Subject: Re: courier-imap: IMAPS packet backups
To: None <netbsd-users@netbsd.org>
From: None <dick@uchicago.edu>
List: netbsd-users
Date: 04/12/2006 08:34:33
---- Original message ----
>Date: Wed, 12 Apr 2006 05:42:59 -0700
>From: Ben Collver <collver@peak.org>
>Subject: Re: courier-imap: IMAPS packet backups
>To: dick@uchicago.edu
>Cc: netbsd-users@NetBSD.org
>
>I use courier-imap on netbsd-3.0 with mailboxes that have 50,000
>messages. Your log shows courier imap closing the connection because it
>cannot find shared/index. I don't have these error messages, and I
>don't have a shared/index.
>
>Would you post your .muttrc, imapd, imapd-ssl, and imapd.cnf?
>
>Ben
>
for sure. this is long as hell, so i hope the list filter doesn't drop it. here
they are:
.muttrc:
bind index G imap-fetch-mail
bind pager G imap-fetch-mail
set imap_user="jy-p@mysite.com"
set imap_pass="secret"
set folder=imaps://mail.mysite.com/
set spoolfile=+INBOX
set from="jy-p@mysite.com"
set realname="Jacob Yocom-Piatt"
set signature=~/.signature
set include=yes
set sendmail="/usr/local/bin/msmtp"
set use_from=yes
set envelope_from=yes
set move=no
set copy=yes
set save_name=no
set record=+INBOX.Sent
set postponed=+INBOX.Drafts
set mail_check=10
set timeout=60
set beep=no
set delete=yes
set allow_ansi=yes
set mark_old=no
set menu_scroll=yes
set pager_index_lines=5
set pager_stop=yes
set pgp_decode_command="gpg %?p?--passphrase-fd 0? --no-verbose --batch --output
- %f"
set pgp_verify_command="gpg --no-verbose --batch --output - --verify %s %f"
set pgp_decrypt_command="gpg --passphrase-fd 0 --no-verbose --batch --output - %f"
set pgp_sign_command="gpg --no-verbose --batch --output - --passphrase-fd 0
--armor --detach-sign --textmode %?a?-u %a? %f"
set pgp_clearsign_command="gpg --no-verbose --batch --output - --passphrase-fd 0
--armor --textmode --clearsign %?a?-u %a? %f"
set pgp_encrypt_only_command="pgpewrap gpg --batch --quiet --no-verbose --output
- --encrypt --textmode --armor --always-trust --encrypt-to 0xC9C40C31 -- -r %r
-- %f"
set pgp_encrypt_sign_command="pgpewrap gpg --passphrase-fd 0 --batch --quiet
--no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor
--always-trust --encrypt-to 0x0FD32596 -- -r
%r -- %f"
set pgp_import_command="gpg --no-verbose --import -v %f"
set pgp_export_command="gpg --no-verbose --export --armor %r"
set pgp_verify_key_command="gpg --no-verbose --batch --fingerprint --check-sigs %r"
set pgp_list_pubring_command="gpg --no-verbose --batch --with-colons --list-keys %r"
set pgp_list_secring_command="gpg --no-verbose --batch --with-colons
--list-secret-keys %r"
set pgp_autosign=yes
set pgp_verify_sig=yes
set pgp_sign_as=0x0FD32596
set pgp_replyencrypt=yes
set pgp_timeout=1800
set pgp_good_sign="^gpg: Good signature from"
# -*-muttrc-*-
## The following options are only available if you have
## compiled in S/MIME support
# If you compiled mutt with support for both PGP and S/MIME, PGP
# will be the default method unless the following option is set
#set smime_is_default
# Uncoment this if you don't want to set labels for certificates you add.
# unset smime_ask_cert_label
# Passphrase expiration
set smime_timeout=300
# Global crypto options -- these affect PGP operations as well.
set crypt_autosign = yes
set crypt_replyencrypt = yes
set crypt_replysign = yes
set crypt_replysignencrypted = yes
set crypt_verify_sig = yes
# Section A: Key Management.
# The (default) keyfile for signing/decrypting. Uncomment the following
# line and replace the keyid with your own.
set smime_default_key="e66b9564.0"
