/courier/pop3d-ssl
#! | 318 lines | 280 code | 38 blank | 0 comment | 0 complexity | 06c35c1e648aba9d42b3a3b603c964df MD5 | raw file
1##VERSION: $Id: pop3d-ssl.dist.in,v 1.23 2009/08/12 22:25:49 mrsam Exp $ 2# 3# pop3d-ssl created from pop3d-ssl.dist by sysconftool 4# 5# Do not alter lines that begin with ##, they are used when upgrading 6# this configuration. 7# 8# Copyright 2000-2008 Double Precision, Inc. See COPYING for 9# distribution information. 10# 11# This configuration file sets various options for the Courier-IMAP server 12# when used to handle SSL POP3 connections. 13# 14# SSL and non-SSL connections are handled by a dedicated instance of the 15# couriertcpd daemon. If you are accepting both SSL and non-SSL POP3 16# connections, you will start two instances of couriertcpd, one on the 17# POP3 port 110, and another one on the POP3-SSL port 995. 18# 19# Download OpenSSL from http://www.openssl.org/ 20# 21##NAME: SSLPORT:0 22# 23# Options in the pop3d-ssl configuration file AUGMENT the options in the 24# pop3d configuration file. First the pop3d configuration file is read, 25# then the pop3d-ssl configuration file, so we do not have to redefine 26# anything. 27# 28# However, some things do have to be redefined. The port number is 29# specified by SSLPORT, instead of PORT. The default port is port 995. 30# 31# Multiple port numbers can be separated by commas. When multiple port 32# numbers are used it is possibly to select a specific IP address for a 33# given port as "ip.port". For example, "127.0.0.1.900,192.168.0.1.900" 34# accepts connections on port 900 on IP addresses 127.0.0.1 and 192.168.0.1 35# The SSLADDRESS setting is a default for ports that do not have 36# a specified IP address. 37 38SSLPORT=995 39 40##NAME: SSLADDRESS:0 41# 42# Address to listen on, can be set to a single IP address. 43# 44# SSLADDRESS=127.0.0.1 45 46SSLADDRESS=0 47 48##NAME: SSLPIDFILE:0 49# 50 51SSLPIDFILE=/var/run/courier/pop3d-ssl.pid 52 53##NAME: SSLLOGGEROPTS:0 54# 55# courierlogger(1) options. 56# 57 58SSLLOGGEROPTS="-name=pop3d-ssl" 59 60##NAME: POP3DSSLSTART:0 61# 62# Whether or not to start POP3 over SSL on spop3 port: 63 64POP3DSSLSTART=YES 65 66##NAME: POP3_STARTTLS:0 67# 68# Whether or not to implement the POP3 STLS extension: 69 70POP3_STARTTLS=YES 71 72##NAME: POP3_TLS_REQUIRED:1 73# 74# Set POP3_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone. 75# (this option advertises the LOGINDISABLED POP3 capability, until STARTTLS 76# is issued). 77 78POP3_TLS_REQUIRED=0 79 80##NAME: COURIERTLS:0 81# 82# The following variables configure POP3 over SSL. If OpenSSL or GnuTLS 83# is available during configuration, the couriertls helper gets compiled, and 84# upon installation a dummy TLS_CERTFILE gets generated. 85# 86# WARNING: Peer certificate verification has NOT yet been tested. Proceed 87# at your own risk. Only the basic SSL/TLS functionality is known to be 88# working. Keep this in mind as you play with the following variables. 89 90COURIERTLS=/usr/bin/couriertls 91 92##NAME: TLS_PROTOCOL:0 93# 94# TLS_PROTOCOL sets the protocol version. The possible versions are: 95# 96# OpenSSL: 97# 98# SSL2 - SSLv2 99# SSL3 - SSLv3 100# SSL23 - either SSLv2 or SSLv3 (also TLS1, it seems) 101# TLS1 - TLS1 102# 103# Note that this setting, with OpenSSL, is modified by the TLS_CIPHER_LIST 104# setting, below. 