixsmtpio    Thu Nov 08 20:55:01 2018 +0000
+++ b/mail/qmail-run/files/fixsmtpio    Thu Nov 08 20:57:28 2018 +0000
@@ -30,10 +30,6 @@
 # If server times out, hide message, and tell authup to stop trying
 AUTHUP_USER:timeout::*:16:
 
-# Don't permit server to advertise further AUTH or STARTTLS
+# Don't permit server to advertise or respond to further AUTH
 AUTHUP_USER:ehlo::250?AUTH*::
-AUTHUP_USER:ehlo::250?STARTTLS::
-
-# Don't permit client to initiate further AUTH or STARTTLS
 AUTHUP_USER:auth:NOOP :*::502 unimplemented (#5.5.1)
-AUTHUP_USER:starttls:NOOP :*::502 unimplemented (#5.5.1)
diff -r 2a42aa9f6d13 -r b88dd6688aa2 mail/qmail-run/files/qmailofmipd.sh
--- a/mail/qmail-run/files/qmailofmipd.sh       Thu Nov 08 20:55:01 2018 +0000
+++ b/mail/qmail-run/files/qmailofmipd.sh       Thu Nov 08 20:57:28 2018 +0000
@@ -1,6 +1,6 @@
 #!@RCD_SCRIPTS_SHELL@
 #
-# $NetBSD: qmailofmipd.sh,v 1.14 2018/11/03 17:08:26 schmonz Exp $
+# $NetBSD: qmailofmipd.sh,v 1.15 2018/11/08 20:57:28 schmonz Exp $
 #
 # @PKGNAME@ script to control ofmipd (SMTP submission service).
 #
@@ -11,7 +11,7 @@
 name="qmailofmipd"
 
 # User-settable rc.conf variables and their default values:
-: ${qmailofmipd_postenv:="SSL_UID=$(@ID@ -u @UCSPI_SSL_USER@) SSL_GID=$(@ID@ -g @UCSPI_SSL_GROUP@) DHFILE=@PKG_SYSCONFDIR@/control/dh2048.pem CERTFILE=@PKG_SYSCONFDIR@/control/servercert.pem"}
+: ${qmailofmipd_postenv:="SSL_UID=$(@ID@ -u @UCSPI_SSL_USER@) SSL_GID=$(@ID@ -g @UCSPI_SSL_GROUP@)"}
 : ${qmailofmipd_tcpflags:="-ne -vRl0"}
 : ${qmailofmipd_tcphost:="0.0.0.0"}
 : ${qmailofmipd_tcpport:="587"}
@@ -25,15 +25,16 @@
 : ${qmailofmipd_log:="YES"}
 : ${qmailofmipd_logcmd:="logger -t nbqmail/ofmipd -p mail.info"}
 : ${qmailofmipd_nologcmd:="@PREFIX@/bin/multilog -*"}
+: ${qmailofmipd_tls:="auto"}
+: ${qmailofmipd_tls_dhparams:="@PKG_SYSCONFDIR@/control/dh2048.pem"}
+: ${qmailofmipd_tls_cert:="@PKG_SYSCONFDIR@/control/servercert.pem"}
 
 if [ -f /etc/rc.subr ]; then
        . /etc/rc.subr
 fi
 
 rcvar=${name}
-required_files="@PKG_SYSCONFDIR@/control/dh2048.pem"
-required_files="${required_files} @PKG_SYSCONFDIR@/control/servercert.pem"
-required_files="${required_files} @PKG_SYSCONFDIR@/control/me"
+required_files="@PKG_SYSCONFDIR@/control/me"
 required_files="${required_files} @PKG_SYSCONFDIR@/control/concurrencysubmission"
 required_files="${required_files} @PKG_SYSCONFDIR@/control/rcpthosts"
 required_files="${required_files} @PKG_SYSCONFDIR@/control/smtpcapabilities"
@@ -49,11 +50,35 @@
 cdb_cmd="qmailofmipd_cdb"
 reload_cmd=${cdb_cmd}
 