# Uncommen to make mutt ask what key to use when trying to decrypt a message.
# It will use the default key above (if that was set) else.
# unset smime_decrypt_use_default_key
# Path to a file or directory with trusted certificates
set smime_ca_location="~/.smime/ca-bundle.crt"
# Path to where all known certificates go. (must exist!)
set smime_certificates="~/.smime/certificates"
# Path to where all private keys go. (must exist!)
set smime_keys="~/.smime/keys"
# These are used to extract a certificate from a message.
# First generate a PKCS#7 structure from the message.
set smime_pk7out_command="openssl smime -verify -in %f -noverify -pk7out"
# Extract the included certificate(s) from a PKCS#7 structure.
set smime_get_cert_command="openssl pkcs7 -print_certs -in %f"
# Extract the signer's certificate only from a S/MIME signature (sender
verification)
set smime_get_signer_cert_command="openssl smime -verify -in %f -noverify
-signer %c -out /dev/null"
# This is used to get the email address the certificate was issued to.
set smime_get_cert_email_command="openssl x509 -in %f -noout -email"
# Add a certificate to the database using smime_keys.
set smime_import_cert_command="smime_keys add_cert %f"
# Sction B: Outgoing messages
# Algorithm to use for encryption.
# valid choices are rc2-40, rc2-64, rc2-128, des, des3
set smime_encrypt_with="des3"
# Encrypt a message. Input file is a MIME entity.
set smime_encrypt_command="openssl smime -encrypt -%a -outform DER -in %f %c"
# Sign.
set smime_sign_command="openssl smime -sign -signer %c -inkey %k -passin stdin
-in %f -certfile %i -outform DER"
#Section C: Incoming messages
# Decrypt a message. Output is a MIME entity.
set smime_decrypt_command="openssl smime -decrypt -passin stdin -inform DER -in
%f -inkey %k -recip %c"
# Verify a signature of type multipart/signed
set smime_verify_command="openssl smime -verify -inform DER -in %s %C -content %f"
# Verify a signature of type application/x-pkcs7-mime
set smime_verify_opaque_command="openssl smime -verify -inform DER -in %s %C"
# Section D: Alternatives
# Sign. If you wish to NOT include the certificate your CA used in signing
# your public key, use this command instead.
# set smime_sign_command="openssl smime -sign -signer %c -inkey %k -passin stdin
-in %f -outform DER"
#
# In order to verify the signature only and skip checking the certificate chain:
#
# set smime_verify_command="openssl smime -verify -inform DER -in %s -content %f
-noverify"
# set smime_verify_opaque_command="openssl smime -verify -inform DER -in %s
-noverify"
#
imapd:
##VERSION: $Id: imapd.dist.in,v 1.37 2005/07/05 12:31:27 mrsam Exp $
#
# imapd created from imapd.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
# Copyright 1998 - 2005 Double Precision, Inc. See COPYING for
# distribution information.
#
# This configuration file sets various options for the Courier-IMAP server
# when used with the couriertcpd server.
# A lot of the stuff here is documented in the manual page for couriertcpd.
#
# NOTE - do not use \ to split long variable contents on multiple lines.
# This will break the default imapd.rc script, which parses this file.
#
##NAME: ADDRESS:0
#
# Address to listen on, can be set to a single IP address.
#
# ADDRESS=127.0.0.1
ADDRESS=0
##NAME: PORT:1
#
# Port numbers that connections are accepted on. The default is 143,
# the standard IMAP port.
#
# Multiple port numbers can be separated by commas. When multiple port
# numbers are used it is possible to select a specific IP address for a
# given port as "ip.port". For example, "127.0.0.1.900,192.68.0.1.900"
# accepts connections on port 900 on IP addresses 127.0.0.1 and 192.68.0.1
# The previous ADDRESS setting is a default for ports that do not have
# a specified IP address.
PORT=143
##NAME: AUTHSERVICE:0
#
# It's possible to authenticate using a different 'service' parameter
# depending on the connection's port. This only works with authentication
# modules that use the 'service' parameter, such as PAM. Example:
#
# AUTHSERVICE143=imap
# AUTHSERVICE993=imaps
##NAME: MAXDAEMONS:0
#
# Maximum number of IMAP servers started
#
MAXDAEMONS=40
##NAME: MAXPERIP:0
#
# Maximum number of connections to accept from the same IP address
MAXPERIP=10
##NAME: PIDFILE:0
#
# File where couriertcpd will save its process ID
#
PIDFILE=/var/run/imapd.pid
##NAME: TCPDOPTS:0
#
# Miscellaneous couriertcpd options that shouldn't be changed.
#
TCPDOPTS="-nodnslookup -noidentlookup"
##NAME: LOGGEROPTS:0
#
# courierlogger(1) options.
#
LOGGEROPTS="-name=imapd"
##NAME: DEFDOMAIN:0
#
# Optional default domain. If the username does not contain the
# first character of DEFDOMAIN, then it is appended to the username.
# If DEFDOMAIN and DOMAINSEP are both set, then DEFDOMAIN is appended
# only if the username does not contain any character from DOMAINSEP.
# You can set different default domains based on the the interface IP
# address using the -access and -accesslocal options of couriertcpd(1).
#DEFDOMAIN="@example.com"
##NAME: IMAP_CAPABILITY:1
#
# IMAP_CAPABILITY specifies what most of the response should be to the
# CAPABILITY command.
#
# If you have properly configured Courier to use CRAM-MD5, CRAM-SHA1, or
# CRAM-SHA256 authentication (see INSTALL), set IMAP_CAPABILITY as follows:
#
# IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT
THREAD=REFERENCES SORT QUOTA AUTH=
CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"
#
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT
THREAD=REFERENCES SORT QUOTA IDLE"
##NAME: KEYWORDS_CAPABILITY:0
#
# IMAP_KEYWORDS=1 enables custom IMAP keywords. Set this option to 0 to
# disable custom keywords.
IMAP_KEYWORDS=1
##NAME: SMAP1_CAPABILITY:0
#
# EXPERIMENTAL
#
# To enable the experimental "Simple Mail Access Protocol" extensions,
# uncomment the following setting.
#
# SMAP_CAPABILITY=SMAP1
##NAME: IMAP_CAPABILITY_ORIG:2
#
# For use by webadmin
IMAP_CAPABILITY_ORIG="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT
THREAD=REFERENCES SORT QUOTA AU
TH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"
##NAME: IMAP_PROXY:0
#
# Enable proxying. See README.proxy
IMAP_PROXY=0
##NAME: PROXY_HOSTNAME:0
#
# Override value from gethostname() when checking if a proxy connection is
# required.
#
# PROXY_HOSTNAME=
##NAME: IMAP_PROXY_FOREIGN:0
#
# Proxying to non-Courier servers. Re-sends the CAPABILITY command after
# logging in to the remote server. May not work with all IMAP clients.
IMAP_PROXY_FOREIGN=0
##NAME: IMAP_IDLE_TIMEOUT:0
#
# This setting controls how often
# the server polls for changes to the folder, in IDLE mode (in seconds).
IMAP_IDLE_TIMEOUT=60
##NAME: IMAP_CAPABILITY_TLS:0
#
# The following setting will advertise SASL PLAIN authentication after
# STARTTLS is established. If you want to allow SASL PLAIN authentication
# with or without TLS then just comment this out, and add AUTH=PLAIN to
# IMAP_CAPABILITY
IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN"
##NAME: IMAP_TLS_ORIG:0
#
# For use by webadmin
IMAP_CAPABILITY_TLS_ORIG="$IMAP_CAPABILITY_ORIG AUTH=PLAIN"
