##VERSION: $Id: esmtpd-ssl.dist.in,v 1.14 2010/02/02 22:30:00 mrsam Exp $
#
# esmtpd-ssl created from esmtpd-ssl.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
# Copyright 2000-2008 Double Precision, Inc. See COPYING for
# distribution information.
#
# This configuration file sets various options for the Courier-SMTP server
# when used to handle SSL ESMTP connections.
#
# SSL and non-SSL connections are handled by a dedicated instance of the
# couriertcpd daemon. If you are accepting both SSL and non-SSL ESMTP
# connections, you will start two instances of couriertcpd, one on the
# ESMTP port 25, and another one on the ESMTP-SSL port 465.
#
# Download OpenSSL from http://www.openssl.org/
#
##NAME: install_prefix:0
#
# Do not change the following settings.

prefix=@prefix@
exec_prefix=@exec_prefix@

##NAME: BOFHCHECKDNS:0
#
# Comment out the following line in order to accept mail with a bad
# return address.

BOFHCHECKDNS=1

##NAME: BOFHNOEXPN:1
#
# Set BOFHNOEXPN to 1 to disable the EXPN command.

BOFHNOEXPN=0

##NAME: BOFHNOVRFY:1
#
# Set BOFHNOVRFY to 1 to disable the VRFY command.

BOFHNOVRFY=0

##NAME: TARPIT:1
#
# Set TARPIT to 0 to disable tarpitting.

TARPIT=1

##NAME: NOADDMSGID:0
#
# The following environment variables keep Courier from adding
# default Date: and Message-ID: headers to messages which do not have them.
# If you would like to add default headers only for mail from certain
# IP address ranges, you can override them in the couriertcpd access file,
# see couriertcpd(8).

NOADDMSGID=1

##NAME: NOADDDATE:0
#
# See NOADDMSGID above; this one controls the default Date: header.

NOADDDATE=1

##NAME: ESMTP_LOG_DIALOG:0
#
# If set, log the esmtp dialog.

ESMTP_LOG_DIALOG=0

##NAME: AUTH_REQUIRED:0
#
# Set AUTH_REQUIRED to 1 in order to force the client to use ESMTP
# authentication. You can override AUTH_REQUIRED on a per-IP address basis
# using smtpaccess. See makesmtpaccess(8).

AUTH_REQUIRED=0

##NAME: SSLPORT:0
#
# Options in the esmtpd-ssl configuration file AUGMENT the options in the
# esmtpd configuration file. First the esmtpd configuration file is read,
# then the esmtpd-ssl configuration file, so we do not have to redefine
# anything.
#
# However, some things do have to be redefined. The port number is
# specified by SSLPORT, instead of PORT. The default port is port 465.
#
# Multiple port numbers can be separated by commas. When multiple port
# numbers are used it is possible to select a specific IP address for a
# given port as "ip.port". For example, "127.0.0.1.900,192.168.0.1.900"
# accepts connections on port 900 on IP addresses 127.0.0.1 and 192.168.0.1.
# The SSLADDRESS setting is a default for ports that do not have
# a specified IP address.

SSLPORT=465

##NAME: SSLADDRESS:0
#
# Address to listen on, can be set to a single IP address.
#
# SSLADDRESS=127.0.0.1

SSLADDRESS=0

##NAME: SSLPIDFILE:0
#
# Location of the PID file for the esmtpd-ssl daemon.
#

SSLPIDFILE=@piddir@/esmtpd-ssl.pid

##NAME: ESMTPDSSLSTART:0
#
# Whether or not to start ESMTP over SSL on the esmtps port (SSLPORT):

ESMTPDSSLSTART=NO

##NAME: COURIERTLS:0
#
# The following variables configure ESMTP over SSL. If OpenSSL or GnuTLS
# is available during configuration, the couriertls helper gets compiled, and
# upon installation a dummy TLS_CERTFILE gets generated. courieresmtpd will
# automatically advertise the ESMTP STARTTLS extension if both TLS_CERTFILE
# and COURIERTLS exist.
#
# The dummy certificate generated at install time is a placeholder only;
# replace TLS_CERTFILE with a certificate issued for this server's host name
# before exposing the service.
#
# WARNING: Peer certificate verification has NOT yet been tested. Proceed
# at your own risk. Only the basic SSL/TLS functionality is known to be
# working. Keep this in mind as you play with the following variables.
#