+qmailofmipd_configure_tls() {
+       if [ "auto" = "${qmailofmipd_tls}" ]; then
+               if [ -f "${qmailofmipd_tls_dhparams}" ] && [ -f "${qmailofmipd_tls_cert}" ]; then
+                       qmailofmipd_enable_tls
+               else
+                       qmailofmipd_disable_tls
+               fi
+       elif [ -f /etc/rc.subr ] && checkyesno qmailofmipd_tls; then
+               qmailofmipd_enable_tls
+       else
+               qmailofmipd_disable_tls
+       fi
+}
+
+qmailofmipd_disable_tls() {
+       qmailofmipd_postenv="${qmailofmipd_postenv} DISABLETLS=1"
+}
+
+qmailofmipd_enable_tls() {
+       qmailofmipd_postenv="${qmailofmipd_postenv} DHFILE=${qmailofmipd_tls_dhparams}"
+       qmailofmipd_postenv="${qmailofmipd_postenv} CERTFILE=${qmailofmipd_tls_cert}"
+}
+
 qmailofmipd_precmd()
 {
        if [ -f /etc/rc.subr ] && ! checkyesno qmailofmipd_log; then
                qmailofmipd_logcmd=${qmailofmipd_nologcmd}
        fi
+       qmailofmipd_configure_tls
        # tcpserver(1) is akin to inetd(8), but runs one service per process.
        # We want to signal only the tcpserver process responsible for this
        # service. Use argv0(1) to set procname to "nbqmailofmipd".
diff -r 2a42aa9f6d13 -r b88dd6688aa2 mail/qmail-run/files/qmailpop3d.sh
--- a/mail/qmail-run/files/qmailpop3d.sh        Thu Nov 08 20:55:01 2018 +0000
+++ b/mail/qmail-run/files/qmailpop3d.sh        Thu Nov 08 20:57:28 2018 +0000
@@ -1,6 +1,6 @@
 #!@RCD_SCRIPTS_SHELL@
 #
-# $NetBSD: qmailpop3d.sh,v 1.23 2018/11/03 17:08:26 schmonz Exp $
+# $NetBSD: qmailpop3d.sh,v 1.24 2018/11/08 20:57:28 schmonz Exp $
 #
 # @PKGNAME@ script to control qmail-pop3d (POP3 server for Maildirs).
 #
@@ -10,7 +10,7 @@
 name="qmailpop3d"
 
 # User-settable rc.conf variables and their default values:
-: ${qmailpop3d_postenv:="SSL_UID=$(@ID@ -u @UCSPI_SSL_USER@) SSL_GID=$(@ID@ -g @UCSPI_SSL_GROUP@) DHFILE=@PKG_SYSCONFDIR@/control/dh2048.pem CERTFILE=@PKG_SYSCONFDIR@/control/servercert.pem"}
+: ${qmailpop3d_postenv:="SSL_UID=$(@ID@ -u @UCSPI_SSL_USER@) SSL_GID=$(@ID@ -g @UCSPI_SSL_GROUP@)"}
 : ${qmailpop3d_tcpflags:="-ne -vRl0"}
 : ${qmailpop3d_tcphost:="0.0.0.0"}
 : ${qmailpop3d_tcpport:="110"}
@@ -24,15 +24,16 @@
 : ${qmailpop3d_log:="YES"}
 : ${qmailpop3d_logcmd:="logger -t nbqmail/pop3d -p mail.info"}
 : ${qmailpop3d_nologcmd:="@PREFIX@/bin/multilog -*"}
+: ${qmailpop3d_tls:="auto"}
+: ${qmailpop3pd_tls_dhparams:="@PKG_SYSCONFDIR@/control/dh2048.pem"}
+: ${qmailpop3pd_tls_cert:="@PKG_SYSCONFDIR@/control/servercert.pem"}
 
 if [ -f /etc/rc.subr ]; then
        . /etc/rc.subr
 fi
 
 rcvar=${name}
-required_files="@PKG_SYSCONFDIR@/control/dh2048.pem"
-required_files="${required_files} @PKG_SYSCONFDIR@/control/servercert.pem"
-required_files="${required_files} @PKG_SYSCONFDIR@/control/me"
+required_files="@PKG_SYSCONFDIR@/control/me"
 required_files="${required_files} @PKG_SYSCONFDIR@/control/concurrencypop3"
 required_files="${required_files} @PKG_SYSCONFDIR@/control/pop3capabilities"
 required_files="${required_files} @PKG_SYSCONFDIR@/tcp.pop3.cdb"
@@ -46,11 +47,35 @@
 cdb_cmd="qmailpop3d_cdb"
 reload_cmd=${cdb_cmd}
 
+qmailpop3d_configure_tls() {
+       if [ "auto" = "${qmailpop3d_tls}" ]; then
+               if [ -f "${qmailpop3d_tls_dhparams}" ] && [ -f "${qmailpop3d_tls_cert}" ]; then
+                       qmailpop3d_enable_tls
+               else
+                       qmailpop3d_disable_tls
+               fi
+       elif [ -f /etc/rc.subr ] && checkyesno qmailpop3d_tls; then
+               qmailpop3d_enable_tls
+       else
+               qmailpop3d_disable_tls
+       fi
+}
+
+qmailpop3d_disable_tls() {
+       qmailpop3d_postenv="${qmailpop3d_postenv} DISABLETLS=1"
+}
+
+qmailpop3d_enable_tls() {
+       qmailpop3d_postenv="${qmailpop3d_postenv} DHFILE=${qmailpop3d_tls_dhparams}"
+       qmailpop3d_postenv="${qmailpop3d_postenv} CERTFILE=${qmailpop3d_tls_cert}"
+}
+
 qmailpop3d_precmd()
 {
        if [ -f /etc/rc.subr ] && ! checkyesno qmailpop3d_log; then
                qmailpop3d_logcmd=${qmailpop3d_nologcmd}
        fi
+       qmailpop3d_configure_tls
        # tcpserver(1) is akin to inetd(8), but runs one service per process.
        # We want to signal only the tcpserver process responsible for this
        # service. Use argv0(1) to set procname to "nbqmailpop3d".
diff -r 2a42aa9f6d13 -r b88dd6688aa2 mail/qmail-run/files/qmailsmtpd.sh
--- a/mail/qmail-run/files/qmailsmtpd.sh        Thu Nov 08 20:55:01 2018 +0000
+++ b/mail/qmail-run/files/qmailsmtpd.sh        Thu Nov 08 20:57:28 2018 +0000
@@ -1,6 +1,6 @@
 #!@RCD_SCRIPTS_SHELL@
 #
-# $NetBSD: qmailsmtpd.sh,v 1.19 2018/11/03 17:08:26 schmonz Exp $
+# $NetBSD: qmailsmtpd.sh,v 1.20 2018/11/08 20:57:28 schmonz Exp $
 #
 # @PKGNAME@ script to control qmail-smtpd (SMTP service).
 #
@@ -11,28 +11,32 @@
 name="qmailsmtpd"
 
