
  1. ##VERSION: $Id: pop3d-ssl.dist.in,v 1.23 2009/08/12 22:25:49 mrsam Exp $
  2. #
  3. # pop3d-ssl created from pop3d-ssl.dist by sysconftool
  4. #
  5. # Do not alter lines that begin with ##, they are used when upgrading
  6. # this configuration.
  7. #
  8. # Copyright 2000-2008 Double Precision, Inc. See COPYING for
  9. # distribution information.
  10. #
  11. # This configuration file sets various options for the Courier-IMAP server
  12. # when used to handle SSL POP3 connections.
  13. #
  14. # SSL and non-SSL connections are handled by a dedicated instance of the
  15. # couriertcpd daemon. If you are accepting both SSL and non-SSL POP3
  16. # connections, you will start two instances of couriertcpd, one on the
  17. # POP3 port 110, and another one on the POP3-SSL port 995.
  18. #
  19. # Download OpenSSL from http://www.openssl.org/
  20. #
  21. ##NAME: SSLPORT:0
  22. #
  23. # Options in the pop3d-ssl configuration file AUGMENT the options in the
  24. # pop3d configuration file. First the pop3d configuration file is read,
  25. # then the pop3d-ssl configuration file, so we do not have to redefine
  26. # anything.
  27. #
  28. # However, some things do have to be redefined. The port number is
  29. # specified by SSLPORT, instead of PORT. The default port is port 995.
  30. #
  31. # Multiple port numbers can be separated by commas. When multiple port
  32. # numbers are used it is possibly to select a specific IP address for a
  33. # given port as "ip.port". For example, "127.0.0.1.900,192.168.0.1.900"
  34. # accepts connections on port 900 on IP addresses 127.0.0.1 and 192.168.0.1
  35. # The SSLADDRESS setting is a default for ports that do not have
  36. # a specified IP address.
  37. SSLPORT=995
  38. ##NAME: SSLADDRESS:0
  39. #
  40. # Address to listen on, can be set to a single IP address.
  41. #
  42. # SSLADDRESS=127.0.0.1
  43. SSLADDRESS=0
  44. ##NAME: SSLPIDFILE:0
  45. #
  46. SSLPIDFILE=/var/run/courier/pop3d-ssl.pid
  47. ##NAME: SSLLOGGEROPTS:0
  48. #
  49. # courierlogger(1) options.
  50. #
  51. SSLLOGGEROPTS="-name=pop3d-ssl"
  52. ##NAME: POP3DSSLSTART:0
  53. #
  54. # Whether or not to start POP3 over SSL on spop3 port:
  55. POP3DSSLSTART=YES
  56. ##NAME: POP3_STARTTLS:0
  57. #
  58. # Whether or not to implement the POP3 STLS extension:
  59. POP3_STARTTLS=YES
  60. ##NAME: POP3_TLS_REQUIRED:1
  61. #
  62. # Set POP3_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone.
  63. # (this option advertises the LOGINDISABLED POP3 capability, until STARTTLS
  64. # is issued).
  65. POP3_TLS_REQUIRED=0
  66. ##NAME: COURIERTLS:0
  67. #
  68. # The following variables configure POP3 over SSL. If OpenSSL or GnuTLS
  69. # is available during configuration, the couriertls helper gets compiled, and
  70. # upon installation a dummy TLS_CERTFILE gets generated.
  71. #
  72. # WARNING: Peer certificate verification has NOT yet been tested. Proceed
  73. # at your own risk. Only the basic SSL/TLS functionality is known to be
  74. # working. Keep this in mind as you play with the following variables.
  75. COURIERTLS=/usr/bin/couriertls
  76. ##NAME: TLS_PROTOCOL:0
  77. #
  78. # TLS_PROTOCOL sets the protocol version. The possible versions are:
  79. #
  80. # OpenSSL:
  81. #
  82. # SSL2 - SSLv2
  83. # SSL3 - SSLv3
  84. # SSL23 - either SSLv2 or SSLv3 (also TLS1, it seems)
  85. # TLS1 - TLS1
  86. #
  87. # Note that this setting, with OpenSSL, is modified by the TLS_CIPHER_LIST
  88. # setting, below.
