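##VERSION: $Id: pop3d-ssl.dist.in,v 1.23 2009/08/12 22:25:49 mrsam Exp $
#
# pop3d-ssl created from pop3d-ssl.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
#  Copyright 2000-2008 Double Precision, Inc.  See COPYING for
#  distribution information.
#
#  This configuration file sets various options for the Courier-IMAP server
#  when used to handle SSL POP3 connections.
#
#  SSL and non-SSL connections are handled by a dedicated instance of the
#  couriertcpd daemon.  If you are accepting both SSL and non-SSL POP3
#  connections, you will start two instances of couriertcpd, one on the
#  POP3 port 110, and another one on the POP3-SSL port 995.
#
#  Download OpenSSL from http://www.openssl.org/
#
##NAME: SSLPORT:0
#
#  Options in the pop3d-ssl configuration file AUGMENT the options in the
#  pop3d configuration file.  First the pop3d configuration file is read,
#  then the pop3d-ssl configuration file, so we do not have to redefine
#  anything.
#
#  However, some things do have to be redefined.  The port number is
#  specified by SSLPORT, instead of PORT.  The default port is port 995.
#
#  Multiple port numbers can be separated by commas.  When multiple port
#  numbers are used it is possible to select a specific IP address for a
#  given port as "ip.port".  For example, "127.0.0.1.900,192.168.0.1.900"
#  accepts connections on port 900 on IP addresses 127.0.0.1 and 192.168.0.1
#  The SSLADDRESS setting is a default for ports that do not have
#  a specified IP address.

SSLPORT=995

##NAME: SSLADDRESS:0
#
#  Address to listen on, can be set to a single IP address.
#
#  NOTE(review): the shipped value 0 presumably means "listen on every
#  address"; bind to one address (as in the commented example) when the
#  host has interfaces that should not accept POP3-SSL connections.
#
# SSLADDRESS=127.0.0.1

SSLADDRESS=0

##NAME: SSLPIDFILE:0
#
# Pid file written by the POP3-SSL couriertcpd instance.

SSLPIDFILE=/var/run/courier/pop3d-ssl.pid

##NAME: SSLLOGGEROPTS:0
#
# courierlogger(1) options.
#

SSLLOGGEROPTS="-name=pop3d-ssl"

##NAME: POP3DSSLSTART:0
#
#  Whether or not to start POP3 over SSL on spop3 port:

POP3DSSLSTART=YES

##NAME: POP3_STARTTLS:0
#
# Whether or not to implement the POP3 STLS extension:

POP3_STARTTLS=YES

##NAME: POP3_TLS_REQUIRED:1
#
# Set POP3_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone.
# (this option advertises the LOGINDISABLED POP3 capability, until STARTTLS
# is issued).
#
# NOTE(review): with the value 0, a client may authenticate before issuing
# STLS (presumably on the non-SSL instance, port 110), so credentials can
# cross the network unencrypted.  1 is the conservative setting once all
# clients support STLS.

POP3_TLS_REQUIRED=0

##NAME: COURIERTLS:0
#
# The following variables configure POP3 over SSL.  If OpenSSL or GnuTLS
# is available during configuration, the couriertls helper gets compiled, and
# upon installation a dummy TLS_CERTFILE gets generated.
#
# WARNING: Peer certificate verification has NOT yet been tested.  Proceed
# at your own risk.  Only the basic SSL/TLS functionality is known to be
# working. Keep this in mind as you play with the following variables.
#
# NOTE(review): the dummy TLS_CERTFILE generated at install time is a
# placeholder only; replace it with a certificate issued for the server's
# name before exposing the service to real clients.

COURIERTLS=/usr/bin/couriertls

##NAME: TLS_PROTOCOL:0
#
# TLS_PROTOCOL sets the protocol version.  The possible versions are:
#
# OpenSSL:
#
# SSL2 - SSLv2
# SSL3 - SSLv3
# SSL23 - either SSLv2 or SSLv3 (also TLS1, it seems)
# TLS1 - TLS1
#
# Note that this setting, with OpenSSL, is modified by the TLS_CIPHER_LIST
# setting, below.
#
# GnuTLS:
#
# SSL3   - SSLv3
# TLS1   - TLS 1.0
# TLS1_1 - TLS 1.1
#
# When compiled against GnuTLS, multiple protocols can be selected as follows:
#
# TLS_PROTOCOL="TLS1_1:TLS1:SSL3"
#
# DEFAULT VALUES:
#
# SSL23 (OpenSSL), or "TLS_1:TLS1:SSL3" (GnuTLS)
#
# NOTE(review): both defaults still admit SSLv2/SSLv3, which are obsolete
# protocol versions with known weaknesses.  Set TLS_PROTOCOL explicitly to
# the newest TLS version the installed library accepts (TLS1_1 is the newest
# value listed above for GnuTLS), and keep "!SSLv2" in TLS_CIPHER_LIST,
# since under OpenSSL the cipher list further restricts what this setting
# allows.

##NAME: TLS_STARTTLS_PROTOCOL:0
#
# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the POP3 STARTTLS
# extension, as opposed to POP3 over SSL on port 995.
#
# It takes the same values for OpenSSL/GnuTLS as TLS_PROTOCOL
#
# NOTE(review): the shipped value pins the STLS path to TLS 1.0; apply the
# same "newest version the library accepts" choice here as for TLS_PROTOCOL.

TLS_STARTTLS_PROTOCOL=TLS1

##NAME: TLS_CIPHER_LIST:0
#
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
# OpenSSL library.  In most situations you can leave TLS_CIPHER_LIST
# undefined
#
# OpenSSL:
#
# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
#
# To enable SSL2, remove the obvious "!SSLv2" part from the above list.
#
# NOTE(review): doing so re-enables SSLv2 (see TLS_PROTOCOL).  The "!EXP",
# "!LOW", "!NULL" and "!aNULL" exclusions in the example are what keep
# export-grade, weak, unencrypted and unauthenticated suites out of the
# negotiation; retain them in any customised list.
#
# GnuTLS:
#
# TLS_CIPHER_LIST="HIGH:MEDIUM"
#
# The actual list of available ciphers depends on the options GnuTLS was
# compiled against. The possible ciphers are:
#
# AES256, 3DES, AES128, ARC128, ARC40, RC2, DES, NULL
#
# Also, the following aliases:
#
# HIGH -- all ciphers that use more than a 128 bit key size
# MEDIUM -- all ciphers that use a 128 bit key size
# LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher
#        is not included
# ALL -- all ciphers except the NULL cipher


##NAME: TLS_MIN_DH_BITS:0
#
# TLS_MIN_DH_BITS=n
#
# GnuTLS only:
#
# Set the minimum number of acceptable bits for a DH key exchange.
#
# GnuTLS's compiled-in default is 727 bits (as of GnuTLS 1.6.3). Some servers
# have been encountered that offer 512 bit keys. You may have to set
# TLS_MIN_DH_BITS=512 here, if necessary.
#
# NOTE(review): lowering the floor to 512 accepts DH groups that are weak by
# current standards; prefer getting the peer fixed over lowering this value.

##NAME: TLS_KX_LIST:0
#
# GnuTLS only:
#
# Allowed key exchange protocols. The default of "ALL" should be sufficient.
# The list of supported key exchange protocols depends on the options GnuTLS
# was compiled against, but may include the following:
#
# DHERSA, DHEDSS, RSA, SRP, SRPRSA, SRPDSS, PSK, DHEPSK, ANONDH, RSAEXPORT
#
# NOTE(review): "ALL" includes ANONDH and RSAEXPORT, i.e. unauthenticated and
# export-grade exchanges; list the authenticated methods you need instead if
# the installed GnuTLS offers those.

TLS_KX_LIST=ALL

##NAME: TLS_COMPRESSION:0
#
# GnuTLS only:
#
# Optional compression. "ALL" selects all available compression methods.
#
# Available compression methods: DEFLATE, LZO, NULL
#
# NOTE(review): TLS-level compression can leak information about the
# plaintext to an observer who sees record sizes and can influence part of
# the content; NULL is the conservative choice unless compression is needed.

TLS_COMPRESSION=ALL

##NAME: TLS_CERTS:0
#
# GnuTLS only:
#
# Supported certificate types are X509 and OPENPGP.
#
# OPENPGP has not been tested

TLS_CERTS=X509

##NAME: TLS_TIMEOUT:0
# TLS_TIMEOUT is currently not implemented, and reserved for future use.
# This is supposed to be an inactivity timeout, but it's not yet implemented.
#

##NAME: TLS_DHCERTFILE:0
#
# TLS_DHCERTFILE - PEM file that stores a Diffie-Hellman -based certificate.
# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA
# you must generate a DH pair that will be used.  In most situations the
# DH pair is to be treated as confidential, and the file specified by
# TLS_DHCERTFILE must not be world-readable.
#
# TLS_DHCERTFILE=

##NAME: TLS_CERTFILE:0
#
# TLS_CERTFILE - certificate to use.  TLS_CERTFILE is required for SSL/TLS
# servers, and is optional for SSL/TLS clients.  TLS_CERTFILE is usually
# treated as confidential, and must not be world-readable. Set TLS_CERTFILE
# instead of TLS_DHCERTFILE if this is a garden-variety certificate
#
# NOTE(review): the file is confidential presumably because it carries the
# private key alongside the certificate; check its mode and owner after
# every renewal, not only at install time.
#
# VIRTUAL HOSTS (servers only):
#
# Due to technical limitations in the original SSL/TLS protocol, a dedicated
# IP address is required for each virtual host certificate. If you have
# multiple certificates, install each certificate file as
# $TLS_CERTFILE.aaa.bbb.ccc.ddd, where "aaa.bbb.ccc.ddd" is the IP address
# for the certificate's domain name. So, if TLS_CERTFILE is set to
# /etc/certificate.pem, then you'll need to install the actual certificate
# files as /etc/certificate.pem.192.168.0.2, /etc/certificate.pem.192.168.0.3
# and so on, for each IP address.
#
# GnuTLS only (servers only):
#
# GnuTLS implements a new TLS extension that eliminates the need to have a
# dedicated IP address for each SSL/TLS domain name. Install each certificate
# as $TLS_CERTFILE.domain, so if TLS_CERTFILE is set to /etc/certificate.pem,
# then you'll need to install the actual certificate files as
# /etc/certificate.pem.host1.example.com, /etc/certificate.pem.host2.example.com
# and so on.
#
# Note that this TLS extension also requires corresponding support in the
# client. Older SSL/TLS clients may not support this feature.
#
# This is an experimental feature.

TLS_CERTFILE=/etc/courier/pop3d.pem

##NAME: TLS_TRUSTCERTS:0
#
# TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
# pathname can be a file or a directory. If a file, the file should
# contain a list of trusted certificates, in PEM format. If a
# directory, the directory should contain the trusted certificates,
# in PEM format, one per file and hashed using OpenSSL's c_rehash
# script. TLS_TRUSTCERTS is used by SSL/TLS clients (by specifying
# the -domain option) and by SSL/TLS servers (TLS_VERIFYPEER is set
# to PEER or REQUIREPEER).
#
# NOTE(review): when certificate-based login is enabled (TLS_EXTERNAL,
# below), every CA found under this path can issue a certificate that is
# accepted as a login; point it at only the CA that issues your client
# certificates rather than at a system-wide bundle such as /etc/ssl/certs.
#

TLS_TRUSTCERTS=/etc/ssl/certs

##NAME: TLS_VERIFYPEER:0
#
# TLS_VERIFYPEER - how to verify client certificates.  The possible values of
# this setting are:
#
# NONE - do not verify anything
#
# PEER - verify the client certificate, if one's presented
#
# REQUIREPEER - require a client certificate, fail if one's not presented
#
# NOTE(review): with NONE, TLS_TRUSTCERTS and TLS_EXTERNAL play no part in
# server-side authentication; see the TLS_EXTERNAL steps below.
#
TLS_VERIFYPEER=NONE

##NAME: TLS_EXTERNAL:0
#
# To enable SSL certificate-based authentication:
#
# 1) TLS_TRUSTCERTS must be set to a pathname that holds your certificate
#    authority's SSL certificate
#
# 2) TLS_VERIFYPEER=PEER or TLS_VERIFYPEER=REQUIREPEER (the latter setting
#    requires all SSL clients to present a certificate, and rejects
#    SSL/TLS connections without a valid cert).
#
# 3) Set TLS_EXTERNAL, below, to the subject field that holds the login ID.
#    Example:
#
#  TLS_EXTERNAL=emailaddress
#
# The above example retrieves the login ID from the "emailaddress" subject
# field. The certificate's emailaddress subject must match exactly the login
# ID in the courier-authlib database.

##NAME: TLS_CACHE:0
#
# A TLS/SSL session cache may slightly improve response for long-running
# POP3 clients. TLS_CACHEFILE will be automatically created, TLS_CACHESIZE
# bytes long, and used as a cache buffer.
#
# This is an experimental feature and should be disabled if it causes
# problems with SSL clients.  Disable SSL caching by commenting out the
# following settings:
#
# NOTE(review): the cache file presumably holds resumable session state;
# keep it readable only by the user the daemon runs as -- confirm against
# the installed permissions.

TLS_CACHEFILE=/var/lib/courier/couriersslcache
TLS_CACHESIZE=524288

##NAME: MAILDIRPATH:0
#
# MAILDIRPATH - directory name of the maildir directory.
#
MAILDIRPATH=Maildir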