Diffstat (limited to 'imap/imapd-ssl.dist.in.git')
-rw-r--r--imap/imapd-ssl.dist.in.git69
1 files changed, 45 insertions, 24 deletions
diff --git a/imap/imapd-ssl.dist.in.git b/imap/imapd-ssl.dist.in.git
index 50f1879..8ed9e36 100644
--- a/imap/imapd-ssl.dist.in.git
+++ b/imap/imapd-ssl.dist.in.git
@@ -5,7 +5,7 @@
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
-# Copyright 2000 - 2016 Double Precision, Inc. See COPYING for
+# Copyright 2000 - 2019 Double Precision, Inc. See COPYING for
# distribution information.
#
# This configuration file sets various options for the Courier-IMAP server
@@ -106,9 +106,9 @@ COURIERTLS=@bindir@/couriertls
##NAME: TLS_PRIORITY:0
#
-# GnuTLS setting only
+# GnuTLS setting only (use TLS_CIPHER_LIST for OpenSSL)
#
-# Set TLS protocol priority settings (GnuTLS only)
+# Set TLS protocol priority settings
#
# DEFAULT: NORMAL:-CTYPE-OPENPGP
#
@@ -144,33 +144,15 @@ COURIERTLS=@bindir@/couriertls
##NAME: TLS_CIPHER_LIST:0
#
+# OpenSSL only (use TLS_PRIORITY for GnuTLS):
+#
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
# OpenSSL library. In most situations you can leave TLS_CIPHER_LIST
# undefined
#
-# OpenSSL:
-#
# TLS_CIPHER_LIST="TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
#
-# GnuTLS:
-#
-# TLS_CIPHER_LIST="HIGH:MEDIUM"
-#
-# The actual list of available ciphers depend on the options GnuTLS was
-# compiled against. The possible ciphers are:
-#
-# AES256, 3DES, AES128, ARC128, ARC40, RC2, DES, NULL
-#
-# Also, the following aliases:
-#
-# HIGH -- all ciphers that use more than a 128 bit key size
-# MEDIUM -- all ciphers that use a 128 bit key size
-# LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher
-# is not included
-# ALL -- all ciphers except the NULL cipher
-#
-# See GnuTLS documentation, gnutls_priority_init(3) for additional
-# documentation.
+# See the OpenSSL ciphers(1) manual page for the format of this setting.
##NAME: TLS_STARTTLS_PROTOCOL:0
#
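Review bot: The example kept on the `TLS_CIPHER_LIST="TLSv1:HIGH:...` line uses the `TLSv1` keyword, which in OpenSSL's ciphers(1) syntax names a set of cipher suites rather than restricting the protocol version, and a reader of this comment can easily take it for a protocol setting; I'd add `# Note: "TLSv1" here is a cipher-suite keyword, not a protocol restriction; use TLS_PROTOCOL for that.` under the example. The deleted GnuTLS paragraphs also leave no statement of what happens to an existing TLS_CIPHER_LIST value on a GnuTLS build — if it is now ignored, as the new "OpenSSL only" line suggests, say so explicitly, e.g. `# With GnuTLS this setting is ignored; use TLS_PRIORITY instead.`, because an operator who believes a cipher restriction is in effect when it is not has a silent misconfiguration.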
@@ -229,6 +211,45 @@ TLS_STARTTLS_PROTOCOL="$TLS_PROTOCOL"
TLS_CERTFILE=@certsdir@/imapd.pem
+##NAME: TLS_PRIVATE_KEYFILE:0
+#
+# TLS_PRIVATE_KEYFILE - SSL/TLS private key for decrypting peer data.
+# This file must be owned by the "@mailuser@" user, and must not be world
+# readable, and must be accessible without a pass-phrase, i.e. it must not
+# be encrypted.
+#
+# By default, courier generates SSL/TLS certifice including private key
+# and install it in TLS_CERTFILE path, so TLS_PRIVATE_KEYFILE is completely
+# optional. If TLS_PRIVATE_KEYFILE is not set (default), TLS_CERTFILE is
+# treated as certificate including private key file.
+#
+# If you get SSL/TLS certificate and private key from trusted certificate
+# authority(CA) and want to install them separately, TLS_PRIVATE_KEYFILE can
+# be used as private key file path setting.
+#
+# VIRTUAL HOSTS ON THE SAME IP ADDRESS.
+#
+# $TLS_PRIVATE_KEYFILE.domain and $TLS_CERTFILE.domain are a pair.
+# If you use VIRTUAL HOST feature on TLS_CERTFILE setting, you must set pair
+# private key as $TLS_PRIVATE_KEYFILE.domain. Then, create a link from
+# $TLS_PRIVATE_KEYFILE to whichever private key you consider to be the main one.
+# for example:
+# /etc/tls_private_keyfile.pem => /etc/tls_private_keyfile.pem.www.example.com
+#
+# IP-BASED VIRTUAL HOSTS:
+#
+# Just described on "VIRTUAL HOSTS ON THE SAME IP ADDRESS" above,
+# $TLS_PRIVATE_KEYFILE.aaa.bbb.ccc.ddd and $TLS_CERTFILE.aaa.bbb.ccc.ddd are
+# a pair. If TLS_PRIVATE_KEYFILE is set to /etc/tls_private_keyfile.pem,
+# then you'll need to install the actual certificate files as
+# /etc/tls_private_keyfile.pem.192.168.0.2, /etc/tls_private_keyfile.192.168.0.3
+# and so on, for each IP address.
+#
+# In all cases, $TLS_PRIVATE_KEYFILE needs to be linked to one of the existing
+# certificate files.
+#
+#TLS_PRIVATE_KEYFILE=@certsdir@/imapd_private_key.pem
+
##NAME: TLS_DHPARAMS:0
#
# TLS_DHPARAMS - DH parameter file.