##NAME: IMAP_DISABLETHREADSORT:0
#
# Set IMAP_DISABLETHREADSORT to disable the THREAD and SORT commands -
# server side sorting and threading.
#
# Those capabilities will still be advertised, but the server will reject
# them. Set this option if you want to disable all the extra load from
# server-side threading and sorting. Not advertising those capabilities
# will simply result in the clients reading the entire folder, and sorting
# it on the client side. That will still put some load on the server.
# advertising these capabilities, but rejecting the commands, will stop this
# silliness.
#
IMAP_DISABLETHREADSORT=0
##NAME: IMAP_CHECK_ALL_FOLDERS:0
#
# Set IMAP_CHECK_ALL_FOLDERS to 1 if you want the server to check for new
# mail in every folder. Not all IMAP clients use the IMAP's new mail
# indicator, but some do. Normally new mail is checked only in INBOX,
# because it is a comparatively time consuming operation, and it would be
# a complete waste of time unless mail filters are used to deliver
# mail directly to folders.
#
# When IMAP clients are used which support new mail indication, and when
# mail filters are used to sort incoming mail into folders, setting
# IMAP_CHECK_ALL_FOLDERS to 1 will allow IMAP clients to announce new
# mail in folders. Note that this will result in slightly more load on the
# server.
#
IMAP_CHECK_ALL_FOLDERS=0
##NAME: IMAP_OBSOLETE_CLIENT:0
#
# Set IMAP_OBSOLETE_CLIENT if your IMAP client expects \\NoInferiors to mean
# what \\HasNoChildren really means.
IMAP_OBSOLETE_CLIENT=0
##NAME: IMAP_UMASK:0
#
# IMAP_UMASK sets the umask of the server process. The value of IMAP_UMASK is
# simply passed to the "umask" command. The default value is 022.
#
# This feature is mostly useful for shared folders, where the file permissions
# of the messages may be important.
IMAP_UMASK=022
##NAME: IMAP_ULIMITD:0
#
# IMAP_ULIMITD sets the maximum size of the data segment of the server
# process. The value of IMAP_ULIMITD is simply passed to the "ulimit -d"
# command (or ulimit -v). The argument to ulimi sets the upper limit on the
# size of the data segment of the server process, in kilobytes. The default
# value of 65536 sets a very generous limit of 64 megabytes, which should
# be more than plenty for anyone.
#
# This feature is used as an additional safety check that should stop
# any potential denial-of-service attacks that exploit any kind of
# a memory leak to exhaust all the available memory on the server.
# It is theoretically possible that obscenely huge folders will also
# result in the server running out of memory when doing server-side
# sorting (by my calculations you have to have at least 100,000 messages
# in a single folder, for that to happen).
IMAP_ULIMITD=65536
##NAME: IMAP_USELOCKS:0
#
# Setting IMAP_USELOCKS to 1 will use dot-locking to support concurrent
# multiple access to the same folder. This incurs slight additional
# overhead. Concurrent multiple access will still work without this setting,
# however occasionally a minor race condition may result in an IMAP client
# downloading the same message twice, or a keyword update will fail.
#
# IMAP_USELOCKS=1 is strongly recommended when shared folders are used.
IMAP_USELOCKS=1
##NAME: IMAP_SHAREDINDEXFILE:0
#
# The index of all accessible folders. Do not change this setting unless
# you know what you're doing. See README.sharedfolders for additional
# information.
IMAP_SHAREDINDEXFILE=/usr/pkg/etc/courier/shared/index
##NAME: IMAP_ENHANCEDIDLE:0
