authorSam Varshavchik2013-11-10 20:07:18 -0500
committerSam Varshavchik2013-11-10 21:55:21 -0500
commit4d91075b1b90f68527304b45bb26637a17e1454d (patch)
treedde479f63ba4470a3e9c4210b79cda13d0aab4c4 /imap
parent37a74ee0f736237b67330c620de7dc08232dec17 (diff)
downloadcourier-libs-4d91075b1b90f68527304b45bb26637a17e1454d.tar.bz2
Update DH parameter configuration scripts.
* libs/tcpd/libcouriergnutls.c, libs/tcpd/libcouriertls.c: remove the TLS_DHCERTFILE setting, and use TLS_CERTFILE for all functionality. Read DH parameters from TLS_CERTFILE, or from the new TLS_DHPARAMS environment variable. * mkdhparams: New script that generates DH parameters into a standalone file. * Remove TLS_DHCERTFILE setting from imapd-ssl, pop3d-ssl, esmtpd and esmtpd-ssl. Add TLS_DHPARAMS. * Update imapd.cnf.openssl, pop3d.cnf.openssl, esmtpd.cnf.openssl, set default number of bits for RSA keys to 4096.
Diffstat (limited to 'imap')
-rw-r--r--imap/.gitignore5
-rw-r--r--imap/ChangeLog16
-rw-r--r--imap/Makefile.am18
-rw-r--r--imap/configure.ac2
-rw-r--r--imap/imapd-ssl.dist.in16
-rw-r--r--imap/imapd.cnf.openssl.in2
-rw-r--r--imap/mkdhparams.in44
-rw-r--r--imap/mkdhparams.sgml81
-rw-r--r--imap/mkimapdcert.in15
-rw-r--r--imap/mkpop3dcert.in14
-rw-r--r--imap/pop3d-ssl.dist.in16
-rw-r--r--imap/pop3d.cnf.openssl.in2
12 files changed, 201 insertions, 30 deletions
diff --git a/imap/.gitignore b/imap/.gitignore
index 4b8bc07..3687d22 100644
--- a/imap/.gitignore
+++ b/imap/.gitignore
@@ -17,6 +17,11 @@
/imapd.html.in
/imapd.pam
/imaplogin
+/mkdhparams
+/mkdhparams.8
+/mkdhparams.8.in
+/mkdhparams.html
+/mkdhparams.html.in
/mkimapdcert
/mkimapdcert.8
/mkimapdcert.8.in
diff --git a/imap/ChangeLog b/imap/ChangeLog
index 297b0cc..a5eeb40 100644
--- a/imap/ChangeLog
+++ b/imap/ChangeLog
@@ -1,3 +1,19 @@
+2013-11-10 Sam Varshavchik <mrsam@courier-mta.com>
+
+ * libs/tcpd/libcouriergnutls.c, libs/tcpd/libcouriertls.c: remove the
+ TLS_DHCERTFILE setting, and use TLS_CERTFILE for all functionality.
+ Read DH parameters from TLS_CERTFILE, or from the new TLS_DHPARAMS
+ environment variable.
+
+ * mkdhparams: New script that generates DH parameters into a standalone
+ file.
+
+ * Remove TLS_DHCERTFILE setting from imapd-ssl, pop3d-ssl, esmtpd and
+ esmtpd-ssl. Add TLS_DHPARAMS.
+
+ * Update imapd.cnf.openssl, pop3d.cnf.openssl, esmtpd.cnf.openssl,
+ set default number of bits for RSA keys to 4096.
+
2013-10-14 Sam Varshavchik <mrsam@courier-mta.com>
* libs/tcpd/libcouriertls.c (tls_create): Add TLSv1_1_method() and
diff --git a/imap/Makefile.am b/imap/Makefile.am
index 46a1e41..ef36662 100644
--- a/imap/Makefile.am
+++ b/imap/Makefile.am
@@ -8,22 +8,25 @@ BUILT_SOURCES=README.proxy
DISTCLEANFILES=imapd.pam pop3d.pam imapd.cnf pop3d.cnf
CLEANFILES=imapd.8 imapd.html mkimapdcert.html mkimapdcert.8 \
+ mkdhparams.html mkdhparams.8 \
courierpop3d.html courierpop3d.8 mkpop3dcert.html mkpop3dcert.8
EXTRA_DIST=testsuite testsuite.txt smaptestsuite smaptestsuite.txt \
BUGS BUGS.html README README.html imapd.authpam \
pop3d.authpam system-auth.authpam system-auth2.authpam\
imapd.html.in imapd.8.in \
+ mkdhparams.html.in mkdhparams.8.in \
mkimapdcert.html.in mkimapdcert.8.in \
mkpop3dcert.html.in mkpop3dcert.8.in \
courierpop3d.html.in courierpop3d.8.in \
README.proxy README.proxy.html \
imapd.cnf.gnutls pop3d.cnf.gnutls
-noinst_SCRIPTS=mkimapdcert mkpop3dcert
+noinst_SCRIPTS=mkimapdcert mkpop3dcert mkdhparams
noinst_PROGRAMS=imaplogin imapd pop3login pop3d
noinst_DATA=imapd.8 imapd.html imapd.cnf pop3d.cnf \
+ mkdhparams.html mkdhparams.8 \
mkimapdcert.html mkimapdcert.8 \
mkpop3dcert.html mkpop3dcert.8 \
courierpop3d.html courierpop3d.8
@@ -102,6 +105,12 @@ imapd.html: imapd.html.in
imapd.8: imapd.8.in
./config.status --file=imapd.8
+mkdhparams.html: mkdhparams.html.in
+ ./config.status --file=mkdhparams.html
+
+mkdhparams.8: mkdhparams.8.in
+ ./config.status --file=mkdhparams.8
+
mkimapdcert.html: mkimapdcert.html.in
./config.status --file=mkimapdcert.html
@@ -128,6 +137,13 @@ imapd.8.in: imapd.sgml ../docbook/sgml2man
../docbook/sgml2man imapd.sgml imapd.8.in
mv imapd.8 imapd.8.in
+mkdhparams.html.in: mkdhparams.sgml ../docbook/sgml2html
+ ../docbook/sgml2html mkdhparams.sgml mkdhparams.html.in
+
+mkdhparams.8.in: mkdhparams.sgml ../docbook/sgml2man
+ ../docbook/sgml2man mkdhparams.sgml mkdhparams.8.in
+ mv mkdhparams.8 mkdhparams.8.in
+
mkimapdcert.html.in: mkimapdcert.sgml ../docbook/sgml2html
../docbook/sgml2html mkimapdcert.sgml mkimapdcert.html.in
diff --git a/imap/configure.ac b/imap/configure.ac
index 7253d96..e60a5b5 100644
--- a/imap/configure.ac
+++ b/imap/configure.ac
@@ -367,5 +367,5 @@ int main()
AC_SUBST(cacerts)
AC_OUTPUT(Makefile imapd.dist imapd-ssl.dist pop3d.dist pop3d-ssl.dist
- testsuitefix.pl mkimapdcert mkpop3dcert
+ testsuitefix.pl mkimapdcert mkpop3dcert mkdhparams
imapd.cnf.openssl pop3d.cnf.openssl)
diff --git a/imap/imapd-ssl.dist.in b/imap/imapd-ssl.dist.in
index ac2f468..609c5aa 100644
--- a/imap/imapd-ssl.dist.in
+++ b/imap/imapd-ssl.dist.in
@@ -194,16 +194,6 @@ COURIERTLS=@bindir@/couriertls
# This is supposed to be an inactivity timeout, but its not yet implemented.
#
-##NAME: TLS_DHCERTFILE:0
-#
-# TLS_DHCERTFILE - PEM file that stores a Diffie-Hellman -based certificate.
-# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA
-# you must generate a DH pair that will be used. In most situations the
-# DH pair is to be treated as confidential, and the file specified by
-# TLS_DHCERTFILE must not be world-readable.
-#
-# TLS_DHCERTFILE=
-
##NAME: TLS_CERTFILE:0
#
# TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS
@@ -238,6 +228,12 @@ COURIERTLS=@bindir@/couriertls
TLS_CERTFILE=@certsdir@/imapd.pem
+##NAME: TLS_DHPARAMS:0
+#
+# TLS_DHPARAMS - DH parameter file.
+#
+TLS_DHPARAMS=@certsdir@/dhparams.pem
+
##NAME: TLS_TRUSTCERTS:0
#
# TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
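Review bot: The one-line comment on the new `TLS_DHPARAMS` setting says nothing about DH parameters that are still embedded in `TLS_CERTFILE`, which matters because this same commit stops mkimapdcert from appending a 512-bit `gendh` group to imapd.pem, so every installation created with the older script still carries that weak group inside the certificate file. The commit message says parameters are read from TLS_CERTFILE "or" TLS_DHPARAMS, but the libcouriertls change is outside this diff and the precedence cannot be confirmed here; whichever it is, the setting's comment should state it and tell administrators to strip the stale group or recreate imapd.pem. It should also say that the file is produced by mkdhparams(8) and that, while DH parameters are not secret, the file must be writable only by root, since whoever can replace it chooses the group the server negotiates. Suggested comment: `# TLS_DHPARAMS - DH parameter file, generated by mkdhparams(8). Older mkimapdcert` / `# releases appended a 512-bit DH group to TLS_CERTFILE; remove it (or recreate the` / `# certificate) so that only this file supplies DH parameters.`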
diff --git a/imap/imapd.cnf.openssl.in b/imap/imapd.cnf.openssl.in
index 0c66526..db9c732 100644
--- a/imap/imapd.cnf.openssl.in
+++ b/imap/imapd.cnf.openssl.in
@@ -2,7 +2,7 @@
RANDFILE = @certsdir@/imapd.rand
[ req ]
-default_bits = 1024
+default_bits = 4096
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
diff --git a/imap/mkdhparams.in b/imap/mkdhparams.in
new file mode 100644
index 0000000..f5bddfa
--- /dev/null
+++ b/imap/mkdhparams.in
@@ -0,0 +1,44 @@
+#! @SHELL@
+#
+# Copyright 2013 Double Precision, Inc. See COPYING for
+# distribution information.
+#
+# Run this script monthly to generate DH parameters.
+
+if test -f @certsdir@/dhparams.pem
+then
+ if test "`find @certsdir@/dhparams.pem -mtime +25 -print `" = ""
+ then
+ # Less than 25 days old
+ exit 0
+ fi
+fi
+
+set -e
+
+cp /dev/null @certsdir@/dhparams.pem.tmp
+chmod 600 @certsdir@/dhparams.pem.tmp
+chown @mailuser@ @certsdir@/dhparams.pem.tmp
+
+BITS="$DH_BITS"
+if test "@ssllib@" = "openssl"
+then
+ if test "$BITS" = ""
+ then
+ BITS=768
+ fi
+
+ dd if=@RANDOMV@ of=@certsdir@/dhparams.rand.tmp count=1 2>/dev/null
+ @OPENSSL@ dhparam -rand @certsdir@/dhparams.rand.tmp -outform PEM $BITS >@certsdir@/dhparams.pem.tmp
+ rm -f @certsdir@/dhparams.rand.tmp
+ mv -f @certsdir@/dhparams.pem.tmp @certsdir@/dhparams.pem
+else
+ if test "$BITS" = ""
+ then
+ BITS=high
+ fi
+
+ @CERTTOOL@ --generate-dh-params --sec-param $BITS >@certsdir@/dhparams.pem.tmp
+ mv -f @certsdir@/dhparams.pem.tmp @certsdir@/dhparams.pem
+fi
+
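Review bot: The script takes its bit size from `$DH_BITS` (`BITS="$DH_BITS"`), while the man page added in this commit documents the variable as `BITS` and the updated mkimapdcert/mkpop3dcert scripts also use `BITS`, so the documented override silently does nothing; `BITS="${DH_BITS:-$BITS}"` would honour both spellings. The OpenSSL default `BITS=768` is also hard to square with the same commit raising RSA keys to 4096 bits: a 768-bit group is below even the 1024-bit size that NIST SP 800-131A only tolerated as deprecated through 2013, and `BITS=2048` is the conventional minimum. With `set -e` in force, any failure of the `openssl dhparam` or `certtool` step exits before the `rm -f`/`mv -f` lines and leaves `dhparams.pem.tmp` (and `dhparams.rand.tmp`) behind; a `trap 'rm -f @certsdir@/dhparams.pem.tmp @certsdir@/dhparams.rand.tmp' EXIT` placed right after `set -e` cleans up on every path. The existing `dhparams.pem` is only replaced by the final `mv`, so a failed run keeps serving the old parameters, which is the right behaviour and worth a comment.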
diff --git a/imap/mkdhparams.sgml b/imap/mkdhparams.sgml
new file mode 100644
index 0000000..086a530
--- /dev/null
+++ b/imap/mkdhparams.sgml
@@ -0,0 +1,81 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<!-- Copyright 2013 Double Precision, Inc. See COPYING for -->
+<!-- distribution information. -->
+<refentry>
+ <info><author><firstname>Sam</firstname><surname>Varshavchik</surname><contrib>Author</contrib></author><productname>Courier Mail Server</productname></info>
+
+ <refmeta>
+ <refentrytitle>mkdhparams</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>Double Precision, Inc.</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname>mkdhparams</refname>
+ <refpurpose>create DH parameter file</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis sepchar=" ">
+ <command>@sbindir@/mkdhparams</command>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>
+ This script creates new DH parameters and saves them in
+ <filename>@certsdir@/dhparams.pem</filename>. If this file already exists
+ and it's less than 25 days old, the script returns immediately.
+ If this file is over 25 days old, new DH parameters get generated and
+ the file gets replaced.
+ </para>
+
+ <para>
+ This script is intended to be execute when the system boots, or from
+ a monthly cron job.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>FILES</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>@certsdir@/dhparams.pem</term>
+ <listitem>
+ <simpara>
+ DH Parameter file.
+ </simpara>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>ENVIRONMENT VARIABLES</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>BITS</term>
+ <listitem>
+ <simpara>
+ Customize the DH parameter bit size. The default value depends on
+ whether this script uses OpenSSL or GnuTLS libraries. For OpenSSL
+ the default number of bits is 768. GnuTLS uses a security level
+ setting, rather than the number of bits, and the default
+ security level is "high".
+ </simpara>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+
+ <para>
+ <ulink url="courier.html"><citerefentry><refentrytitle>courier</refentrytitle><manvolnum>8</manvolnum></citerefentry></ulink></para>
+ </refsect1>
+</refentry>
diff --git a/imap/mkimapdcert.in b/imap/mkimapdcert.in
index 4156975..3bc1df1 100644
--- a/imap/mkimapdcert.in
+++ b/imap/mkimapdcert.in
@@ -24,6 +24,9 @@ then
fi
umask 077
+set -e
+
+BITS="$BITS"
cleanup() {
rm -f @certsdir@/imapd.pem
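Review bot: The added `BITS="$BITS"` assigns the variable to itself and has no effect; if the intent is to make the inherited environment setting explicit, `BITS="${BITS:-}"` says so, otherwise the line can be dropped because the `test "$BITS" = ""` check further down already handles an unset value. In the OpenSSL branch `BITS` is never read at all (the key size comes from `default_bits` in imapd.cnf), so a comment such as `# BITS: GnuTLS --sec-param level; OpenSSL takes the key size from imapd.cnf` would save the next reader the search. The `cleanup` function's body continues beyond the hunk.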
@@ -44,20 +47,26 @@ then
dd if=@RANDOMV@ of=@certsdir@/imapd.rand count=1 2>/dev/null
@OPENSSL@ req -new -x509 -days 365 -nodes \
-config @sysconfdir@/imapd.cnf -out @certsdir@/imapd.pem -keyout @certsdir@/imapd.pem || cleanup
- @OPENSSL@ gendh -rand @certsdir@/imapd.rand 512 >>@certsdir@/imapd.pem || cleanup
@OPENSSL@ x509 -subject -dates -fingerprint -noout -in @certsdir@/imapd.pem || cleanup
rm -f @certsdir@/imapd.rand
else
+ if test "$BITS" = ""
+ then
+ BITS="high"
+ fi
cp /dev/null @certsdir@/imapd.key
chmod 600 @certsdir@/imapd.key
cp /dev/null @certsdir@/imapd.cert
chmod 600 @certsdir@/imapd.cert
cp /dev/null @certsdir@/imapd.pem
chmod 600 @certsdir@/imapd.pem
+ chown @mailuser@ @certsdir@/imapd.pem
+ cp /dev/null @certsdir@/imapd.pem
+ cp /dev/null @certsdir@/imapd.cert
+ cp /dev/null @certsdir@/imapd.key
- @CERTTOOL@ --generate-privkey --outfile imapd.key
+ @CERTTOOL@ --generate-privkey --sec-param=$BITS --outfile imapd.key
@CERTTOOL@ --generate-self-signed --load-privkey imapd.key --outfile imapd.cert --template @sysconfdir@/imapd.cnf
- @CERTTOOL@ --generate-dh-params >>imapd.cert
cat imapd.key imapd.cert >imapd.pem
rm -f imapd.key imapd.cert
fi
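Review bot: With `set -e` now in force, the two `certtool` invocations in the GnuTLS branch have no `|| cleanup`, unlike the `openssl` calls in the branch above, so a failed key or certificate generation aborts and leaves the empty 0600 `imapd.pem` created by `cp /dev/null` in place; if the existence check above this hunk (the `fi` at its top suggests one) refuses to overwrite an existing imapd.pem, the next run will then do nothing. Appending `|| cleanup` to both lines, e.g. `@CERTTOOL@ --generate-privkey --sec-param=$BITS --outfile imapd.key || cleanup`, keeps the two branches consistent. The three `cp /dev/null` lines added after the `chown` merely repeat the truncation done a few lines earlier and can go. Within the visible lines `chown @mailuser@` is applied only in the GnuTLS branch while the OpenSSL branch writes imapd.pem without changing its owner, which looks like an oversight worth confirming against how couriertls opens the file. The enclosing `if test "@ssllib@" = "openssl"` block starts before this hunk.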
diff --git a/imap/mkpop3dcert.in b/imap/mkpop3dcert.in
index 9a4c530..5d48a1f 100644
--- a/imap/mkpop3dcert.in
+++ b/imap/mkpop3dcert.in
@@ -24,6 +24,7 @@ then
fi
umask 077
+set -e
cleanup() {
rm -f @certsdir@/pop3d.pem
@@ -34,6 +35,9 @@ cleanup() {
}
cd @certsdir@
+umask 077
+BITS="$BITS"
+set -e
if test "@ssllib@" = "openssl"
then
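Review bot: The added `umask 077` and `set -e` duplicate the `umask 077` already present near the top of the script and the `set -e` this same commit inserts a few lines earlier (visible in the previous hunk), and `BITS="$BITS"` is a self-assignment with no effect. None of the three lines changes behaviour; I would keep the single `set -e` at the top and drop them, or replace the self-assignment with `BITS="${BITS:-}"` plus a comment like `# BITS: GnuTLS --sec-param level (unused by the OpenSSL branch)` if the point is to document the inherited variable. The `if test "@ssllib@" = "openssl"` block continues past the hunk.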
@@ -44,20 +48,24 @@ then
dd if=@RANDOMV@ of=@certsdir@/pop3d.rand count=1 2>/dev/null
@OPENSSL@ req -new -x509 -days 365 -nodes \
-config @sysconfdir@/pop3d.cnf -out @certsdir@/pop3d.pem -keyout @certsdir@/pop3d.pem || cleanup
- @OPENSSL@ gendh -rand @certsdir@/pop3d.rand 512 >>@certsdir@/pop3d.pem || cleanup
@OPENSSL@ x509 -subject -dates -fingerprint -noout -in @certsdir@/pop3d.pem || cleanup
rm -f @certsdir@/pop3d.rand
else
+ if test "$BITS" = ""
+ then
+ BITS="high"
+ fi
+
cp /dev/null @certsdir@/pop3d.key
chmod 600 @certsdir@/pop3d.key
cp /dev/null @certsdir@/pop3d.cert
chmod 600 @certsdir@/pop3d.cert
cp /dev/null @certsdir@/pop3d.pem
chmod 600 @certsdir@/pop3d.pem
+ chown @mailuser@ @certsdir@/pop3d.pem
- @CERTTOOL@ --generate-privkey --outfile pop3d.key
+ @CERTTOOL@ --generate-privkey --sec-param=$BITS --outfile pop3d.key
@CERTTOOL@ --generate-self-signed --load-privkey pop3d.key --outfile pop3d.cert --template @sysconfdir@/pop3d.cnf
- @CERTTOOL@ --generate-dh-params >>pop3d.cert
cat pop3d.key pop3d.cert >pop3d.pem
rm -f pop3d.key pop3d.cert
fi
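Review bot: The `certtool` calls in the GnuTLS branch still run without the `|| cleanup` that guards every `openssl` call in the branch above, and with `set -e` now enabled a failure there exits immediately, leaving the zero-length 0600 `pop3d.pem` (plus `pop3d.key`/`pop3d.cert`) created by the preceding `cp /dev/null` lines on disk. Adding `|| cleanup` to both lines, e.g. `@CERTTOOL@ --generate-self-signed --load-privkey pop3d.key --outfile pop3d.cert --template @sysconfdir@/pop3d.cnf || cleanup`, gives both branches the same recovery path; whether a stale empty pop3d.pem blocks a rerun depends on the existence check above the hunk, which is not visible here. The new `chown @mailuser@` is likewise applied only in the GnuTLS branch; the OpenSSL branch in the visible lines leaves pop3d.pem owned by whoever ran the script, which should be checked against what couriertls expects. The enclosing `if`/`else` starts before this hunk.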
diff --git a/imap/pop3d-ssl.dist.in b/imap/pop3d-ssl.dist.in
index 81a395a..1164b77 100644
--- a/imap/pop3d-ssl.dist.in
+++ b/imap/pop3d-ssl.dist.in
@@ -158,16 +158,6 @@ COURIERTLS=@bindir@/couriertls
# This is supposed to be an inactivity timeout, but its not yet implemented.
#
-##NAME: TLS_DHCERTFILE:0
-#
-# TLS_DHCERTFILE - PEM file that stores a Diffie-Hellman -based certificate.
-# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA
-# you must generate a DH pair that will be used. In most situations the
-# DH pair is to be treated as confidential, and the file specified by
-# TLS_DHCERTFILE must not be world-readable.
-#
-# TLS_DHCERTFILE=
-
##NAME: TLS_CERTFILE:0
#
# TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS
@@ -202,6 +192,12 @@ COURIERTLS=@bindir@/couriertls
TLS_CERTFILE=@certsdir@/pop3d.pem
+##NAME: TLS_DHPARAMS:0
+#
+# TLS_DHPARAMS - DH parameter file.
+#
+TLS_DHPARAMS=@certsdir@/dhparams.pem
+
##NAME: TLS_TRUSTCERTS:0
#
# TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
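Review bot: The comment on the new `TLS_DHPARAMS` setting is a bare "DH parameter file" and does not tell the administrator how it relates to the DH group that older mkpop3dcert releases appended to pop3d.pem with `gendh 512`, a line this commit removes from the script but which leaves the 512-bit group in every existing certificate file. The commit message describes parameters as read from TLS_CERTFILE or TLS_DHPARAMS; the code that decides between them is outside this diff, so the precedence is uncertain from here, and the comment is the place to state it and to instruct users to remove the old group or recreate pop3d.pem. Mentioning that mkdhparams(8) generates the file and that it must stay root-writable only (the parameters are public, but a substituted file selects the group the server uses) would complete it. Suggested text: `# TLS_DHPARAMS - DH parameter file, generated by mkdhparams(8). Certificates` / `# created by older mkpop3dcert releases contain a 512-bit DH group; remove it` / `# (or recreate pop3d.pem) so that only this file supplies DH parameters.`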
diff --git a/imap/pop3d.cnf.openssl.in b/imap/pop3d.cnf.openssl.in
index 971965e..5ef1d47 100644
--- a/imap/pop3d.cnf.openssl.in
+++ b/imap/pop3d.cnf.openssl.in
@@ -2,7 +2,7 @@
RANDFILE = @certsdir@/pop3d.rand
[ req ]
-default_bits = 1024
+default_bits = 4096
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type