COURIERTLS=@bindir@/couriertls

##NAME: TLS_PROTOCOL:0
#
# TLS_PROTOCOL sets the protocol version. The possible versions are:
#
# OpenSSL:
#
# SSL2 - SSLv2
# SSL3 - SSLv3
# SSL23 - either SSLv2 or SSLv3 (also TLS1, it seems)
# TLS1 - TLS1
#
# Note that this setting, with OpenSSL, is modified by the TLS_CIPHER_LIST
# setting, below.
#
# GnuTLS:
#
# SSL3 - SSLv3
# TLS1 - TLS 1.0
# TLS1_1 - TLS 1.1
#
# When compiled against GnuTLS, multiple protocols can be selected as follows:
#
# TLS_PROTOCOL="TLS1_1:TLS1:SSL3"
#
# DEFAULT VALUES:
#
# SSL23 (OpenSSL), or "TLS1_1:TLS1:SSL3" (GnuTLS)
#
# SSLv2 and SSLv3 are obsolete protocol versions with known weaknesses, and
# both defaults above still allow them to be negotiated. Unless legacy
# clients require them, restrict TLS_PROTOCOL to the TLS1* values (and, with
# OpenSSL, keep SSLv2/SSLv3 excluded in TLS_CIPHER_LIST).

##NAME: TLS_CIPHER_LIST:0
#
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
# OpenSSL library. In most situations you can leave TLS_CIPHER_LIST
# undefined.
#
# OpenSSL:
#
# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
#
# To enable SSL2, remove the obvious "!SSLv2" part from the above list.
# (Not recommended: SSLv2 is obsolete and insecure.)
#
# GnuTLS:
#
# TLS_CIPHER_LIST="HIGH:MEDIUM"
#
# The actual list of available ciphers depends on the options GnuTLS was
# compiled against. The possible ciphers are:
#
# AES256, 3DES, AES128, ARC128, ARC40, RC2, DES, NULL
#
# Also, the following aliases:
#
# HIGH -- all ciphers that use more than a 128 bit key size
# MEDIUM -- all ciphers that use a 128 bit key size
# LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher
# is not included
# ALL -- all ciphers except the NULL cipher
#
# NULL provides no encryption at all, and the LOW ciphers use short keys;
# neither should be enabled on a server reachable from untrusted networks.

##NAME: TLS_KX_LIST:0
#
# GnuTLS only:
#
# Allowed key exchange protocols. The default of "ALL" should be sufficient.
# The list of supported key exchange protocols depends on the options GnuTLS
# was compiled against, but may include the following:
#
# DHERSA, DHEDSS, RSA, SRP, SRPRSA, SRPDSS, PSK, DHEPSK, ANONDH, RSAEXPORT
#
# ANONDH does not authenticate the peer and RSAEXPORT uses export-strength
# keys; "ALL" includes both. Consider listing only the authenticated,
# full-strength exchanges you actually need.

TLS_KX_LIST=ALL

##NAME: TLS_COMPRESSION:0
#
# GnuTLS only:
#
# Optional compression. "ALL" selects all available compression methods.
#
# Available compression methods: DEFLATE, LZO, NULL
#
# NOTE(review): compression applied before encryption can leak information
# about the plaintext through ciphertext length; TLS_COMPRESSION=NULL
# disables it.

TLS_COMPRESSION=ALL

##NAME: TLS_CERTS:0
#
# GnuTLS only:
#
# Supported certificate types are X509 and OPENPGP.
#
# OPENPGP has not been tested.