#
# If Courier was compiled with the File Alteration Monitor, setting
# IMAP_ENHANCEDIDLE to 1 enables enhanced IDLE mode, where multiple
# clients may open the same folder concurrently, and receive updates to
# folder contents in realtime. See the imapd(8) man page for additional
# information.
#
# IMPORTANT: IMAP_USELOCKS *MUST* also be set to 1, and IDLE must be included
# in the IMAP_CAPABILITY list.
#
IMAP_ENHANCEDIDLE=0
##NAME: IMAP_TRASHFOLDERNAME:0
#
# The name of the magic trash Folder. For MSOE compatibility,
# you can set IMAP_TRASHFOLDERNAME="Deleted Items".
#
# IMPORTANT: If you change this, you must also change IMAP_EMPTYTRASH
IMAP_TRASHFOLDERNAME=Trash
##NAME: IMAP_EMPTYTRASH:0
#
# The following setting is optional, and causes messages from the given
# folder to be automatically deleted after the given number of days.
# IMAP_EMPTYTRASH is a comma-separated list of folder:days. The default
# setting, below, purges 7 day old messages from the Trash folder.
# Another useful setting would be:
#
# IMAP_EMPTYTRASH=Trash:7,Sent:30
#
# This would also delete messages from the Sent folder (presumably copies
# of sent mail) after 30 days. This is a global setting that is applied to
# every mail account, and is probably useful in a controlled, corporate
# environment.
#
# Important: the purging is controlled by CTIME, not MTIME (the file time
# as shown by ls). It is perfectly ordinary to see stuff in Trash that's
# a year old. That's the file modification time, MTIME, that's displayed.
# This is generally when the message was originally delivered to this
# mailbox. Purging is controlled by a different timestamp, CTIME, which is
# changed when the file is moved to the Trash folder (and at other times too).
#
# You might want to disable this setting in certain situations - it results
# in a stat() of every file in each folder, at login and logout.
#
IMAP_EMPTYTRASH=Trash:7
##NAME: IMAP_MOVE_EXPUNGE_TO_TRASH:0
#
# Set IMAP_MOVE_EXPUNGE_TO_TRASH to move expunged messages to Trash. This
# effectively allows an undo of message deletion by fishing the deleted
# mail from trash. Trash can be manually expunged as usually, and mail
# will get automatically expunged from Trash according to IMAP_EMPTYTRASH.
#
# NOTE: shared folders are still expunged as usual. Shared folders are
# not affected.
#
IMAP_MOVE_EXPUNGE_TO_TRASH=0
##NAME: OUTBOX:0
#
# The next set of options deal with the "Outbox" enhancement.
# Uncomment the following setting to create a special folder, named
# INBOX.Outbox
#
# OUTBOX=.Outbox
##NAME: SENDMAIL:0
#
# If OUTBOX is defined, mail can be sent via the IMAP connection by copying
# a message to the INBOX.Outbox folder. For all practical matters,
# INBOX.Outbox looks and behaves just like any other IMAP folder. If this
# folder doesn't exist it must be created by the IMAP mail client, just
# like any other IMAP folder. The kicker: any message copied or moved to
# this folder is will be E-mailed by the Courier-IMAP server, by running
# the SENDMAIL program. Therefore, messages copied or moved to this
# folder must be well-formed RFC-2822 messages, with the recipient list
# specified in the To:, Cc:, and Bcc: headers. Courier-IMAP relies on
# SENDMAIL to read the recipient list from these headers (and delete the Bcc:
# header) by running the command "$SENDMAIL -oi -t -f $SENDER", with the
# message piped on standard input. $SENDER will be the return address
# of the message, which is set by the authentication module.
#
# DO NOT MODIFY SENDMAIL, below, unless you know what you're doing.
#
SENDMAIL=/usr/sbin/sendmail
