From 9c5aae0eb425535621dde79717c2ce4f495a23bb Mon Sep 17 00:00:00 2001
From: Yoshinari Takaoka
Date: Thu, 11 Oct 2018 02:27:04 +0900
Subject: added comment TLS_PRIVATE_KEYFILE does not support Pass-Phrase
---
imap/imapd-ssl.dist.in.git | 3 ++-
imap/pop3d-ssl.dist.in.git | 3 ++-
tcpd/couriertls.sgml | 2 +-
3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/imap/imapd-ssl.dist.in.git b/imap/imapd-ssl.dist.in.git
index 5204818..17f8366 100644
--- a/imap/imapd-ssl.dist.in.git
+++ b/imap/imapd-ssl.dist.in.git
@@ -233,7 +233,8 @@ TLS_CERTFILE=@certsdir@/imapd.pem
#
# TLS_PRIVATE_KEYFILE - SSL/TLS private key for decrypting peer data.
# This file must be owned by the "@mailuser@" user, and must not be world
-# readable.
+# readable, and must be accessible without a pass-phrase, i.e. it must not
+# be encrypted.
#
# By default, courier generates SSL/TLS certifice including private key
# and install it in TLS_CERTFILE path, so TLS_PRIVATE_KEYFILE is completely
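Review bot: The new wording on the two added lines makes explicit that the key is stored without a pass-phrase, which means the file's ownership and mode are the only protection for it, yet the sentence still only forbids the file being world readable and so still tolerates a group-readable key. Since the hunk is already rewriting that sentence, it could tighten it at the same time, e.g. `# This file must be owned by the "@mailuser@" user, must not be readable by any other user, and must be accessible without a pass-phrase, i.e. it must not be encrypted.` The identical comment is changed in the imap/pop3d-ssl.dist.in.git hunk and should be kept in step with whichever wording is chosen here.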
diff --git a/imap/pop3d-ssl.dist.in.git b/imap/pop3d-ssl.dist.in.git
index 9611524..6b5b352 100644
--- a/imap/pop3d-ssl.dist.in.git
+++ b/imap/pop3d-ssl.dist.in.git
@@ -227,7 +227,8 @@ TLS_CERTFILE=@certsdir@/pop3d.pem
#
# TLS_PRIVATE_KEYFILE - SSL/TLS private key for decrypting peer data.
# This file must be owned by the "@mailuser@" user, and must not be world
-# readable.
+# readable, and must be accessible without a pass-phrase, i.e. it must not
+# be encrypted.
#
# By default, courier generates SSL/TLS certifice including private key
# and install it in TLS_CERTFILE path, so TLS_PRIVATE_KEYFILE is completely
diff --git a/tcpd/couriertls.sgml b/tcpd/couriertls.sgml
index 0711654..c7971cc 100644
--- a/tcpd/couriertls.sgml
+++ b/tcpd/couriertls.sgml
@@ -241,7 +241,7 @@ for SSL/TLS clients.
SSL/TLS private key for decrypting client data.
TLS_PRIVATE_KEY is optional because TLS_CERTFILE is generated including cert and private key both.
-filename must not be world-readable.
+filename must not be world-readable, and must be accessible without a pass-phrase, i.e. it must not be encrypted.