| author | Sam Varshavchik | 2018-06-21 23:12:17 -0400 | 
|---|---|---|
| committer | Sam Varshavchik | 2018-06-21 23:12:17 -0400 | 
| commit | 778d07bc34d03e4ad77e7438898a54f3dbb2e31a (patch) | |
| tree | c60ee3cff13fb30b3022469fd6f9304f0b34cfda /imap | |
| parent | 004fa65d2fc50e9901859708cfe00d11cf121e25 (diff) | |
| download | courier-libs-778d07bc34d03e4ad77e7438898a54f3dbb2e31a.tar.bz2 | |
Add option to drop root when starting couriertls.
Diffstat (limited to 'imap')
| -rw-r--r-- | imap/ChangeLog | 13 | ||||
| -rw-r--r-- | imap/configure.ac | 1 | ||||
| -rw-r--r-- | imap/imapd-ssl.dist.in.git | 10 | ||||
| -rw-r--r-- | imap/imaplogin.c | 1 | ||||
| -rw-r--r-- | imap/pop3d-ssl.dist.in.git | 10 | ||||
| -rw-r--r-- | imap/pop3login.c | 1 | 
6 files changed, 24 insertions, 12 deletions
diff --git a/imap/ChangeLog b/imap/ChangeLog
index e74c129..8908705 100644
--- a/imap/ChangeLog
+++ b/imap/ChangeLog
@@ -1,3 +1,16 @@
+2018-06-21  Sam Varshavchik  <mrsam@courier-mta.com>
+
+	* libs/tcpd/tlsclient.h: add username option, used in couriertls_start
+	to set the child process's uid and gid.
+
+	* imaplogin.c (starttls): Set username option for couriertls
+
+	* pop3login.c (starttls): Set username option for couriertls
+
+	* imapd-ssl.dist, pop3d-ssl.dist: Use separate imap and pop3 session
+	cache files. Startup script: remove/set ownership and permsission
+	on the imap and pop3 session cache files.
+
 2018-02-13  Sam Varshavchik  <mrsam@courier-mta.com>
 	* libs/tcpd/libcouriergnutls.c: Remove usage of deprecated OpenPGP
diff --git a/imap/configure.ac b/imap/configure.ac
index 40108cd..b7f31fd 100644
--- a/imap/configure.ac
+++ b/imap/configure.ac
@@ -99,6 +99,7 @@ AC_SUBST(RANDOMV)
 AC_ARG_WITH(mailuser, [], mailuser="$withval",
         AC_MSG_ERROR(--with-mailuser missing))
 AC_SUBST(mailuser)
+AC_DEFINE_UNQUOTED(MAILUSER, ["$mailuser"], [ Mail system user ])
 dnl Checks for libraries.
diff --git a/imap/imapd-ssl.dist.in.git b/imap/imapd-ssl.dist.in.git
index df5cf02..50f1879 100644
--- a/imap/imapd-ssl.dist.in.git
+++ b/imap/imapd-ssl.dist.in.git
@@ -200,10 +200,8 @@ TLS_STARTTLS_PROTOCOL="$TLS_PROTOCOL"
 ##NAME: TLS_CERTFILE:0
 #
-# TLS_CERTFILE - certificate to use.  TLS_CERTFILE is required for SSL/TLS
-# servers, and is optional for SSL/TLS clients.  TLS_CERTFILE is usually
-# treated as confidential, and must not be world-readable. Set TLS_CERTFILE
-# instead of TLS_DHCERTFILE if this is a garden-variety certificate
+# TLS_CERTFILE - certificate to use. TLS_CERTFILE must be owned
+# by the "@mailuser@" user, and must not be world-readable.
 #
 # VIRTUAL HOSTS ON THE SAME IP ADDRESS.
 #
@@ -285,14 +283,14 @@ TLS_VERIFYPEER=NONE
 # field. The certificate's emailaddress subject must match exactly the login
 # ID in the courier-authlib database.
-##NAME: TLS_CACHE:0
+##NAME: TLS_CACHE:1
 #
 # A TLS/SSL session cache may slightly improve response for IMAP clients
 # that open multiple SSL sessions to the server.  TLS_CACHEFILE will be
 # automatically created, TLS_CACHESIZE bytes long, and used as a cache
 # buffer.
-TLS_CACHEFILE=@localstatedir@/couriersslcache
+TLS_CACHEFILE=@localstatedir@/couriersslpop3cache
 TLS_CACHESIZE=524288
 ##NAME: MAILDIRPATH:0
diff --git a/imap/imaplogin.c b/imap/imaplogin.c
index 0f0b0bf..a445a35 100644
--- a/imap/imaplogin.c
+++ b/imap/imaplogin.c
@@ -96,6 +96,7 @@ static int	starttls(const char *tag)
 	cmdsuccess(tag, "Begin SSL/TLS negotiation now.\r\n");
 	writeflush();
+	cinfo.username=MAILUSER;
 	if (couriertls_start(argvec, &cinfo))
 	{
diff --git a/imap/pop3d-ssl.dist.in.git b/imap/pop3d-ssl.dist.in.git
index 43a68e5..ec16ce8 100644
--- a/imap/pop3d-ssl.dist.in.git
+++ b/imap/pop3d-ssl.dist.in.git
@@ -194,10 +194,8 @@ TLS_STARTTLS_PROTOCOL="$TLS_PROTOCOL"
 ##NAME: TLS_CERTFILE:0
 #
-# TLS_CERTFILE - certificate to use.  TLS_CERTFILE is required for SSL/TLS
-# servers, and is optional for SSL/TLS clients.  TLS_CERTFILE is usually
-# treated as confidential, and must not be world-readable. Set TLS_CERTFILE
-# instead of TLS_DHCERTFILE if this is a garden-variety certificate
+# TLS_CERTFILE - certificate to use. TLS_CERTFILE must be owned
+# by the "@mailuser@" user, and must not be world-readable.
 #
 # VIRTUAL HOSTS ON THE SAME IP ADDRESS.
 #
@@ -279,7 +277,7 @@ TLS_VERIFYPEER=NONE
 # field. The certificate's emailaddress subject must match exactly the login
 # ID in the courier-authlib database.
-##NAME: TLS_CACHE:0
+##NAME: TLS_CACHE:1
 #
 # A TLS/SSL session cache may slightly improve response for long-running
 # POP3 clients. TLS_CACHEFILE will be automatically created, TLS_CACHESIZE
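Review bot: The new TLS_CACHEFILE value in this imapd-ssl.dist.in.git hunk is `@localstatedir@/couriersslpop3cache`, while the pop3d-ssl.dist.in.git hunk at -289,7 sets `@localstatedir@/couriersslimapcache`; the two names look swapped relative to the file each lives in. Each daemon still gets a cache file of its own, so sessions are not shared across services, but a startup script or admin that fixes ownership and permissions on "the imap cache file" by name (which the ChangeLog says the startup script now does) will be touching the other daemon's file. Suggested lines: `TLS_CACHEFILE=@localstatedir@/couriersslimapcache` here and `TLS_CACHEFILE=@localstatedir@/couriersslpop3cache` in pop3d-ssl.dist.in.git.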
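Review bot: The added `cinfo.username=MAILUSER;` in imaplogin.c carries no comment, and its effect is not visible at the call site: per the ChangeLog hunk it makes couriertls_start switch the child to that uid/gid, which is why TLS_CERTFILE and TLS_CACHEFILE now have to be readable by the mail user rather than by root. A one-line comment would spare the next reader the cross-reference: `/* couriertls drops root to MAILUSER; the cert and session-cache files must be readable by that user */`. The identical line in the pop3login.c hunk deserves the same comment. What couriertls_start does when MAILUSER cannot be resolved at runtime is outside this diff; it is worth confirming that it refuses to start TLS rather than continuing as root. starttls begins and ends outside the hunk in both files.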
@@ -289,7 +287,7 @@ TLS_VERIFYPEER=NONE
 # problems with SSL clients.  Disable SSL caching by commenting out the
 # following settings:
-TLS_CACHEFILE=@localstatedir@/couriersslcache
+TLS_CACHEFILE=@localstatedir@/couriersslimapcache
 TLS_CACHESIZE=524288
 ##NAME: MAILDIRPATH:0
diff --git a/imap/pop3login.c b/imap/pop3login.c
index e6ee33f..d541254 100644
--- a/imap/pop3login.c
+++ b/imap/pop3login.c
@@ -75,6 +75,7 @@ static int	starttls()
 	printf("+OK Begin SSL/TLS negotiation now.\r\n");
 	fflush(stdout);
 	fflush(stdin);
+	cinfo.username=MAILUSER;
 	if (couriertls_start(argvec, &cinfo))
 	{