##NAME: HEADERFROM:0
#
# For administrative and oversight purposes, the return address, $SENDER
# will also be saved in the X-IMAP-Sender mail header. This header gets
# added to the sent E-mail (but it doesn't get saved in the copy of the
# message that's saved in the folder)
#
# WARNING - By enabling OUTBOX above, *every* IMAP mail client will receive
# the magic OUTBOX treatment. Therefore advance LARTing is in order for
# _all_ of your lusers, until every one of them is aware of this. Otherwise if
# OUTBOX is left at its default setting - a folder name that might be used
# accidentally - some people may be in for a rude surprise. You can redefine
# the name of the magic folder by changing OUTBOX, above. You should do that
# and pick a less-obvious name. Perhaps brand it with your organizational
# name ( OUTBOX=.WidgetsAndSonsOutbox )
HEADERFROM=X-IMAP-Sender
##NAME: OUTBOX_MULTIPLE_SEND:0
#
# Remove the following comment to allow a COPY of more than one message to
# the Outbox, at a time.
#
# OUTBOX_MULTIPLE_SEND=1
##NAME: IMAPDSTART:0
#
# IMAPDSTART is not used directly. Rather, this is a convenient flag to
# be read by your system startup script in /etc/rc.d, like this:
#
# . /usr/pkg/etc/courier/imapd
#
# case x$IMAPDSTART in
# x[yY]*)
# /usr/pkg/libexec/courier/imapd.rc start
# ;;
# esac
#
# The default setting is going to be NO, so you'll have to manually flip
# it to yes.
IMAPDSTART=YES
##NAME: MAILDIRPATH:0
#
# MAILDIRPATH - directory name of the maildir directory.
#
MAILDIRPATH=Maildir
# addtional stuff
MAILDIR=Maildir
imapd-ssl:
##VERSION: $Id: imapd-ssl.dist.in,v 1.12 2005/07/02 01:13:57 mrsam Exp $
#
# imapd-ssl created from imapd-ssl.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
# Copyright 2000 - 2004 Double Precision, Inc. See COPYING for
# distribution information.
#
# This configuration file sets various options for the Courier-IMAP server
# when used to handle SSL IMAP connections.
#
# SSL and non-SSL connections are handled by a dedicated instance of the
# couriertcpd daemon. If you are accepting both SSL and non-SSL IMAP
# connections, you will start two instances of couriertcpd, one on the
# IMAP port 143, and another one on the IMAP-SSL port 993.
#
# Download OpenSSL from http://www.openssl.org/
#
##NAME: SSLPORT:1
#
# Options in the imapd-ssl configuration file AUGMENT the options in the
# imapd configuration file. First the imapd configuration file is read,
# then the imapd-ssl configuration file, so we do not have to redefine
# anything.
#
# However, some things do have to be redefined. The port number is
# specified by SSLPORT, instead of PORT. The default port is port 993.
#
# Multiple port numbers can be separated by commas. When multiple port
# numbers are used it is possibly to select a specific IP address for a
# given port as "ip.port". For example, "127.0.0.1.900,192.68.0.1.900"
# accepts connections on port 900 on IP addresses 127.0.0.1 and 192.68.0.1
# The SSLADDRESS setting is a default for ports that do not have
# a specified IP address.
SSLPORT=993
##NAME: SSLADDRESS:0
#
# Address to listen on, can be set to a single IP address.
#
# SSLADDRESS=127.0.0.1
SSLADDRESS=0
##NAME: SSLPIDFILE:0
#
# That's the SSL IMAP port we'll listen on.
# Feel free to redefine MAXDAEMONS, TCPDOPTS, and MAXPERIP.
SSLPIDFILE=/var/run/imapd-ssl.pid
##NAME: SSLLOGGEROPTS:0
#
# courierlogger(1) options.
#
SSLLOGGEROPTS="-name=imapd-ssl"
