200 lines
6.0 KiB
Plaintext
200 lines
6.0 KiB
Plaintext
##VERSION: $Id: imapd-ssl.dist.in,v 1.11 2004/10/21 00:45:35 mrsam Exp $
|
|
#
|
|
# imapd-ssl created from imapd-ssl.dist by sysconftool
|
|
#
|
|
# Do not alter lines that begin with ##, they are used when upgrading
|
|
# this configuration.
|
|
#
|
|
# Copyright 2000 - 2004 Double Precision, Inc. See COPYING for
|
|
# distribution information.
|
|
#
|
|
# This configuration file sets various options for the Courier-IMAP server
|
|
# when used to handle SSL IMAP connections.
|
|
#
|
|
# SSL and non-SSL connections are handled by a dedicated instance of the
|
|
# couriertcpd daemon. If you are accepting both SSL and non-SSL IMAP
|
|
# connections, you will start two instances of couriertcpd, one on the
|
|
# IMAP port 143, and another one on the IMAP-SSL port 993.
|
|
#
|
|
# Download OpenSSL from http://www.openssl.org/
|
|
#
|
|
##NAME: SSLPORT:1
|
|
#
|
|
# Options in the imapd-ssl configuration file AUGMENT the options in the
|
|
# imapd configuration file. First the imapd configuration file is read,
|
|
# then the imapd-ssl configuration file, so we do not have to redefine
|
|
# anything.
|
|
#
|
|
# However, some things do have to be redefined. The port number is
|
|
# specified by SSLPORT, instead of PORT. The default port is port 993.
|
|
#
|
|
# Multiple port numbers can be separated by commas. When multiple port
|
|
# numbers are used it is possibly to select a specific IP address for a
|
|
# given port as "ip.port". For example, "127.0.0.1.900,192.68.0.1.900"
|
|
# accepts connections on port 900 on IP addresses 127.0.0.1 and 192.68.0.1
|
|
# The SSLADDRESS setting is a default for ports that do not have
|
|
# a specified IP address.
|
|
|
|
SSLPORT=993
|
|
|
|
##NAME: SSLADDRESS:0
|
|
#
|
|
# Address to listen on, can be set to a single IP address.
|
|
#
|
|
# SSLADDRESS=127.0.0.1
|
|
|
|
SSLADDRESS=0
|
|
|
|
##NAME: SSLPIDFILE:0
|
|
#
|
|
# That's the SSL IMAP port we'll listen on.
|
|
# Feel free to redefine MAXDAEMONS, TCPDOPTS, and MAXPERIP.
|
|
|
|
SSLPIDFILE=/var/run/imapd-ssl.pid
|
|
|
|
##NAME: IMAPDSSLSTART:0
|
|
#
|
|
# Different pid files, so that both instances of couriertcpd can coexist
|
|
# happily.
|
|
#
|
|
# You can also redefine IMAP_CAPABILITY, although I can't
|
|
# think of why you'd want to do that.
|
|
#
|
|
#
|
|
# Ok, the following settings are new to imapd-ssl:
|
|
#
|
|
# Whether or not to start IMAP over SSL on simap port:
|
|
|
|
IMAPDSSLSTART=YES
|
|
|
|
##NAME: IMAPDSTARTTLS:0
|
|
#
|
|
# Whether or not to implement IMAP STARTTLS extension instead:
|
|
|
|
IMAPDSTARTTLS=YES
|
|
|
|
##NAME: IMAP_TLS_REQUIRED:1
|
|
#
|
|
# Set IMAP_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone.
|
|
# (this option advertises the LOGINDISABLED IMAP capability, until STARTTLS
|
|
# is issued).
|
|
|
|
IMAP_TLS_REQUIRED=0
|
|
|
|
#########################################################################
|
|
#
|
|
# The following variables configure IMAP over SSL. If OpenSSL is available
|
|
# during configuration, the couriertls helper gets compiled, and upon
|
|
# installation a dummy TLS_CERTFILE gets generated. courieresmtpd will
|
|
# automatically advertise the ESMTP STARTTLS extension if both TLS_CERTFILE
|
|
# and COURIERTLS exist.
|
|
#
|
|
# WARNING: Peer certificate verification has NOT yet been tested. Proceed
|
|
# at your own risk. Only the basic SSL/TLS functionality is known to be
|
