/courier/pop3d-ssl
http://github.com/brinkman83/bashrc · 318 lines · 280 code · 38 blank · 0 comment · 06c35c1e648aba9d42b3a3b603c964df MD5
##VERSION: $Id: pop3d-ssl.dist.in,v 1.23 2009/08/12 22:25:49 mrsam Exp $
#
# pop3d-ssl created from pop3d-ssl.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
# Copyright 2000-2008 Double Precision, Inc. See COPYING for
# distribution information.
#
# This configuration file sets various options for the Courier-IMAP server
# when used to handle SSL POP3 connections.
#
# SSL and non-SSL connections are handled by a dedicated instance of the
# couriertcpd daemon. If you are accepting both SSL and non-SSL POP3
# connections, you will start two instances of couriertcpd, one on the
# POP3 port 110, and another one on the POP3-SSL port 995.
#
# Download OpenSSL from http://www.openssl.org/
#
##NAME: SSLPORT:0
#
# Options in the pop3d-ssl configuration file AUGMENT the options in the
# pop3d configuration file. First the pop3d configuration file is read,
# then the pop3d-ssl configuration file, so we do not have to redefine
# anything.
#
# However, some things do have to be redefined. The port number is
# specified by SSLPORT, instead of PORT. The default port is port 995.
#
# Multiple port numbers can be separated by commas. When multiple port
# numbers are used it is possible to select a specific IP address for a
# given port as "ip.port". For example, "127.0.0.1.900,192.168.0.1.900"
# accepts connections on port 900 on IP addresses 127.0.0.1 and 192.168.0.1.
# The SSLADDRESS setting is a default for ports that do not have
# a specified IP address.
SSLPORT=995
##NAME: SSLADDRESS:0
#
# Address to listen on, can be set to a single IP address.
#
# SSLADDRESS=127.0.0.1
SSLADDRESS=0
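The "ip.port" form above is easy to mis-split, because the first four dot-separated fields are an address and the fifth is the port. The following Python is an added example, not part of Courier or couriertcpd: it parses an SSLPORT list the way the comment describes, applies SSLADDRESS as the default address, rejects malformed or duplicated entries instead of silently dropping a listener, and flags sockets that the PORT and SSLPORT couriertcpd instances would both try to bind. It models only the IPv4 syntax shown in this file; how couriertcpd itself tokenizes the string (for example for IPv6 addresses) is not documented here and is not assumed.

```python
"""Parse couriertcpd-style SSLPORT/SSLADDRESS listener specs.

Added example, not Courier code.  Covers the IPv4 "a.b.c.d.port" and bare
"port" forms documented in pop3d-ssl and nothing else.
"""
import ipaddress
from typing import List, Tuple

Listener = Tuple[str, int]   # (IPv4 address, TCP port)


def resolve_default_address(ssladdress: str) -> str:
    """SSLADDRESS=0 (the shipped default) means every interface."""
    value = ssladdress.strip()
    if value in ("", "0"):
        return "0.0.0.0"
    return str(ipaddress.IPv4Address(value))   # raises ValueError on garbage


def parse_listen_spec(sslport: str, ssladdress: str = "0") -> List[Listener]:
    """Turn "995" or "127.0.0.1.900,192.168.0.1.900" into (address, port) pairs.

    A bare port listens on the SSLADDRESS default; a five-field entry pins the
    port to one address.  Anything else is rejected rather than guessed at:
    a silently dropped entry would leave a port unprotected or unreachable.
    """
    default_addr = resolve_default_address(ssladdress)
    listeners: List[Listener] = []
    for raw in sslport.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError("empty entry in SSLPORT")
        fields = entry.split(".")
        if len(fields) == 1:
            addr, port_text = default_addr, fields[0]
        elif len(fields) == 5:
            addr = str(ipaddress.IPv4Address(".".join(fields[:4])))  # validates octets
            port_text = fields[4]
        else:
            raise ValueError(f"malformed SSLPORT entry {entry!r}: want PORT or A.B.C.D.PORT")
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"bad port in SSLPORT entry {entry!r}")
        listener = (addr, int(port_text))
        if listener in listeners:
            raise ValueError(f"duplicate listener {addr}:{port_text} in SSLPORT")
        listeners.append(listener)
    return listeners


def overlapping_listeners(plain: List[Listener], tls: List[Listener]) -> List[Listener]:
    """Sockets both couriertcpd instances (PORT and SSLPORT) would try to bind.

    A 0.0.0.0 listener collides with any specific address on the same port.
    """
    clashes: List[Listener] = []
    for p_addr, p_port in plain:
        for t_addr, t_port in tls:
            if p_port == t_port and (p_addr == t_addr or "0.0.0.0" in (p_addr, t_addr)):
                clashes.append((t_addr, t_port))
    return clashes


if __name__ == "__main__":
    print(parse_listen_spec("127.0.0.1.900,192.168.0.1.900"))
    print(overlapping_listeners(parse_listen_spec("110"), parse_listen_spec("995")))
```

Feed it the PORT/ADDRESS pair from the pop3d file and the SSLPORT/SSLADDRESS pair from this one; an empty list from `overlapping_listeners` means the two daemons will not fight over a socket.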
##NAME: SSLPIDFILE:0
#
SSLPIDFILE=/var/run/courier/pop3d-ssl.pid
##NAME: SSLLOGGEROPTS:0
#
# courierlogger(1) options.
#
SSLLOGGEROPTS="-name=pop3d-ssl"
##NAME: POP3DSSLSTART:0
#
# Whether or not to start POP3 over SSL on the spop3 port (995):
POP3DSSLSTART=YES
##NAME: POP3_STARTTLS:0
#
# Whether or not to implement the POP3 STLS extension (RFC 2595) on the
# plain POP3 port:
POP3_STARTTLS=YES
##NAME: POP3_TLS_REQUIRED:1
#
# Set POP3_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone. With this
# set, the server refuses the plaintext login commands (USER/PASS) until the
# client has issued STLS, so no password can be sent over an unencrypted
# connection. Leaving it at 0 lets a client that ignores the advertised STLS
# capability log in in the clear on port 110.
POP3_TLS_REQUIRED=0
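To see what POP3_STARTTLS and POP3_TLS_REQUIRED change on the wire, here is an added Python model of a POP3 server's command handling around the STLS negotiation (RFC 2595). It is not Courier's pop3d: the response texts, the account table and the stubbed handshake are this example's own. It shows that STLS is advertised only while the connection is still plaintext, that on the dedicated SSL port TLS is already up before the first command, and that with POP3_TLS_REQUIRED=1 the login commands are refused until STLS has succeeded.

```python
"""Model of POP3 STLS handling under POP3_STARTTLS / POP3_TLS_REQUIRED.

Added example, not Courier's pop3d.  The TLS handshake is stubbed (the model
flips a flag where a real server would hand the socket to couriertls);
response strings and the account table are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

# Constructed credentials standing in for courier-authlib.
ACCOUNTS: Dict[str, str] = {"alice": "correct horse battery staple"}

LOGIN_COMMANDS = ("USER", "PASS", "APOP")


class Pop3Server:
    def __init__(self, starttls: bool = True, tls_required: bool = False,
                 on_ssl_port: bool = False) -> None:
        self.starttls = starttls            # POP3_STARTTLS=YES
        self.tls_required = tls_required    # POP3_TLS_REQUIRED=1
        self.tls_active = on_ssl_port       # port 995: TLS is up before the banner
        self.pending_user: Optional[str] = None
        self.authenticated = False

    def capabilities(self) -> List[str]:
        caps = ["TOP", "UIDL", "PIPELINING"]
        if self.starttls and not self.tls_active:
            caps.append("STLS")             # never advertised once TLS is active
        if not self.tls_required or self.tls_active:
            caps.append("USER")             # plaintext-style login is on offer
        return caps

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "CAPA":
            return "+OK\r\n" + "".join(c + "\r\n" for c in self.capabilities()) + ".\r\n"
        if verb == "STLS":
            if not self.starttls:
                return "-ERR STLS not supported\r\n"
            if self.tls_active:
                return "-ERR TLS already active\r\n"
            self.tls_active = True          # real server: send +OK, then run the handshake
            return "+OK Begin TLS negotiation\r\n"
        if verb in LOGIN_COMMANDS:
            if self.tls_required and not self.tls_active:
                return "-ERR TLS required to log in\r\n"   # the POP3_TLS_REQUIRED=1 gate
            return self._login(verb, arg)
        if verb == "QUIT":
            return "+OK Bye\r\n"
        return "-ERR Unknown command\r\n"

    def _login(self, verb: str, arg: str) -> str:
        """USER/PASS only; APOP is not modelled here."""
        if verb == "USER":
            self.pending_user = arg
            return "+OK Password required\r\n"
        if verb == "PASS" and self.pending_user is not None:
            if ACCOUNTS.get(self.pending_user) == arg:
                self.authenticated = True
                return "+OK Logged in\r\n"
            return "-ERR Login failed\r\n"
        return "-ERR Unsupported login sequence\r\n"


def run_exchange(server: Pop3Server, commands: List[str]) -> List[Tuple[str, str]]:
    """Feed client lines to the model and return (command, response) pairs."""
    return [(cmd, server.handle(cmd)) for cmd in commands]


if __name__ == "__main__":
    strict = Pop3Server(starttls=True, tls_required=True)
    script = ["CAPA", "USER alice", "STLS", "CAPA", "USER alice",
              "PASS correct horse battery staple"]
    for cmd, reply in run_exchange(strict, script):
        print("C:", cmd)
        print("S:", reply.rstrip("\r\n").replace("\r\n", "\nS: "))
```

Run with `tls_required=False` and the first `USER alice` is accepted straight away; that is the exposure the shipped `POP3_TLS_REQUIRED=0` leaves open whenever a client chooses not to issue STLS.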
##NAME: COURIERTLS:0
#
# The following variables configure POP3 over SSL. If OpenSSL or GnuTLS
# is available during configuration, the couriertls helper gets compiled, and
# upon installation a dummy TLS_CERTFILE gets generated.
#
# WARNING: Peer certificate verification has NOT yet been tested. Proceed
# at your own risk. Only the basic SSL/TLS functionality is known to be
# working. Keep this in mind as you play with the following variables.
COURIERTLS=/usr/bin/couriertls
##NAME: TLS_PROTOCOL:0
#
# TLS_PROTOCOL sets the protocol version. The possible versions are:
#
# OpenSSL:
#
# SSL2 - SSLv2
# SSL3 - SSLv3
# SSL23 - negotiate the highest version both sides support (SSLv2, SSLv3
# or TLS1, depending on how OpenSSL was built)
# TLS1 - TLS1
#
# Note that this setting, with OpenSSL, is modified by the TLS_CIPHER_LIST
# setting, below.
#
# GnuTLS:
#
# SSL3 - SSLv3
# TLS1 - TLS 1.0
# TLS1_1 - TLS 1.1
#
# When compiled against GnuTLS, multiple protocols can be selected as follows:
#
# TLS_PROTOCOL="TLS1_1:TLS1:SSL3"
#
# DEFAULT VALUES:
#
# SSL23 (OpenSSL), or "TLS1_1:TLS1:SSL3" (GnuTLS)
#
# SSLv2 and SSLv3 are broken and have been prohibited (RFC 6176 and
# RFC 7568). Do not select them, and prefer an explicit TLS1 (or newer,
# where the library offers it) over the SSL23 default, which accepts
# whatever the client is willing to negotiate.
##NAME: TLS_STARTTLS_PROTOCOL:0
#
# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the POP3 STARTTLS
# extension, as opposed to POP3 over SSL on port 995.
#
# It takes the same values for OpenSSL/GnuTLS as TLS_PROTOCOL.
TLS_STARTTLS_PROTOCOL=TLS1
##NAME: TLS_CIPHER_LIST:0
#
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
# OpenSSL library. In most situations you can leave TLS_CIPHER_LIST
# undefined.
#
# OpenSSL:
#
# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
#
# Removing the "!SSLv2" part from the above list would re-enable SSL2. Do
# not do this: SSLv2 is prohibited (RFC 6176). Keep the "!NULL:!aNULL"
# exclusions as well; they remove the unencrypted and the unauthenticated
# suites.
#
# GnuTLS:
#
# TLS_CIPHER_LIST="HIGH:MEDIUM"
#
# The actual list of available ciphers depends on the options GnuTLS was
# compiled against. The possible ciphers are:
#
# AES256, 3DES, AES128, ARC128, ARC40, RC2, DES, NULL
#
# Also, the following aliases:
#
# HIGH -- all ciphers that use more than a 128 bit key size
# MEDIUM -- all ciphers that use a 128 bit key size
# LOW -- all ciphers that use fewer than a 128 bit key size; the NULL cipher
# is not included
# ALL -- all ciphers except the NULL cipher
##NAME: TLS_MIN_DH_BITS:0
#
# TLS_MIN_DH_BITS=n
#
# GnuTLS only:
#
# Set the minimum number of acceptable bits for a DH key exchange.
#
# GnuTLS's compiled-in default is 727 bits (as of GnuTLS 1.6.3). Some servers
# have been encountered that offer 512 bit keys. You may have to set
# TLS_MIN_DH_BITS=512 here, if necessary. Be aware that 512-bit DH groups
# can be broken offline by a well-resourced attacker; accepting them gives
# up the confidentiality of every session negotiated with such a peer.
##NAME: TLS_KX_LIST:0
#
# GnuTLS only:
#
# Allowed key exchange protocols. The default of "ALL" should be sufficient.
# The list of supported key exchange protocols depends on the options GnuTLS
# was compiled against, but may include the following:
#
# DHERSA, DHEDSS, RSA, SRP, SRPRSA, SRPDSS, PSK, DHEPSK, ANONDH, RSAEXPORT
#
# Note that "ALL" also admits ANONDH, which provides no server
# authentication, and RSAEXPORT, which uses 512-bit export-grade keys, when
# GnuTLS was built with them. A hardened deployment lists the exchanges it
# actually needs (for example "DHERSA:RSA") instead.
TLS_KX_LIST=ALL
##NAME: TLS_COMPRESSION:0
#
# GnuTLS only:
#
# Optional compression. "ALL" selects all available compression methods.
#
# Available compression methods: DEFLATE, LZO, NULL
#
# TLS-level compression lets an attacker who can inject chosen plaintext
# learn secrets from the compressed record length (the CRIME class of
# attacks), and was removed from TLS 1.3 for that reason. "NULL" is the
# safe choice.
TLS_COMPRESSION=ALL
##NAME: TLS_CERTS:0
#
# GnuTLS only:
#
# Supported certificate types are X509 and OPENPGP.
#
# OPENPGP has not been tested.
TLS_CERTS=X509
##NAME: TLS_TIMEOUT:0
# TLS_TIMEOUT is currently not implemented, and reserved for future use.
# It is intended to be an inactivity timeout.
#
##NAME: TLS_DHCERTFILE:0
#
# TLS_DHCERTFILE - PEM file that stores a Diffie-Hellman-based certificate.
# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA
# you must generate a DH pair that will be used. In most situations the
# DH pair is to be treated as confidential, and the file specified by
# TLS_DHCERTFILE must not be world-readable.
#
# TLS_DHCERTFILE=
##NAME: TLS_CERTFILE:0
#
# TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS
# servers, and is optional for SSL/TLS clients. TLS_CERTFILE is usually
# treated as confidential, since the PEM file holds the private key along
# with the certificate, and must not be world-readable. Set TLS_CERTFILE
# instead of TLS_DHCERTFILE if this is a garden-variety certificate.
#
# VIRTUAL HOSTS (servers only):
#
# Due to technical limitations in the original SSL/TLS protocol, a dedicated
# IP address is required for each virtual host certificate. If you have
# multiple certificates, install each certificate file as
# $TLS_CERTFILE.aaa.bbb.ccc.ddd, where "aaa.bbb.ccc.ddd" is the IP address
# for the certificate's domain name. So, if TLS_CERTFILE is set to
# /etc/certificate.pem, then you'll need to install the actual certificate
# files as /etc/certificate.pem.192.168.0.2, /etc/certificate.pem.192.168.0.3
# and so on, for each IP address.
#
# GnuTLS only (servers only):
#
# GnuTLS implements the TLS Server Name Indication extension, which
# eliminates the need to have a dedicated IP address for each SSL/TLS
# domain name. Install each certificate as $TLS_CERTFILE.domain, so if
# TLS_CERTFILE is set to /etc/certificate.pem, then you'll need to install
# the actual certificate files as /etc/certificate.pem.host1.example.com,
# /etc/certificate.pem.host2.example.com and so on.
#
# Note that this TLS extension also requires corresponding support in the
# client. Older SSL/TLS clients may not support this feature.
#
# This is an experimental feature.
TLS_CERTFILE=/etc/courier/pop3d.pem
##NAME: TLS_TRUSTCERTS:0
#
# TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
# pathname can be a file or a directory. If a file, the file should
# contain a list of trusted certificates, in PEM format. If a
# directory, the directory should contain the trusted certificates,
# in PEM format, one per file and hashed using OpenSSL's c_rehash
# script. TLS_TRUSTCERTS is used by SSL/TLS clients (by specifying
# the -domain option) and by SSL/TLS servers (when TLS_VERIFYPEER is set
# to PEER or REQUIREPEER).
#
TLS_TRUSTCERTS=/etc/ssl/certs
##NAME: TLS_VERIFYPEER:0
#
# TLS_VERIFYPEER - how to verify client certificates. The possible values of
# this setting are:
#
# NONE - do not verify anything
#
# PEER - verify the client certificate, if one is presented
#
# REQUIREPEER - require a client certificate, fail if one is not presented
#
# With either PEER or REQUIREPEER, a certificate that is presented but does
# not chain to a certificate in TLS_TRUSTCERTS fails the handshake; PEER
# only makes presenting one optional.
#
TLS_VERIFYPEER=NONE
##NAME: TLS_EXTERNAL:0
#
# To enable SSL certificate-based authentication:
#
# 1) TLS_TRUSTCERTS must be set to a pathname that holds your certificate
# authority's SSL certificate, and only that. Do not leave it pointing at a
# system-wide bundle such as the default /etc/ssl/certs: any certificate
# issued by any public CA with a matching subject field would then be
# accepted as a login.
#
# 2) TLS_VERIFYPEER=PEER or TLS_VERIFYPEER=REQUIREPEER (the latter setting
# requires all SSL clients to present a certificate, and rejects
# SSL/TLS connections without a valid cert).
#
# 3) Set TLS_EXTERNAL, below, to the subject field that holds the login ID.
# Example:
#
# TLS_EXTERNAL=emailaddress
#
# The above example retrieves the login ID from the "emailaddress" subject
# field. The certificate's emailaddress subject must match exactly the login
# ID in the courier-authlib database.
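The three steps above leave the final mapping from certificate to login ID implicit. The Python below is an added example, not couriertls or courier-authlib code, that applies the exact-match rule from step 3 to a client certificate in the dictionary form Python's ssl module returns from SSLSocket.getpeercert(); the account table and the CERT_* samples are constructed here. Python spells the subject attribute "emailAddress", so this example compares the field name case-insensitively against the TLS_EXTERNAL value while keeping the value comparison exact. It refuses certificates with no such field or with more than one, and treats a missing certificate as "no certificate login" rather than as a failure or a success.

```python
"""TLS_EXTERNAL-style login lookup from a verified client certificate.

Added example; not Courier code.  Works on the dict that
ssl.SSLSocket.getpeercert() returns for a verified peer, where 'subject' is
a tuple of RDNs, each a tuple of (attribute, value) pairs.  ACCOUNTS and the
CERT_* samples are constructed for this example.
"""
from typing import Dict, List, Optional

# Stand-in for the courier-authlib account database: login ID -> home.
ACCOUNTS: Dict[str, str] = {
    "alice@example.com": "/home/vmail/alice",
    "bob@example.com": "/home/vmail/bob",
}


def subject_values(peercert: dict, field: str) -> List[str]:
    """All values of the named subject attribute (TLS_EXTERNAL=emailaddress)."""
    wanted = field.lower()          # 'emailaddress' in the config, 'emailAddress' in ssl
    values: List[str] = []
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr.lower() == wanted:
                values.append(value)
    return values


def login_from_certificate(peercert: Optional[dict], field: str,
                           accounts: Dict[str, str]) -> Optional[str]:
    """Return the login ID, or None when no unambiguous exact match exists.

    Only pass certificates the TLS layer already verified against
    TLS_TRUSTCERTS (TLS_VERIFYPEER=PEER/REQUIREPEER); this does no chain
    validation.  None means "no certificate login": under PEER that is where
    password authentication takes over, under REQUIREPEER the handshake
    would already have failed.
    """
    if not peercert:                  # getpeercert() gives {} or None without a cert
        return None
    values = subject_values(peercert, field)
    if len(values) != 1:              # absent or ambiguous: refuse rather than pick one
        return None
    login = values[0]
    return login if login in accounts else None   # exact, case-sensitive match


# Constructed certificates in getpeercert() layout.
CERT_ALICE = {
    "subject": ((("countryName", "DE"),), (("commonName", "Alice"),),
                (("emailAddress", "alice@example.com"),)),
    "issuer": ((("commonName", "Example Mail CA"),),),
    "serialNumber": "01",
}
CERT_WRONG_CASE = {"subject": ((("emailAddress", "Alice@example.com"),),)}
CERT_TWO_ADDRESSES = {"subject": ((("emailAddress", "alice@example.com"),),
                                  (("emailAddress", "bob@example.com"),))}
CERT_NO_EMAIL = {"subject": ((("commonName", "alice@example.com"),),)}
CERT_UNKNOWN = {"subject": ((("emailAddress", "mallory@example.com"),),)}

if __name__ == "__main__":
    for name, cert in [("alice", CERT_ALICE), ("wrong case", CERT_WRONG_CASE),
                       ("two addresses", CERT_TWO_ADDRESSES), ("no email", CERT_NO_EMAIL),
                       ("unknown", CERT_UNKNOWN), ("none", None)]:
        print(f"{name:14} -> {login_from_certificate(cert, 'emailaddress', ACCOUNTS)}")
```

The case-sensitive value comparison is deliberate: the comment above says the subject must match the authlib login ID exactly, and a looser match would let a CA-issued certificate for one spelling of an address log in as another.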
##NAME: TLS_CACHE:0
#
# A TLS/SSL session cache may slightly improve response for long-running
# POP3 clients. TLS_CACHEFILE will be automatically created, TLS_CACHESIZE
# bytes long, and used as a cache buffer. The cache holds live session
# state, so the file must be readable and writable by the Courier daemons
# only.
#
# This is an experimental feature and should be disabled if it causes
# problems with SSL clients. Disable SSL caching by commenting out the
# following settings:
TLS_CACHEFILE=/var/lib/courier/couriersslcache
TLS_CACHESIZE=524288
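Several of the settings above interact (TLS_PROTOCOL and TLS_STARTTLS_PROTOCOL, TLS_CIPHER_LIST, TLS_MIN_DH_BITS, TLS_KX_LIST, TLS_COMPRESSION, POP3_TLS_REQUIRED, and the TLS_VERIFYPEER / TLS_TRUSTCERTS / TLS_EXTERNAL trio), and the values this file ships with are not the hardened choice. The Python below is an added example, not a Courier tool: it reads the KEY=VALUE assignments from a pop3d-ssl file (skipping # and ##NAME lines, honouring that a later assignment overrides an earlier one), applies the checks that follow from the comments in this file, and returns findings. SHIPPED_DEFAULTS and HARDENED are constructed samples, and the severity labels are this example's own.

```python
"""Audit the security-relevant settings of a Courier pop3d-ssl file.

Added example, not part of Courier.  Parses KEY=VALUE lines and reports weak
or inconsistent settings; samples and severities are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str, str]   # (severity, setting, message)
ASSIGNMENT = re.compile(r"^([A-Z0-9_]+)=(.*)$")
WEAK_PROTOCOLS = {"SSL2", "SSL3", "SSL23"}
WEAK_CIPHER_TOKENS = {"SSLv2", "NULL", "aNULL", "eNULL", "EXP", "EXPORT", "LOW"}  # "!NULL" etc. pass
WEAK_KX = {"ALL", "ANONDH", "RSAEXPORT"}


def parse_courier_config(text: str) -> Dict[str, str]:
    """Last assignment wins; '#' lines (including ##NAME markers) are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ASSIGNMENT.match(line)
        if match:
            value = match.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
                value = value[1:-1]
            settings[match.group(1)] = value
    return settings


def _tokens(value: str) -> Set[str]:
    return {t for t in re.split(r"[:,\s]+", value) if t}


def audit_pop3d_ssl(text: str) -> List[Finding]:
    cfg = parse_courier_config(text)
    out: List[Finding] = []
    for key in ("TLS_PROTOCOL", "TLS_STARTTLS_PROTOCOL"):
        weak_proto = _tokens(cfg.get(key, "").upper()) & WEAK_PROTOCOLS
        if key not in cfg:
            out.append(("INFO", key, "unset; OpenSSL's SSL23 default accepts whatever the library allows"))
        elif weak_proto:
            out.append(("HIGH", key, "permits SSLv2/SSLv3 (RFC 6176, RFC 7568): " + ", ".join(sorted(weak_proto))))
    weak_ciphers = _tokens(cfg.get("TLS_CIPHER_LIST", "")) & WEAK_CIPHER_TOKENS
    if weak_ciphers:
        out.append(("HIGH", "TLS_CIPHER_LIST", "enables weak or unauthenticated suites: " + ", ".join(sorted(weak_ciphers))))
    dh_bits = cfg.get("TLS_MIN_DH_BITS")
    if dh_bits is not None and (not dh_bits.isdigit() or int(dh_bits) < 2048):
        out.append(("HIGH", "TLS_MIN_DH_BITS", f"{dh_bits!r} accepts DH groups breakable offline; use 2048 or more"))
    weak_kx = _tokens(cfg.get("TLS_KX_LIST", "ALL").upper()) & WEAK_KX   # unset means ALL
    if weak_kx:
        out.append(("MEDIUM", "TLS_KX_LIST", "admits anonymous or export-grade key exchange (GnuTLS): " + ", ".join(sorted(weak_kx))))
    compression = _tokens(cfg.get("TLS_COMPRESSION", "NULL").upper()) - {"NULL"}   # unset is not flagged
    if compression:
        out.append(("MEDIUM", "TLS_COMPRESSION", "TLS compression enabled (CRIME-class length leaks): " + ", ".join(sorted(compression))))
    if cfg.get("POP3_STARTTLS", "").upper() == "YES" and cfg.get("POP3_TLS_REQUIRED", "0") != "1":
        out.append(("MEDIUM", "POP3_TLS_REQUIRED", "STLS offered but not required; passwords may cross port 110 in plaintext"))
    verify = cfg.get("TLS_VERIFYPEER", "NONE").upper()
    if verify in ("PEER", "REQUIREPEER") and not cfg.get("TLS_TRUSTCERTS"):
        out.append(("HIGH", "TLS_TRUSTCERTS", f"TLS_VERIFYPEER={verify} without any trust anchors"))
    if cfg.get("TLS_EXTERNAL"):
        if verify == "NONE":
            out.append(("HIGH", "TLS_EXTERNAL", "certificate login configured but TLS_VERIFYPEER=NONE never verifies it"))
        elif verify == "PEER":
            out.append(("MEDIUM", "TLS_VERIFYPEER", "PEER lets certificate-less clients fall back to passwords; use REQUIREPEER"))
    return out


def settings_at(findings: List[Finding], severity: str) -> Set[str]:
    return {setting for sev, setting, _ in findings if sev == severity}


# Constructed sample: the values this file ships with.
SHIPPED_DEFAULTS = """\
##NAME: POP3_STARTTLS:0
POP3_STARTTLS=YES
POP3_TLS_REQUIRED=0
TLS_STARTTLS_PROTOCOL=TLS1
TLS_KX_LIST=ALL
TLS_COMPRESSION=ALL
TLS_VERIFYPEER=NONE
TLS_TRUSTCERTS=/etc/ssl/certs
"""
# Constructed sample: the same keys tightened.
HARDENED = """\
POP3_STARTTLS=YES
POP3_TLS_REQUIRED=1
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1
TLS_CIPHER_LIST="HIGH:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM:!SSLv2"
TLS_MIN_DH_BITS=2048
TLS_KX_LIST=DHERSA:RSA
TLS_COMPRESSION=NULL
TLS_VERIFYPEER=NONE
"""

if __name__ == "__main__":
    for sev, setting, msg in audit_pop3d_ssl(SHIPPED_DEFAULTS):
        print(f"{sev:6} {setting}: {msg}")
```

Run against the shipped defaults it reports three MEDIUM findings (TLS_KX_LIST, TLS_COMPRESSION, POP3_TLS_REQUIRED) and notes that TLS_PROTOCOL is unset; against HARDENED it reports nothing. The cipher check is deliberately token-based: it flags a bare `NULL` or `aNULL` but accepts the `!NULL:!aNULL` exclusions from the OpenSSL example above, and it does not attempt to evaluate OpenSSL's full cipher-string grammar.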
##NAME: MAILDIRPATH:0
#
# MAILDIRPATH - directory name of the maildir directory.
#
MAILDIRPATH=Maildir