##NAME: IMAPDSSLSTART:0
#
# Different pid files, so that both instances of couriertcpd can coexist
# happily.
#
# You can also redefine IMAP_CAPABILITY, although I can't
# think of why you'd want to do that.
#
#
# Ok, the following settings are new to imapd-ssl:
#
# Whether or not to start IMAP over SSL on simap port:
IMAPDSSLSTART=YES
##NAME: IMAPDSTARTTLS:0
#
# Whether or not to implement IMAP STARTTLS extension instead:
IMAPDSTARTTLS=YES
##NAME: IMAP_TLS_REQUIRED:1
#
# Set IMAP_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone.
# (this option advertises the LOGINDISABLED IMAP capability, until STARTTLS
# is issued).
IMAP_TLS_REQUIRED=0
#########################################################################
#
# The following variables configure IMAP over SSL. If OpenSSL is available
# during configuration, the couriertls helper gets compiled, and upon
# installation a dummy TLS_CERTFILE gets generated. courieresmtpd will
# automatically advertise the ESMTP STARTTLS extension if both TLS_CERTFILE
# and COURIERTLS exist.
#
# WARNING: Peer certificate verification has NOT yet been tested. Proceed
# at your own risk. Only the basic SSL/TLS functionality is known to be
# working. Keep this in mind as you play with the following variables.
#
##NAME: COURIERTLS:0
#
COURIERTLS=/usr/pkg/bin/couriertls
##NAME: TLS_PROTOCOL:0
#
# TLS_PROTOCOL sets the protocol version. The possible versions are:
#
# SSL2 - SSLv2
# SSL3 - SSLv3
# TLS1 - TLS1
TLS_PROTOCOL=SSL3
##NAME: TLS_STARTTLS_PROTOCOL:0
#
# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the IMAP STARTTLS
# extension, as opposed to IMAP over SSL on port 993.
#
TLS_STARTTLS_PROTOCOL=TLS1
##NAME: TLS_CIPHER_LIST:0
#
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
# OpenSSL library. In most situations you can leave TLS_CIPHER_LIST
# undefined
#
# TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"
##NAME: TLS_TIMEOUT:0
# TLS_TIMEOUT is currently not implemented, and reserved for future use.
# This is supposed to be an inactivity timeout, but its not yet implemented.
#
##NAME: TLS_DHCERTFILE:0
#
# TLS_DHCERTFILE - PEM file that stores our Diffie-Hellman cipher pair.
# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA
# you must generate a DH pair that will be used. In most situations the
# DH pair is to be treated as confidential, and the file specified by
# TLS_DHCERTFILE must not be world-readable.
#
# TLS_DHCERTFILE=
##NAME: TLS_CERTFILE:0
#
# TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS
# servers, and is optional for SSL/TLS clients. TLS_CERTFILE is usually
# treated as confidential, and must not be world-readable.
#
TLS_CERTFILE=/etc/openssl/certs/imapd.pem
##NAME: TLS_TRUSTCERTS:0
#
# TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
# pathname can be a file or a directory. If a file, the file should
# contain a list of trusted certificates, in PEM format. If a
# directory, the directory should contain the trusted certificates,
# in PEM format, one per file and hashed using OpenSSL's c_rehash
# script. TLS_TRUSTCERTS is used by SSL/TLS clients (by specifying
# the -domain option) and by SSL/TLS servers (TLS_VERIFYPEER is set
# to PEER or REQUIREPEER).
#
#
# TLS_TRUSTCERTS=
##NAME: TLS_VERIFYPEER:0
#
# TLS_VERIFYPEER - how to verify client certificates. The possible values of
# this setting are:
#
# NONE - do not verify anything
#
# PEER - verify the client certificate, if one's presented
#
# REQUIREPEER - require a client certificate, fail if one's not presented
#
#
TLS_VERIFYPEER=NONE
##NAME: TLS_CACHE:0
#
# A TLS/SSL session cache may slightly improve response for IMAP clients
# that open multiple SSL sessions to the server. TLS_CACHEFILE will be
# automatically created, TLS_CACHESIZE bytes long, and used as a cache
# buffer.
#
# This is an experimental feature and should be disabled if it causes
# problems with SSL clients. Disable SSL caching by commenting out the
# following settings:
TLS_CACHEFILE=/var/couriersslcache
TLS_CACHESIZE=524288
##NAME: MAILDIRPATH:0
#
# MAILDIRPATH - directory name of the maildir directory.
#
MAILDIRPATH=Maildir
imapd.cnf:
RANDFILE = /usr/pkg/etc/courier/imapd.rand
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
C=US
ST=IL
L=Chicago
O=Widgets Inc.
OU=IMAP SSL key
CN=mail.mysite.com
emailAddress=root@mysite.com
[ cert_type ]
nsCertType = server
hope this is fruitful :). i'll take a look through these files myself and see if
i notice anything amiss. i'm used to running my mailserver on openbsd, but due
to the lack of nice disk encryption (read cgd) i've converted it to netbsd. i
never had this problem before.
i tried commenting out the line about the shared index in imapd and the problem
persists.
best regards,
jake
>On Tue, Apr 11, 2006 at 11:21:14PM -0500, dick@uchicago.edu wrote:
>> i'm running netbsd-3.0 with the following setup:
>> - courier-imap-4.0.6 binary package
>>
>> - from /var/log/maillog on IMAPS server:
>> ...
>> Apr 11 23:10:37 mail imapd-ssl: LOGIN, user=jy-p@mysite.com,
>> ip=[::ffff:10.9.1.2], protocol=IMAP
>> Apr 11 23:10:40 mail imapd-ssl: /usr/pkg/etc/courier/shared/index: No such file
>> or directory
>> Apr 11 23:11:49 mail imapd-ssl: DISCONNECTED, user=jy-p@mysite.com,
>> ip=[::ffff:10.9.1.2], headers=56771, body=0, time=72, starttls=1