  89. #
  90. # GnuTLS:
  91. #
  92. # SSL3 - SSLv3
  93. # TLS1 - TLS 1.0
  94. # TLS1_1 - TLS 1.1
  95. #
  96. # When compiled against GnuTLS, multiple protocols can be selected as follows:
  97. #
  98. # TLS_PROTOCOL="TLS1_1:TLS1:SSL3"
  99. #
  100. # DEFAULT VALUES:
  101. #
  102. # SSL23 (OpenSSL), or "TLS_1:TLS1:SSL3" (GnuTLS)
  103. ##NAME: TLS_STARTTLS_PROTOCOL:0
  104. #
  105. # TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the POP3 STARTTLS
  106. # extension, as opposed to POP3 over SSL on port 995.
  107. #
  108. # It takes the same values for OpenSSL/GnuTLS as TLS_PROTOCOL
  109. TLS_STARTTLS_PROTOCOL=TLS1
  110. ##NAME: TLS_CIPHER_LIST:0
  111. #
  112. # TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
  113. # OpenSSL library. In most situations you can leave TLS_CIPHER_LIST
  114. # undefined
  115. #
  116. # OpenSSL:
  117. #
  118. # TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
  119. #
  120. # To enable SSL2, remove the obvious "!SSLv2" part from the above list.
  121. #
  122. #
  123. # GnuTLS:
  124. #
  125. # TLS_CIPHER_LIST="HIGH:MEDIUM"
  126. #
  127. # The actual list of available ciphers depend on the options GnuTLS was
  128. # compiled against. The possible ciphers are:
  129. #
  130. # AES256, 3DES, AES128, ARC128, ARC40, RC2, DES, NULL
  131. #
  132. # Also, the following aliases:
  133. #
  134. # HIGH -- all ciphers that use more than a 128 bit key size
  135. # MEDIUM -- all ciphers that use a 128 bit key size
  136. # LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher
  137. # is not included
  138. # ALL -- all ciphers except the NULL cipher
  139. ##NAME: TLS_MIN_DH_BITS:0
  140. #
  141. # TLS_MIN_DH_BITS=n
  142. #
  143. # GnuTLS only:
  144. #
  145. # Set the minimum number of acceptable bits for a DH key exchange.
  146. #
  147. # GnuTLS's compiled-in default is 727 bits (as of GnuTLS 1.6.3). Some server
  148. # have been encountered that offer 512 bit keys. You may have to set
  149. # TLS_MIN_DH_BITS=512 here, if necessary.
  150. ##NAME: TLS_KX_LIST:0
  151. #
  152. # GnuTLS only:
  153. #
  154. # Allowed key exchange protocols. The default of "ALL" should be sufficient.
  155. # The list of supported key exchange protocols depends on the options GnuTLS
  156. # was compiled against, but may include the following:
  157. #
  158. # DHERSA, DHEDSS, RSA, SRP, SRPRSA, SRPDSS, PSK, DHEPSK, ANONDH, RSAEXPORT
  159. TLS_KX_LIST=ALL
  160. ##NAME: TLS_COMPRESSION:0
  161. #
  162. # GnuTLS only:
  163. #
  164. # Optional compression. "ALL" selects all available compression methods.
  165. #
  166. # Available compression methods: DEFLATE, LZO, NULL
  167. TLS_COMPRESSION=ALL
  168. ##NAME: TLS_CERTS:0
  169. #
  170. # GnuTLS only:
  171. #
  172. # Supported certificate types are X509 and OPENPGP.
  173. #
  174. # OPENPGP has not been tested
  175. TLS_CERTS=X509
  176. ##NAME: TLS_TIMEOUT:0
  177. # TLS_TIMEOUT is currently not implemented, and reserved for future use.
  178. # This is supposed to be an inactivity timeout, but its not yet implemented.
  179. #
  180. ##NAME: TLS_DHCERTFILE:0
  181. #
  182. # TLS_DHCERTFILE - PEM file that stores a Diffie-Hellman -based certificate.
  183. # When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA
  184. # you must generate a DH pair that will be used. In most situations the
  185. # DH pair is to be treated as confidential, and the file specified by
  186. # TLS_DHCERTFILE must not be world-readable.