 # User-settable rc.conf variables and their default values:
-: ${qmailsmtpd_postenv:=""}
-: ${qmailsmtpd_tcpflags:="-vRl0"}
-: ${qmailsmtpd_tcphost:="0"}
+: ${qmailsmtpd_postenv:="SSL_UID=$(@ID@ -u @UCSPI_SSL_USER@) SSL_GID=$(@ID@ -g @UCSPI_SSL_GROUP@)"}
+: ${qmailsmtpd_tcpflags:="-ne -vRl0"}
+: ${qmailsmtpd_tcphost:="0.0.0.0"}
 : ${qmailsmtpd_tcpport:="25"}
-: ${qmailsmtpd_datalimit:="180000000"}
+: ${qmailsmtpd_datalimit:="360000000"}
 : ${qmailsmtpd_pretcpserver:=""}
-: ${qmailsmtpd_tcpserver:="@PREFIX@/bin/tcpserver"}
-: ${qmailsmtpd_presmtpd:=""}
+: ${qmailsmtpd_tcpserver:="@PREFIX@/bin/sslserver"}
+: ${qmailsmtpd_presmtpd:="@PREFIX@/bin/greetdelay @PREFIX@/bin/rblsmtpd -r zen.spamhaus.org @PREFIX@/bin/fixsmtpio"}
 : ${qmailsmtpd_smtpdcmd:="@PREFIX@/bin/qmail-smtpd"}
 : ${qmailsmtpd_postsmtpd:=""}
 : ${qmailsmtpd_log:="YES"}
 : ${qmailsmtpd_logcmd:="logger -t nbqmail/smtpd -p mail.info"}
 : ${qmailsmtpd_nologcmd:="@PREFIX@/bin/multilog -*"}
+: ${qmailsmtpd_tls:="auto"}
+: ${qmailsmtpd_tls_dhparams:="@PKG_SYSCONFDIR@/control/dh2048.pem"}
+: ${qmailsmtpd_tls_cert:="@PKG_SYSCONFDIR@/control/servercert.pem"}
 
 if [ -f /etc/rc.subr ]; then
        . /etc/rc.subr
 fi
 
 rcvar=${name}
-required_files="@PKG_SYSCONFDIR@/control/concurrencyincoming"
+required_files="@PKG_SYSCONFDIR@/control/me"
+required_files="${required_files} @PKG_SYSCONFDIR@/control/concurrencyincoming"
+required_files="${required_files} @PKG_SYSCONFDIR@/control/rcpthosts"
 required_files="${required_files} @PKG_SYSCONFDIR@/tcp.smtp.cdb"
-required_files="${required_files} @PKG_SYSCONFDIR@/control/rcpthosts"
 command="${qmailsmtpd_tcpserver}"
 procname=nb${name}
 start_precmd="qmailsmtpd_precmd"
@@ -43,11 +47,35 @@
 cdb_cmd="qmailsmtpd_cdb"
 reload_cmd=${cdb_cmd}
 
+qmailsmtpd_configure_tls() {
+       if [ "auto" = "${qmailsmtpd_tls}" ]; then
+               if [ -f "${qmailsmtpd_tls_dhparams}" ] && [ -f "${qmailsmtpd_tls_cert}" ]; then
+                       qmailsmtpd_enable_tls
+               else
+                       qmailsmtpd_disable_tls
+               fi
+       elif [ -f /etc/rc.subr ] && checkyesno qmailsmtpd_tls; then
+               qmailsmtpd_enable_tls
+       else
+               qmailsmtpd_disable_tls
+       fi
+}
+
+qmailsmtpd_disable_tls() {
+       qmailsmtpd_postenv="${qmailsmtpd_postenv} DISABLETLS=1"
+}
+
+qmailsmtpd_enable_tls() {
+       qmailsmtpd_postenv="${qmailsmtpd_postenv} DHFILE=${qmailsmtpd_tls_dhparams}"
+       qmailsmtpd_postenv="${qmailsmtpd_postenv} CERTFILE=${qmailsmtpd_tls_cert}"
+}
+
 qmailsmtpd_precmd()