105# 106# GnuTLS: 107# 108# SSL3 - SSLv3 109# TLS1 - TLS 1.0 110# TLS1_1 - TLS 1.1 111# 112# When compiled against GnuTLS, multiple protocols can be selected as follows: 113# 114# TLS_PROTOCOL="TLS1_1:TLS1:SSL3" 115# 116# DEFAULT VALUES: 117# 118# SSL23 (OpenSSL), or "TLS_1:TLS1:SSL3" (GnuTLS) 119 120##NAME: TLS_STARTTLS_PROTOCOL:0 121# 122# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the POP3 STARTTLS 123# extension, as opposed to POP3 over SSL on port 995. 124# 125# It takes the same values for OpenSSL/GnuTLS as TLS_PROTOCOL 126 127TLS_STARTTLS_PROTOCOL=TLS1 128 129##NAME: TLS_CIPHER_LIST:0 130# 131# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the 132# OpenSSL library. In most situations you can leave TLS_CIPHER_LIST 133# undefined 134# 135# OpenSSL: 136# 137# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH" 138# 139# To enable SSL2, remove the obvious "!SSLv2" part from the above list. 140# 141# 142# GnuTLS: 143# 144# TLS_CIPHER_LIST="HIGH:MEDIUM" 145# 146# The actual list of available ciphers depend on the options GnuTLS was 147# compiled against. The possible ciphers are: 148# 149# AES256, 3DES, AES128, ARC128, ARC40, RC2, DES, NULL 150# 151# Also, the following aliases: 152# 153# HIGH -- all ciphers that use more than a 128 bit key size 154# MEDIUM -- all ciphers that use a 128 bit key size 155# LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher 156# is not included 157# ALL -- all ciphers except the NULL cipher 158 159 160##NAME: TLS_MIN_DH_BITS:0 161# 162# TLS_MIN_DH_BITS=n 163# 164# GnuTLS only: 165# 166# Set the minimum number of acceptable bits for a DH key exchange. 167# 168# GnuTLS's compiled-in default is 727 bits (as of GnuTLS 1.6.3). Some server 169# have been encountered that offer 512 bit keys. You may have to set 170# TLS_MIN_DH_BITS=512 here, if necessary. 171 172##NAME: TLS_KX_LIST:0 173# 174# GnuTLS only: 175# 176# Allowed key exchange protocols. The default of "ALL" should be sufficient. 177# The list of supported key exchange protocols depends on the options GnuTLS 178# was compiled against, but may include the following: 179# 180# DHERSA, DHEDSS, RSA, SRP, SRPRSA, SRPDSS, PSK, DHEPSK, ANONDH, RSAEXPORT 181 182TLS_KX_LIST=ALL 183 184##NAME: TLS_COMPRESSION:0 185# 186# GnuTLS only: 187# 188# Optional compression. "ALL" selects all available compression methods. 189# 190# Available compression methods: DEFLATE, LZO, NULL 191 192TLS_COMPRESSION=ALL 193 194##NAME: TLS_CERTS:0 195# 196# GnuTLS only: 197# 198# Supported certificate types are X509 and OPENPGP. 199# 200# OPENPGP has not been tested 201 202TLS_CERTS=X509 203 204##NAME: TLS_TIMEOUT:0 205# TLS_TIMEOUT is currently not implemented, and reserved for future use. 206# This is supposed to be an inactivity timeout, but its not yet implemented. 207# 208 209##NAME: TLS_DHCERTFILE:0 210# 211# TLS_DHCERTFILE - PEM file that stores a Diffie-Hellman -based certificate. 212# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA 213# you must generate a DH pair that will be used. In most situations the 214# DH pair is to be treated as confidential, and the file specified by 215# TLS_DHCERTFILE must not be world-readable. 