  187. #
  188. # TLS_DHCERTFILE=
  189. ##NAME: TLS_CERTFILE:0
  190. #
  191. # TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS
  192. # servers, and is optional for SSL/TLS clients. TLS_CERTFILE is usually
  193. # treated as confidential, and must not be world-readable. Set TLS_CERTFILE
  194. # instead of TLS_DHCERTFILE if this is a garden-variety certificate
  195. #
  196. # VIRTUAL HOSTS (servers only):
  197. #
  198. # Due to technical limitations in the original SSL/TLS protocol, a dedicated
  199. # IP address is required for each virtual host certificate. If you have
  200. # multiple certificates, install each certificate file as
  201. # $TLS_CERTFILE.aaa.bbb.ccc.ddd, where "aaa.bbb.ccc.ddd" is the IP address
  202. # for the certificate's domain name. So, if TLS_CERTFILE is set to
  203. # /etc/certificate.pem, then you'll need to install the actual certificate
  204. # files as /etc/certificate.pem.192.168.0.2, /etc/certificate.pem.192.168.0.3
  205. # and so on, for each IP address.
  206. #
  207. # GnuTLS only (servers only):
  208. #
  209. # GnuTLS implements a new TLS extension that eliminates the need to have a
  210. # dedicated IP address for each SSL/TLS domain name. Install each certificate
  211. # as $TLS_CERTFILE.domain, so if TLS_CERTFILE is set to /etc/certificate.pem,
  212. # then you'll need to install the actual certificate files as
  213. # /etc/certificate.pem.host1.example.com, /etc/certificate.pem.host2.example.com
  214. # and so on.
  215. #
  216. # Note that this TLS extension also requires a corresponding support in the
  217. # client. Older SSL/TLS clients may not support this feature.
  218. #
  219. # This is an experimental feature.
  220. TLS_CERTFILE=/etc/courier/pop3d.pem
  221. ##NAME: TLS_TRUSTCERTS:0
  222. #
  223. # TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
  224. # pathname can be a file or a directory. If a file, the file should
  225. # contain a list of trusted certificates, in PEM format. If a
  226. # directory, the directory should contain the trusted certificates,
  227. # in PEM format, one per file and hashed using OpenSSL's c_rehash
  228. # script. TLS_TRUSTCERTS is used by SSL/TLS clients (by specifying
  229. # the -domain option) and by SSL/TLS servers (TLS_VERIFYPEER is set
  230. # to PEER or REQUIREPEER).
  231. #
  232. TLS_TRUSTCERTS=/etc/ssl/certs
  233. ##NAME: TLS_VERIFYPEER:0
  234. #
  235. # TLS_VERIFYPEER - how to verify client certificates. The possible values of
  236. # this setting are:
  237. #
  238. # NONE - do not verify anything
  239. #
  240. # PEER - verify the client certificate, if one's presented
  241. #
  242. # REQUIREPEER - require a client certificate, fail if one's not presented
  243. #
  244. #
  245. TLS_VERIFYPEER=NONE
  246. ##NAME: TLS_EXTERNAL:0
  247. #
  248. # To enable SSL certificate-based authentication:
  249. #
  250. # 1) TLS_TRUSTCERTS must be set to a pathname that holds your certificate
  251. # authority's SSL certificate
  252. #
  253. # 2) TLS_VERIFYPEER=PEER or TLS_VERIFYPEER=REQUIREPEER (the later settings
  254. # requires all SSL clients to present a certificate, and rejects
  255. # SSL/TLS connections without a valid cert).
  256. #
  257. # 3) Set TLS_EXTERNAL, below, to the subject field that holds the login ID.
  258. # Example:
  259. #
  260. # TLS_EXTERNAL=emailaddress
  261. #
  262. # The above example retrieves the login ID from the "emailaddress" subject
  263. # field. The certificate's emailaddress subject must match exactly the login
  264. # ID in the courier-authlib database.
  265. ##NAME: TLS_CACHE:0
  266. #
  267. # A TLS/SSL session cache may slightly improve response for long-running
  268. # POP3 clients. TLS_CACHEFILE will be automatically created, TLS_CACHESIZE
  269. # bytes long, and used as a cache buffer.
  270. #
  271. # This is an experimental feature and should be disabled if it causes
  272. # problems with SSL clients. Disable SSL caching by commenting out the
  273. # following settings:
  274. TLS_CACHEFILE=/var/lib/courier/couriersslcache
  275. TLS_CACHESIZE=524288
  276. ##NAME: MAILDIRPATH:0
  277. #
  278. # MAILDIRPATH - directory name of the maildir directory.
  279. #
  280. MAILDIRPATH=Maildir