|
# working. Keep this in mind as you play with the following variables.
|
|
#
|
|
##NAME: COURIERTLS:0
|
|
#
|
|
|
|
COURIERTLS=/usr/sbin/couriertls
|
|
|
|
##NAME: TLS_PROTOCOL:0
|
|
#
|
|
# TLS_PROTOCOL sets the protocol version. The possible versions are:
|
|
#
|
|
# SSL2 - SSLv2
|
|
# SSL3 - SSLv3
|
|
# TLS1 - TLS1
|
|
|
|
TLS_PROTOCOL=SSL3
|
|
|
|
##NAME: TLS_STARTTLS_PROTOCOL:0
|
|
#
|
|
# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the IMAP STARTTLS
|
|
# extension, as opposed to IMAP over SSL on port 993.
|
|
#
|
|
|
|
TLS_STARTTLS_PROTOCOL=TLS1
|
|
|
|
##NAME: TLS_CIPHER_LIST:0
|
|
#
|
|
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
|
|
# OpenSSL library. In most situations you can leave TLS_CIPHER_LIST
|
|
# undefined
|
|
#
|
|
# TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"
|
|
|
|
##NAME: TLS_TIMEOUT:0
|
|
# TLS_TIMEOUT is currently not implemented, and reserved for future use.
|
|
# This is supposed to be an inactivity timeout, but its not yet implemented.
|
|
#
|
|
|
|
##NAME: TLS_DHCERTFILE:0
|
|
#
|
|
# TLS_DHCERTFILE - PEM file that stores our Diffie-Hellman cipher pair.
|
|
# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA
|
|
# you must generate a DH pair that will be used. In most situations the
|
|
# DH pair is to be treated as confidential, and the file specified by
|
|
# TLS_DHCERTFILE must not be world-readable.
|
|
#
|
|
# TLS_DHCERTFILE=
|
|
|
|
##NAME: TLS_CERTFILE:0
|
|
#
|
|
# TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS
|
|
# servers, and is optional for SSL/TLS clients. TLS_CERTFILE is usually
|
|
# treated as confidential, and must not be world-readable.
|
|
#
|
|
TLS_CERTFILE=/etc/ssl/postfix/server.pem
|
|
|
|
##NAME: TLS_TRUSTCERTS:0
|
|
#
|
|
# TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
|
|
# pathname can be a file or a directory. If a file, the file should
|
|
# contain a list of trusted certificates, in PEM format. If a
|
|
# directory, the directory should contain the trusted certificates,
|
|
# in PEM format, one per file and hashed using OpenSSL's c_rehash
|
|
# script. TLS_TRUSTCERTS is used by SSL/TLS clients (by specifying
|
|
# the -domain option) and by SSL/TLS servers (TLS_VERIFYPEER is set
|
|
# to PEER or REQUIREPEER).
|
|
#
|
|
#
|
|
TLS_TRUSTCERTS=/etc/ssl/certs
|
|
|
|
##NAME: TLS_VERIFYPEER:0
|
|
#
|
|
# TLS_VERIFYPEER - how to verify client certificates. The possible values of
|
|
# this setting are:
|
|
#
|
|
# NONE - do not verify anything
|
|
#
|
|
# PEER - verify the client certificate, if one's presented
|
|
#
|
|
# REQUIREPEER - require a client certificate, fail if one's not presented
|
|
#
|
|
#
|
|
TLS_VERIFYPEER=NONE
|
|
|
|
##NAME: TLS_CACHE:0
|
|
#
|
|
# A TLS/SSL session cache may slightly improve response for IMAP clients
|
|
# that open multiple SSL sessions to the server. TLS_CACHEFILE will be
|
|
# automatically created, TLS_CACHESIZE bytes long, and used as a cache
|
|
# buffer.
|
|
#
|
|
# This is an experimental feature and should be disabled if it causes
|
|
# problems with SSL clients. Disable SSL caching by commenting out the
|
|
# following settings:
|
|
|
|
TLS_CACHEFILE=/var/lib/courier-imap/couriersslcache
|
|
TLS_CACHESIZE=524288
|
|
|
|
##NAME: MAILDIRPATH:0
|
|
#
|
|
# MAILDIRPATH - directory name of the maildir directory.
|
|
#
|
|
MAILDIRPATH=Maildir
|
|
|
|
#Hardwire a value for ${MAILDIR}
|
|
MAILDIRPATH=.maildir
|