| -rw-r--r-- | imap/imapd-ssl.dist.in.git | 2 | ||||
| -rw-r--r-- | imap/pop3d-ssl.dist.in.git | 2 | ||||
| -rw-r--r-- | tcpd/couriertls.sgml | 10 | ||||
| -rw-r--r-- | tcpd/libcouriertls.h | 6 | 
4 files changed, 18 insertions, 2 deletions
diff --git a/imap/imapd-ssl.dist.in.git b/imap/imapd-ssl.dist.in.git
index 3873cb8..5204818 100644
--- a/imap/imapd-ssl.dist.in.git
+++ b/imap/imapd-ssl.dist.in.git
@@ -231,7 +231,7 @@ TLS_CERTFILE=@certsdir@/imapd.pem
 
 ##NAME: TLS_PRIVATE_KEYFILE:0
 #
-# TLS_PRIVATE_KEYFILE - SSL/TLS private key for decrypting client data.
+# TLS_PRIVATE_KEYFILE - SSL/TLS private key for decrypting peer data.
 # This file must be owned by the "@mailuser@" user, and must not be world
 # readable.
 #
diff --git a/imap/pop3d-ssl.dist.in.git b/imap/pop3d-ssl.dist.in.git
index 5e0d6cf..9611524 100644
--- a/imap/pop3d-ssl.dist.in.git
+++ b/imap/pop3d-ssl.dist.in.git
@@ -225,7 +225,7 @@ TLS_CERTFILE=@certsdir@/pop3d.pem
 
 ##NAME: TLS_PRIVATE_KEYFILE:0
 #
-# TLS_PRIVATE_KEYFILE - SSL/TLS private key for decrypting client data.
+# TLS_PRIVATE_KEYFILE - SSL/TLS private key for decrypting peer data.
 # This file must be owned by the "@mailuser@" user, and must not be world
 # readable.
 #
diff --git a/tcpd/couriertls.sgml b/tcpd/couriertls.sgml
index a7a8e72..0711654 100644
--- a/tcpd/couriertls.sgml
+++ b/tcpd/couriertls.sgml
@@ -236,6 +236,16 @@ for SSL/TLS clients.
       </varlistentry>
 
       <varlistentry>
+	<term>TLS_PRIVATE_KEYFILE=<replaceable>filename</replaceable></term>
+	<listitem>
+	  <para>
+SSL/TLS private key for decrypting client data.
+<envar>TLS_PRIVATE_KEY</envar> is optional because <term>TLS_CERTFILE</term> is generated including cert and private key both.
+<replaceable>filename</replaceable> must not be world-readable.</para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
 	<term>TLS_TRUSTCERTS=<replaceable>pathname</replaceable></term>
 	<listitem>
 	  <para>
diff --git a/tcpd/libcouriertls.h b/tcpd/libcouriertls.h
index 17faabc..a45f910 100644
--- a/tcpd/libcouriertls.h
+++ b/tcpd/libcouriertls.h
@@ -325,6 +325,12 @@ TLS_CERTFILE is required for SSL/TLS servers, and is optional for SSL/TLS
 clients.
 TLS_CERTFILE is usually treated as confidential, and must not be
 world-readable.
+TLS_PRIVATE_KEYFILE - SSL/TLS private key for decrypting peer data.
+By default, courier generates SSL/TLS certifice including private key
+and install it in TLS_CERTFILE path, so TLS_PRIVATE_KEYFILE is completely
+optional. If TLS_PRIVATE_KEYFILE is not set (default), TLS_CERTFILE is
+treated as certificate including private key file.
+
 TLS_TRUSTCERTS=pathname - load trusted root certificates from pathname.
 pathname can be a file or a directory. If a file, the file should
 contain a list of trusted certificates, in PEM format. If a
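Review bot: The added TLS_PRIVATE_KEYFILE paragraph drops the permission requirement that the TLS_CERTFILE text directly above it and the imapd/pop3d config comments in this same commit both state; it should say the key file is confidential and must not be world-readable, e.g. `TLS_PRIVATE_KEYFILE is treated as confidential, and must not be world-readable.` "Decrypting peer data" is also a loose description — the private key proves possession of the certificate in TLS_CERTFILE during the handshake rather than decrypting the peer's traffic — so `TLS_PRIVATE_KEYFILE - private key matching the certificate in TLS_CERTFILE.` would be more accurate. The new lines also need a spelling and grammar pass: "certifice" should be "certificate", "install it" should be "installs it", and "treated as certificate including private key file" reads better as "treated as a combined certificate and private key file". For consistency, the couriertls.sgml entry added by the same commit names the variable `<envar>TLS_PRIVATE_KEY</envar>` and still says "client data", while the option is TLS_PRIVATE_KEYFILE and the other files now say "peer data". The surrounding comment block in libcouriertls.h starts before this hunk.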
