pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/mail/qmail Improve TLS setup instructions. Bump PKGREV...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/5e18dcf8f6c4
branches:  trunk
changeset: 444931:5e18dcf8f6c4
user:      schmonz <schmonz%pkgsrc.org@localhost>
date:      Thu Jan 14 15:25:22 2021 +0000

description:
Improve TLS setup instructions. Bump PKGREVISION.

diffstat:

 mail/qmail/Makefile            |   4 ++--
 mail/qmail/files/README.pkgsrc |   4 ++--
 mail/qmail/files/README.tls    |  39 ++++++++++++++++++++++-----------------
 mail/qmail/options.mk          |   4 ++--
 4 files changed, 28 insertions(+), 23 deletions(-)

diffs (113 lines):

diff -r f0cb8109ce83 -r 5e18dcf8f6c4 mail/qmail/Makefile
--- a/mail/qmail/Makefile       Thu Jan 14 15:09:32 2021 +0000
+++ b/mail/qmail/Makefile       Thu Jan 14 15:25:22 2021 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.123 2020/11/19 09:35:42 schmonz Exp $
+# $NetBSD: Makefile,v 1.124 2021/01/14 15:25:22 schmonz Exp $
 #
 
 DISTNAME=              notqmail-1.08
 PKGNAME=               qmail-1.03
-PKGREVISION=           49
+PKGREVISION=           50
 CATEGORIES=            mail
 MASTER_SITES=          ${MASTER_SITE_GITHUB:=notqmail/}
 GITHUB_PROJECT=                notqmail
diff -r f0cb8109ce83 -r 5e18dcf8f6c4 mail/qmail/files/README.pkgsrc
--- a/mail/qmail/files/README.pkgsrc    Thu Jan 14 15:09:32 2021 +0000
+++ b/mail/qmail/files/README.pkgsrc    Thu Jan 14 15:25:22 2021 +0000
@@ -12,7 +12,7 @@
  Getting help
  ============
 
-You've installed an automated and customized qmail package. If
+You've installed an automated and customized notqmail package. If
 you're having trouble with it, ask the package's maintainer:
 
 <URL:mailto:schmonz-pkgsrc-qmail%schmonz.com@localhost>
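Review bot: The new wording "customized notqmail package" in this hunk does not match the name a user will see, since the Makefile hunk above keeps PKGNAME= qmail-1.03 and the help instructions still refer to @PKGNAME@. Consider wording such as "notqmail (packaged as qmail)" so that a reader searching their installed packages for "notqmail" is not misled.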
@@ -29,7 +29,7 @@
 
 * that you installed @PKGNAME@ from pkgsrc,
 * the output of "@PKG_INFO@ -B @PKGNAME@ | @GREP@ ^QMAIL", and
-* how you're running (or trying to run) the qmail daemons.
+* how you're running (or trying to run) the notqmail daemons.
 
 If you can first reproduce your problem on a manual LWQ-style
 installation, your request for help is likely to be better received.
diff -r f0cb8109ce83 -r 5e18dcf8f6c4 mail/qmail/files/README.tls
--- a/mail/qmail/files/README.tls       Thu Jan 14 15:09:32 2021 +0000
+++ b/mail/qmail/files/README.tls       Thu Jan 14 15:25:22 2021 +0000
@@ -1,32 +1,37 @@
  Configuring TLS
  ===============
 
-You've applied a Transport Layer Security patch to your qmail installation.
-It is documented more fully by its author here:
+notqmail does not yet ship with native support for TLS encryption. This
+notqmail package enables outbound TLS via a patch:
 
 <URL:https://schmonz.com/qmail/tlsonlyremote/>
 
+To enable TLS for incoming mail, message submission, and POP3, install
+the qmail-run package. It includes these add-on programs:
 
-For qmail to opportunistically encrypt incoming mail, and to require
-encryption before authentication for submitted messages, first obtain a
-certificate (e.g., from Let's Encrypt), make it available as
-@SERVERCERT@, and apply these permissions:
+<URL:https://schmonz.com/qmail/acceptutils/>
+
+With qmail-run installed, follow these steps:
 
-# chmod 640 @SERVERCERT@
-# chown @QMAIL_DAEMON_USER@:@QMAIL_QMAIL_GROUP@ @SERVERCERT@
+1. Obtain a certificate (e.g., from Let's Encrypt), make it available as
+   @SERVERCERT@, and apply these permissions:
 
-Generate DH params:
+    # chown @QMAIL_DAEMON_USER@:@QMAIL_QMAIL_GROUP@ @SERVERCERT@
+    # chmod 640 @SERVERCERT@
 
-# update_tmprsadh
+2. If your cert's private key is in a separate file, make it available as
+   @SERVERKEY@ (same permissions).
 
-Have cron(8) regularly regenerate them:
+3. Use the same cert for your server's connections to other servers:
 
-    01 01 * * * @PREFIX@/bin/update_tmprsadh > /dev/null 2>&1
+    # ln -s @SERVERCERT@ \
+        @CLIENTCERT@
 
-Then install the qmail-run package and use its qmailsmtpd and
-qmailofmipd rc.d scripts.
+4. Generate initial Diffie-Hellman parameters:
+
+    # @PREFIX@/bin/update_tmprsadh
 
-For qmail to opportunistically encrypt outgoing mail, use the same
-certificate:
+5. Arrange for update_tmprsadh to be run regularly from cron(8),
+   /etc/security.local, or similar.
 
-# ln -s @SERVERCERT@ @CLIENTCERT@
+Then start your TLS-enabled notqmail using qmail-run's rc.d scripts.
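Review bot: Step 2 says the separate private key at @SERVERKEY@ gets "(same permissions)" without repeating the commands, and the key is the file where a wrong owner or mode matters most; spell out the chown @QMAIL_DAEMON_USER@:@QMAIL_QMAIL_GROUP@ and chmod 640 lines for @SERVERKEY@ the way step 1 does for the certificate. Step 3 then links only @SERVERCERT@ to @CLIENTCERT@, so it is worth stating what a reader with a separate key file should do for outbound connections. Step 5 also drops the ready-to-paste crontab line the old text had; keeping one concrete example would make the regular regeneration of the parameters harder to skip.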
diff -r f0cb8109ce83 -r 5e18dcf8f6c4 mail/qmail/options.mk
--- a/mail/qmail/options.mk     Thu Jan 14 15:09:32 2021 +0000
+++ b/mail/qmail/options.mk     Thu Jan 14 15:25:22 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: options.mk,v 1.69 2020/05/23 20:50:02 schmonz Exp $
+# $NetBSD: options.mk,v 1.70 2021/01/14 15:25:22 schmonz Exp $
 
 PKG_OPTIONS_VAR=               PKG_OPTIONS.qmail
 PKG_SUPPORTED_OPTIONS+=                eai inet6 pam syncdir tai-system-clock tls
@@ -98,8 +98,8 @@
 SUBST_SED.tmprsadh+=           -e 's|^openssl |${OPENSSL} |'
 READMES+=                      README.tls
 SUBST_VARS.paths+=             OPENSSL QMAIL_DAEMON_USER QMAIL_QMAIL_GROUP
-SUBST_VARS.paths+=             OPENSSL SERVERCERT CLIENTCERT
 SUBST_SED.paths+=              -e 's|@SERVERCERT@|${PKG_SYSCONFDIR:Q}/control/servercert.pem|g'
+SUBST_SED.paths+=              -e 's|@SERVERKEY@|${PKG_SYSCONFDIR:Q}/control/serverkey.pem|g'
 SUBST_SED.paths+=              -e 's|@CLIENTCERT@|${PKG_SYSCONFDIR:Q}/control/clientcert.pem|g'
 DEPENDS+=                      ucspi-ssl>=0.999.10.11nb2:../../net/ucspi-ssl
 .else
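Review bot: The removed SUBST_VARS.paths+= line (which repeated OPENSSL and listed SERVERCERT and CLIENTCERT) is not mentioned in the commit description. The removal looks consistent, since @SERVERCERT@ and @CLIENTCERT@ are expanded by the SUBST_SED.paths expressions in this same hunk, but a word in the log would help the next reader. The three control/*.pem paths are now spelled out in three separate sed expressions; a short comment noting that README.tls depends on all three would keep the new @SERVERKEY@ entry from being dropped in a later cleanup.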


