diff options
Diffstat (limited to 'imap')
| -rw-r--r-- | imap/ChangeLog | 13 | ||||
| -rw-r--r-- | imap/configure.ac | 1 | ||||
| -rw-r--r-- | imap/imapd-ssl.dist.in.git | 10 | ||||
| -rw-r--r-- | imap/imaplogin.c | 1 | ||||
| -rw-r--r-- | imap/pop3d-ssl.dist.in.git | 10 | ||||
| -rw-r--r-- | imap/pop3login.c | 1 |
6 files changed, 24 insertions, 12 deletions
diff --git a/imap/ChangeLog b/imap/ChangeLog index e74c129..8908705 100644 --- a/imap/ChangeLog +++ b/imap/ChangeLog @@ -1,3 +1,16 @@ +2018-06-21 Sam Varshavchik <mrsam@courier-mta.com> + + * libs/tcpd/tlsclient.h: add username option, used in couriertls_start + to set the child process's uid and gid. + + * imaplogin.c (starttls): Set username option for couriertls + + * pop3login.c (starttls): Set username option for couriertls + + * imapd-ssl.dist, pop3d-ssl.dist: Use separate imap and pop3 session + cache files. Startup script: remove/set ownership and permsission + on the imap and pop3 session cache files. + 2018-02-13 Sam Varshavchik <mrsam@courier-mta.com> * libs/tcpd/libcouriergnutls.c: Remove usage of deprecated OpenPGP diff --git a/imap/configure.ac b/imap/configure.ac index 40108cd..b7f31fd 100644 --- a/imap/configure.ac +++ b/imap/configure.ac @@ -99,6 +99,7 @@ AC_SUBST(RANDOMV) AC_ARG_WITH(mailuser, [], mailuser="$withval", AC_MSG_ERROR(--with-mailuser missing)) AC_SUBST(mailuser) +AC_DEFINE_UNQUOTED(MAILUSER, ["$mailuser"], [ Mail system user ]) dnl Checks for libraries. diff --git a/imap/imapd-ssl.dist.in.git b/imap/imapd-ssl.dist.in.git index df5cf02..50f1879 100644 --- a/imap/imapd-ssl.dist.in.git +++ b/imap/imapd-ssl.dist.in.git @@ -200,10 +200,8 @@ TLS_STARTTLS_PROTOCOL="$TLS_PROTOCOL" ##NAME: TLS_CERTFILE:0 # -# TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS -# servers, and is optional for SSL/TLS clients. TLS_CERTFILE is usually -# treated as confidential, and must not be world-readable. Set TLS_CERTFILE -# instead of TLS_DHCERTFILE if this is a garden-variety certificate +# TLS_CERTFILE - certificate to use. TLS_CERTFILE must be owned +# by the "@mailuser@" user, and must not be world-readable. # # VIRTUAL HOSTS ON THE SAME IP ADDRESS. # @@ -285,14 +283,14 @@ TLS_VERIFYPEER=NONE # field. The certificate's emailaddress subject must match exactly the login # ID in the courier-authlib database. -##NAME: TLS_CACHE:0 +##NAME: TLS_CACHE:1 # # A TLS/SSL session cache may slightly improve response for IMAP clients # that open multiple SSL sessions to the server. TLS_CACHEFILE will be # automatically created, TLS_CACHESIZE bytes long, and used as a cache # buffer. -TLS_CACHEFILE=@localstatedir@/couriersslcache +TLS_CACHEFILE=@localstatedir@/couriersslpop3cache TLS_CACHESIZE=524288 ##NAME: MAILDIRPATH:0 diff --git a/imap/imaplogin.c b/imap/imaplogin.c index 0f0b0bf..a445a35 100644 --- a/imap/imaplogin.c +++ b/imap/imaplogin.c @@ -96,6 +96,7 @@ static int starttls(const char *tag) cmdsuccess(tag, "Begin SSL/TLS negotiation now.\r\n"); writeflush(); + cinfo.username=MAILUSER; if (couriertls_start(argvec, &cinfo)) { diff --git a/imap/pop3d-ssl.dist.in.git b/imap/pop3d-ssl.dist.in.git index 43a68e5..ec16ce8 100644 --- a/imap/pop3d-ssl.dist.in.git +++ b/imap/pop3d-ssl.dist.in.git @@ -194,10 +194,8 @@ TLS_STARTTLS_PROTOCOL="$TLS_PROTOCOL" ##NAME: TLS_CERTFILE:0 # -# TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS -# servers, and is optional for SSL/TLS clients. TLS_CERTFILE is usually -# treated as confidential, and must not be world-readable. Set TLS_CERTFILE -# instead of TLS_DHCERTFILE if this is a garden-variety certificate +# TLS_CERTFILE - certificate to use. TLS_CERTFILE must be owned +# by the "@mailuser@" user, and must not be world-readable. # # VIRTUAL HOSTS ON THE SAME IP ADDRESS. # @@ -279,7 +277,7 @@ TLS_VERIFYPEER=NONE # field. The certificate's emailaddress subject must match exactly the login # ID in the courier-authlib database. -##NAME: TLS_CACHE:0 +##NAME: TLS_CACHE:1 # # A TLS/SSL session cache may slightly improve response for long-running # POP3 clients. TLS_CACHEFILE will be automatically created, TLS_CACHESIZE @@ -289,7 +287,7 @@ TLS_VERIFYPEER=NONE # problems with SSL clients. Disable SSL caching by commenting out the # following settings: -TLS_CACHEFILE=@localstatedir@/couriersslcache +TLS_CACHEFILE=@localstatedir@/couriersslimapcache TLS_CACHESIZE=524288 ##NAME: MAILDIRPATH:0 diff --git a/imap/pop3login.c b/imap/pop3login.c index e6ee33f..d541254 100644 --- a/imap/pop3login.c +++ b/imap/pop3login.c @@ -75,6 +75,7 @@ static int starttls() printf("+OK Begin SSL/TLS negotiation now.\r\n"); fflush(stdout); fflush(stdin); + cinfo.username=MAILUSER; if (couriertls_start(argvec, &cinfo)) { |