216# 217# TLS_DHCERTFILE= 218 219##NAME: TLS_CERTFILE:0 220# 221# TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS 222# servers, and is optional for SSL/TLS clients. TLS_CERTFILE is usually 223# treated as confidential, and must not be world-readable. Set TLS_CERTFILE 224# instead of TLS_DHCERTFILE if this is a garden-variety certificate 225# 226# VIRTUAL HOSTS (servers only): 227# 228# Due to technical limitations in the original SSL/TLS protocol, a dedicated 229# IP address is required for each virtual host certificate. If you have 230# multiple certificates, install each certificate file as 231# $TLS_CERTFILE.aaa.bbb.ccc.ddd, where "aaa.bbb.ccc.ddd" is the IP address 232# for the certificate's domain name. So, if TLS_CERTFILE is set to 233# /etc/certificate.pem, then you'll need to install the actual certificate 234# files as /etc/certificate.pem.192.168.0.2, /etc/certificate.pem.192.168.0.3 235# and so on, for each IP address. 236# 237# GnuTLS only (servers only): 238# 239# GnuTLS implements a new TLS extension that eliminates the need to have a 240# dedicated IP address for each SSL/TLS domain name. Install each certificate 241# as $TLS_CERTFILE.domain, so if TLS_CERTFILE is set to /etc/certificate.pem, 242# then you'll need to install the actual certificate files as 243# /etc/certificate.pem.host1.example.com, /etc/certificate.pem.host2.example.com 244# and so on. 245# 246# Note that this TLS extension also requires a corresponding support in the 247# client. Older SSL/TLS clients may not support this feature. 248# 249# This is an experimental feature. 250 251TLS_CERTFILE=/etc/courier/pop3d.pem 252 253##NAME: TLS_TRUSTCERTS:0 254# 255# TLS_TRUSTCERTS=pathname - load trusted certificates from pathname. 256# pathname can be a file or a directory. If a file, the file should 257# contain a list of trusted certificates, in PEM format. If a 258# directory, the directory should contain the trusted certificates, 259# in PEM format, one per file and hashed using OpenSSL's c_rehash 260# script. TLS_TRUSTCERTS is used by SSL/TLS clients (by specifying 261# the -domain option) and by SSL/TLS servers (TLS_VERIFYPEER is set 262# to PEER or REQUIREPEER). 263# 264 265TLS_TRUSTCERTS=/etc/ssl/certs 266 267##NAME: TLS_VERIFYPEER:0 268# 269# TLS_VERIFYPEER - how to verify client certificates. The possible values of 270# this setting are: 271# 272# NONE - do not verify anything 273# 274# PEER - verify the client certificate, if one's presented 275# 276# REQUIREPEER - require a client certificate, fail if one's not presented 277# 278# 279TLS_VERIFYPEER=NONE 280 281##NAME: TLS_EXTERNAL:0 282# 283# To enable SSL certificate-based authentication: 284# 285# 1) TLS_TRUSTCERTS must be set to a pathname that holds your certificate 286# authority's SSL certificate 287# 288# 2) TLS_VERIFYPEER=PEER or TLS_VERIFYPEER=REQUIREPEER (the later settings 289# requires all SSL clients to present a certificate, and rejects 290# SSL/TLS connections without a valid cert). 291# 292# 3) Set TLS_EXTERNAL, below, to the subject field that holds the login ID. 293# Example: 294# 295# TLS_EXTERNAL=emailaddress 296# 297# The above example retrieves the login ID from the "emailaddress" subject 298# field. The certificate's emailaddress subject must match exactly the login 299# ID in the courier-authlib database. 300 301##NAME: TLS_CACHE:0 302# 303# A TLS/SSL session cache may slightly improve response for long-running 304# POP3 clients. TLS_CACHEFILE will be automatically created, TLS_CACHESIZE 305# bytes long, and used as a cache buffer. 306# 307# This is an experimental feature and should be disabled if it causes 308# problems with SSL clients. Disable SSL caching by commenting out the 309# following settings: 310 311TLS_CACHEFILE=/var/lib/courier/couriersslcache 312TLS_CACHESIZE=524288 313 314##NAME: MAILDIRPATH:0 315# 316# MAILDIRPATH - directory name of the maildir directory. 317# 318MAILDIRPATH=Maildir