#!/bin/sh -e
#-----------------------------------------------------------------------------
#
# $Sendmail: update_auth,v 8.12.3 2004-09-13 10:36:48 cowboy Exp $
#
# Sendmail support for SMTP AUTH (SASL)
#
# Copyright (c) 2000-2003 Richard Nelson.  All Rights Reserved.
#
# Notes:
#
#-----------------------------------------------------------------------------
set -e

# Run-state flags: NEW is raised once any SASL file had to be created,
# DEFAULT once the auth-info is found to still hold the shipped placeholders.
NEW=0
DEFAULT=0

# Host identity; short host + domain form the default SASL realm.
HOSTNAME=$(hostname -s)
HOSTFQDN=$(hostname -f)
DOMAINNAME=$(hostname -d)

# Placeholder credentials written to /etc/mail/default-auth-info on first run
# (user id, authentication id, password, realm).
SMUID=sendmail
SMAID=sendmail
SMPWD=sendmailpwd
SMRLM="$HOSTNAME.$DOMAINNAME"

# Locate the SASL installation.  The SASL V2 probe is deliberately disabled by
# the always-false numeric test (527363 -ge 527364) "for the nonce", so only a
# SASL V1 tree under /usr/lib/sasl is ever configured; without one we explain
# how to get it and leave with status 0.
if [ -d /usr/lib/sasl2 ] && [ 527363 -ge 527364 ]; then
	SASLDBLISTUSERS='/usr/sbin/sasldblistusers2'
	SASLPASSWD='/usr/sbin/saslpasswd2'
	SASLLIB='/usr/lib/sasl2'
	SASLSO='2'
	SASLDB='/etc/sasldb2'
	SASL_BIN='sasl2-bin'
	echo " SASL V2 not supported for the nonce, checking for SASL V1"
fi
if [ ! -d /usr/lib/sasl ]; then
	cat <<-EOT

		SASL not installed, not configuring sendmail support.

		To install sasl, get sasl-bin, libsasl-modules-plain,
		libsasl-digestmd5-plain or libsasl-digestmd5-des.

		To enable sendmail SASL support at a later date, invoke "$0"

		EOT
	exit 0
fi
# SASL V1 layout (overrides anything the disabled V2 probe set above).
SASLDBLISTUSERS='/usr/sbin/sasldblistusers'
SASLPASSWD='/usr/sbin/saslpasswd'
SASLLIB='/usr/lib/sasl'
SASLSO='1'
SASLDB='/etc/sasldb'
SASL_BIN='sasl-bin'

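# Check for sasl-bin (wherein resides saslpasswd).  The expansion is quoted
# so that an unset or empty SASLPASSWD counts as "not installed" instead of
# degenerating into a one-argument test that passes.
if [ ! -x "$SASLPASSWD" ]; then
	cat <<-EOT
		${SASL_BIN} not installed, not configuring sendmail support.

		To enable sendmail SASL support at a later date, invoke "$0"

		EOT
	exit 0
fi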
#echo " ";
#echo "Creating/Updating SASL information";

# Migrate the legacy auth-info file name; never clobber an existing
# default-auth-info.
if [ -f /etc/mail/auth-info ] && [ ! -f /etc/mail/default-auth-info ]; then
	mv /etc/mail/auth-info /etc/mail/default-auth-info
fi

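# Create the default SASL auth information: one value per line, in the order
# user id, authentication id, password, realm.  The file carries a credential,
# so it is written under a restrictive umask rather than the caller's default
# (which would typically leave it world-readable until the chown/chmod pass
# later in this script); ownership and the final 0640 mode are applied there.
if [ ! -f /etc/mail/default-auth-info ]; then
	(
	umask 077
	cat <<-EOT > /etc/mail/default-auth-info
	$SMUID
	$SMAID
	$SMPWD
	$SMRLM
	EOT
	)

# Use existing SASL auth information.  Each field is taken from its own line;
# on a short file the missing field is empty instead of silently reusing the
# last available line (which is what head | tail did).
else
	SMUID=$(sed -n '1p' /etc/mail/default-auth-info)
	SMAID=$(sed -n '2p' /etc/mail/default-auth-info)
	SMPWD=$(sed -n '3p' /etc/mail/default-auth-info)
	SMRLM=$(sed -n '4p' /etc/mail/default-auth-info)
fi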

# Detect the shipped placeholder credentials (used later: with DEFAULT=1 the
# SMTP-auth entry is removed from sasldb rather than stored).  The pattern
# has exactly two colons and no wildcards, so a colon inside any value cannot
# produce a false match.
case "$SMUID:$SMAID:$SMPWD" in
	sendmail:sendmail:sendmailpwd) DEFAULT=1 ;;
esac

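# Create any missing SASL configuration files and mechanism library links.
if [ -d "$SASLLIB" ]; then
	# SASL password configuration: seeded from the shipped example on first
	# run, then owned by root and kept unreadable to others.
	if [ ! -f "$SASLLIB/saslpasswd.conf" ]; then
		NEW=1
		cp /usr/share/sendmail/examples/sasl/saslpasswd.conf \
			"$SASLLIB/saslpasswd.conf"
	fi
	chown root:root "$SASLLIB/saslpasswd.conf"
	chmod 0640 "$SASLLIB/saslpasswd.conf"

	# Sendmail's SASL configuration lives in /etc/mail/sasl; the name under the
	# SASL library directory is only a symlink to it.  A stray regular file
	# found there is moved across before the link is made.
	if [ ! -L "$SASLLIB/Sendmail.conf" ]; then
		if [ -f "$SASLLIB/Sendmail.conf" ]; then
			mv "$SASLLIB/Sendmail.conf" /etc/mail/sasl/Sendmail.conf
		fi
		ln -sf /etc/mail/sasl/Sendmail.conf "$SASLLIB/Sendmail.conf"
	fi

	# Make sure each mechanism library has an unversioned name.  Each entry is
	# "<mechanism>:<soname version>"; a link is created only when the versioned
	# name is itself a symlink and no unversioned link exists yet.  Order is
	# significant: the $SASLSO name is tried before the ".0" fallback for
	# digestmd5 and login, exactly as the unrolled version did.
	# If the cd fails the subshell exits non-zero and, with set -e in force,
	# the script stops instead of creating links in the current directory.
	(
	cd "$SASLLIB" || exit 1
	for spec in "anonymous:$SASLSO" "crammd5:$SASLSO" \
		"digestmd5:$SASLSO" digestmd5:0 "gssapiv2:$SASLSO" \
		"login:$SASLSO" login:0 "plain:$SASLSO"; do
		lib="lib${spec%%:*}.so"
		ver=${spec#*:}
		if [ -L "$lib.$ver" ] && [ ! -L "$lib" ]; then
			ln -s "$lib.$ver" "$lib"
		fi
	done
	)
fi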

# Create/update sendmail SASL files: install the shipped example when no
# configuration exists yet, then fix ownership and mode unconditionally.
sm_sasl_conf=/etc/mail/sasl/Sendmail.conf
if [ ! -f "$sm_sasl_conf" ]; then
	NEW=1
	cp /usr/share/sendmail/examples/sasl/Sendmail.conf "$sm_sasl_conf"
fi
chown root:smmsp "$sm_sasl_conf"
chmod 0640 "$sm_sasl_conf"

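# Recommend PAM for sendmail authorization
if ! grep -qEe "^[[:space:]]*pwcheck_method:[[:space:]]*PAM" \
	"$SASLLIB/Sendmail.conf"; then
	cat <<-EOT

	It is *strongly* recommended that you use PAM as the authentication
	method for sendmail via SASL.  Doing so will allow *all* your shell
	users (those with an /etc/passwd entry) to automagically authenticate
	themselves when using a MUA with SASL support turned on.

	Do you wish to use PAM (Y|n)?
	EOT
	# -r keeps backslashes literal.  On EOF (stdin not a terminal, e.g. an
	# unattended run) the answer is left empty so the documented default "Y"
	# applies, instead of the failed read aborting the script under set -e.
	read -r yn || yn=''
	# Strip leading whitespace, spaces and tabs in any mix.
	yn=$(printf '%s' "$yn" | sed -e 's/^[[:space:]]*//')
	[ -n "$yn" ] || yn='Y'
	case "$yn" in
		[Yy]*)
			# Build the new file beside the old one, then move it into place.
			if grep -qEe '^[[:space:]]*pwcheck_method:' \
				/etc/mail/sasl/Sendmail.conf; then
				sed -e \
				's?^[[:space:]]*pwcheck_method:.*$?pwcheck_method: PAM?' \
				/etc/mail/sasl/Sendmail.conf \
				> /etc/mail/sasl/Sendmail.conf.new
			else
				{ cat /etc/mail/sasl/Sendmail.conf; echo 'pwcheck_method: PAM'; } \
					> /etc/mail/sasl/Sendmail.conf.new
			fi
			if [ -f /etc/mail/sasl/Sendmail.conf.new ]; then
				# 0640 matches the mode Sendmail.conf was given earlier in this
				# script; the previous 0644 here made the replacement
				# world-readable after the mv.
				chown root:smmsp /etc/mail/sasl/Sendmail.conf.new
				chmod 0640 /etc/mail/sasl/Sendmail.conf.new
				mv /etc/mail/sasl/Sendmail.conf.new /etc/mail/sasl/Sendmail.conf
			fi
			;;
	esac
fi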

# Make sure default-auth-info is secure: it carries the SMTP auth password,
# so only root and the smmsp group may read it.
authinfo=/etc/mail/default-auth-info
if [ -f "$authinfo" ]; then
	chown root:smmsp "$authinfo"
	chmod 0640 "$authinfo"
fi

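# Create skeleton file, the saslpasswd command will get a failure ;-{
# The password is fed on stdin -- via printf, so a leading "-" or a backslash
# in it is passed through intact -- and never appears in argv or ps output.
if [ ! -f "$SASLDB" ]; then
	NEW=1
	if [ -x "$SASLPASSWD" ]; then
		# Kept from the original; presumably nudges the db into existence --
		# confirm against the sasl-bin version in use.
		"$SASLDBLISTUSERS" 1>/dev/null 2>&1 || true
		printf '%s\n' "$SMPWD" | "$SASLPASSWD" -p -c -u "$SMRLM" "$SMAID" \
			1>/dev/null 2>&1 || true
		chown root:smmsp "$SASLDB"
		chmod 0660 "$SASLDB"
	else
		echo "*** You do not have the sasl-bin package installed!"
		echo "*** Please install it and rerun $0"
		echo "*** Sendmail can't use SASL until this is done..."
	fi
fi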

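# Set SMTP auth password.  When the placeholder credentials are still in place
# (DEFAULT=1) the entry is deleted instead, so the well-known default password
# never stays in sasldb.  The password goes over stdin via printf (echo would
# mangle a leading "-" or backslashes); realm and auth id are quoted so that
# whitespace in them cannot split into extra arguments.
if [ -x "$SASLPASSWD" ]; then
	if [ "$DEFAULT" = 0 ]; then
		printf '%s\n' "$SMPWD" | "$SASLPASSWD" -p -c -u "$SMRLM" "$SMAID" || true
	else
		"$SASLPASSWD" -d -u "$SMRLM" "$SMAID" 1>/dev/null 2>&1 || true
	fi
fi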

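# For sendmail, /etc/sasldb must be 0600 or (0640/0660 w/dontblamesendmail)
if [ -f "$SASLDB" ]; then
	# Re-home the db from gid 0 or gid 8 (presumably the distribution's
	# "mail" group -- confirm) to root:smmsp, give the group read/write,
	# then drop group execute and all access for others.  Paths are passed
	# NUL-delimited so an unusual SASLDB value cannot be split by xargs.
	find "$SASLDB" -gid 0 -print0 | xargs -0 -r chown root:smmsp
	find "$SASLDB" -gid 8 -print0 | xargs -0 -r chown root:smmsp
	find "$SASLDB" -group smmsp -print0 | xargs -0 -r chmod g+rw
	chmod g-x,o-rwx "$SASLDB"
fi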

# Tell them about the new wizbang features...  Shown only on a run that had
# to create at least one SASL file (NEW was raised above).
if test "$NEW" -eq 1; then
	cat <<-EOT

	SASL is now minimally setup, there are a few ways to handle users:
	   *) Allow only shell users (default)
		  You're all set, nothing else to do !
	   *) Allow users other than shell
		  Add users via /usr/sbin/saslpasswd and make sure that the
		  realm you used matches what your users specify in their
		  netscape/outlook/mutt/etc profiles.

	If you need to authorize sendmail as a sender, also update
	/etc/mail/default-auth-info and rerun $0.

	EOT
fi