TLS_CERTS=X509

##NAME: TLS_TIMEOUT:0
# TLS_TIMEOUT is currently not implemented, and reserved for future use.
# This is supposed to be an inactivity timeout, but it's not yet implemented.
#

##NAME: TLS_DHCERTFILE:0
#
# TLS_DHCERTFILE - PEM file that stores a Diffie-Hellman-based certificate.
# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA
# you must generate a DH pair that will be used. In most situations the
# DH pair is to be treated as confidential, and the file specified by
# TLS_DHCERTFILE must not be world-readable.
#
# TLS_DHCERTFILE=

##NAME: TLS_CERTFILE:0
#
# TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS
# servers, and is optional for SSL/TLS clients. TLS_CERTFILE is usually
# treated as confidential, and must not be world-readable. Set TLS_CERTFILE
# instead of TLS_DHCERTFILE if this is a garden-variety certificate.
#
# VIRTUAL HOSTS (servers only):
#
# Due to technical limitations in the original SSL/TLS protocol, a dedicated
# IP address is required for each virtual host certificate. If you have
# multiple certificates, install each certificate file as
# $TLS_CERTFILE.aaa.bbb.ccc.ddd, where "aaa.bbb.ccc.ddd" is the IP address
# for the certificate's domain name. So, if TLS_CERTFILE is set to
# /etc/certificate.pem, then you'll need to install the actual certificate
# files as /etc/certificate.pem.192.168.0.2, /etc/certificate.pem.192.168.0.3
# and so on, for each IP address.
#
# GnuTLS only (servers only):
#
# GnuTLS implements a new TLS extension that eliminates the need to have a
# dedicated IP address for each SSL/TLS domain name. Install each certificate
# as $TLS_CERTFILE.domain, so if TLS_CERTFILE is set to /etc/certificate.pem,
# then you'll need to install the actual certificate files as
# /etc/certificate.pem.host1.example.com, /etc/certificate.pem.host2.example.com
# and so on.
#
# Note that this TLS extension also requires corresponding support in the
# client. Older SSL/TLS clients may not support this feature.
#
# This is an experimental feature.
#
# The per-IP and per-domain certificate files carry private keys just like
# TLS_CERTFILE itself, so they need the same restrictive permissions.

TLS_CERTFILE=@sysconfdir@/esmtpd.pem

##NAME: TLS_TRUSTCERTS:0
#
# TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
# pathname can be a file or a directory. If a file, the file should
# contain a list of trusted certificates, in PEM format. If a
# directory, the directory should contain the trusted certificates,
# in PEM format, one per file and hashed using OpenSSL's c_rehash
# script. TLS_TRUSTCERTS is used by SSL/TLS clients (by specifying
# the -domain option) and by SSL/TLS servers (when TLS_VERIFYPEER is set
# to PEER or REQUIREPEER).

TLS_TRUSTCERTS=@cacerts@

##NAME: TLS_VERIFYPEER:0
#
# TLS_VERIFYPEER - how to verify client certificates. The possible values of
# this setting are:
#
# NONE - do not verify anything
#
# PEER - verify the client certificate, if one's presented
#
# REQUIREPEER - require a client certificate, fail if one's not presented
#
# Note that PEER still accepts a client that presents no certificate at all;
# only REQUIREPEER rejects such connections.
#
TLS_VERIFYPEER=NONE

##NAME: TLS_EXTERNAL:0
#
# To enable SSL certificate-based authentication:
#
# 1) TLS_TRUSTCERTS must be set to a pathname that holds your certificate
# authority's SSL certificate
#
# 2) TLS_VERIFYPEER=PEER or TLS_VERIFYPEER=REQUIREPEER (the latter setting
# requires all SSL clients to present a certificate, and rejects
# SSL/TLS connections without a valid cert).
#
# 3) Set TLS_EXTERNAL, below, to the subject field that holds the login ID.
# Example:
#
# TLS_EXTERNAL=emailaddress
#
# The above example retrieves the login ID from the "emailaddress" subject
# field. The certificate's emailaddress subject must match exactly the login
# ID in the courier-authlib database.
#
# Because the login ID is taken straight from the certificate subject, any
# CA present in TLS_TRUSTCERTS can effectively issue logins. When
# TLS_EXTERNAL is used, keep TLS_TRUSTCERTS limited to the CA(s) that issue
# your client certificates rather than a general-purpose trust store.

##NAME: MAXDAEMONS:0
#
# Maximum number of daemons started
#

MAXDAEMONS=40

##NAME: MAXPERC:0
#
# Maximum number of connections accepted from the same class C address block
#

MAXPERC=5

##NAME: MAXPERIP:0
#
#
# Maximum number of connections accepted from the same IP address

MAXPERIP=5