[vhffs-dev] [1649] new configuration examples based on Debian Squeeze dist config files |
Revision: 1649
Author: gradator
Date: 2011-04-16 17:31:00 +0200 (Sat, 16 Apr 2011)
Log Message:
-----------
new configuration examples based on Debian Squeeze dist config files
Modified Paths:
--------------
trunk/vhffs-doc/config/courier/authdaemonrc
trunk/vhffs-doc/config/courier/authpgsqlrc
trunk/vhffs-doc/config/courier/imapd
trunk/vhffs-doc/config/courier/imapd-ssl
trunk/vhffs-doc/config/courier/pop3d
trunk/vhffs-doc/config/courier/pop3d-ssl
trunk/vhffs-doc/config/exim4-mx1/exim4.conf
trunk/vhffs-doc/config/exim4-mx2/exim4.conf
Removed Paths:
-------------
trunk/vhffs-doc/config/courier/authmodulelist
Modified: trunk/vhffs-doc/config/courier/authdaemonrc
===================================================================
--- trunk/vhffs-doc/config/courier/authdaemonrc 2011-04-05 22:23:31 UTC (rev 1648)
+++ trunk/vhffs-doc/config/courier/authdaemonrc 2011-04-16 15:31:00 UTC (rev 1649)
@@ -1,6 +1,6 @@
-##VERSION: $Id: authdaemonrc.in,v 1.8 2001/10/07 02:16:22 mrsam Exp $
+##VERSION: $Id: authdaemonrc.in,v 1.13 2005/10/05 00:07:32 mrsam Exp $
#
-# Copyright 2000-2001 Double Precision, Inc. See COPYING for
+# Copyright 2000-2005 Double Precision, Inc. See COPYING for
# distribution information.
#
# authdaemonrc created from authdaemonrc.dist by sysconftool
@@ -17,21 +17,21 @@
# fit on one line. Do not use any additional whitespace for indentation,
# or anything else.
-##NAME: authmodulelist:0
+##NAME: authmodulelist:2
#
# The authentication modules that are linked into authdaemond. The
# default list is installed. You may selectively disable modules simply
# by removing them from the following list. The available modules you
-# can use are: authcustom authcram authuserdb authldap authpgsql authmysql authpam
+# can use are: authuserdb authpam authpgsql authldap authmysql authcustom authpipe
authmodulelist="authpgsql"
-##NAME: authmodulelistorig:1
+##NAME: authmodulelistorig:3
#
# This setting is used by Courier's webadmin module, and should be left
# alone
-authmodulelistorig="authcustom authcram authuserdb authldap authpgsql authmysql authpam"
+authmodulelistorig="authuserdb authpam authpgsql authldap authmysql authcustom authpipe"
##NAME: daemons:0
#
@@ -52,17 +52,52 @@
daemons=5
-##NAME: version:0
+##NAME: authdaemonvar:2
#
-# When you have multiple versions of authdaemond.* installed, authdaemond
-# just picks the first one it finds. Set "version" to override that.
-# For example: version=authdaemond.plain
+# authdaemonvar is here, but is not used directly by authdaemond. It's
+# used by various configuration and build scripts, so don't touch it!
-version=""
+authdaemonvar=/var/run/courier/authdaemon
-##NAME: authdaemonvar:0
+##NAME: DEBUG_LOGIN:0
#
-# authdaemonvar is here, but is not used directly by authdaemond. It's
-# used by various configuration and build scripts, so don't touch it!
+# Dump additional diagnostics to syslog
+#
+# DEBUG_LOGIN=0 - turn off debugging
+# DEBUG_LOGIN=1 - turn on debugging
+# DEBUG_LOGIN=2 - turn on debugging + log passwords too
+#
+# ** YES ** - DEBUG_LOGIN=2 places passwords into syslog.
+#
+# Note that most information is sent to syslog at level 'debug', so
+# you may need to modify your /etc/syslog.conf to be able to see it.
-authdaemonvar=/var/run/courier/authdaemon
+DEBUG_LOGIN=0
+
+##NAME: DEFAULTOPTIONS:0
+#
+# A comma-separated list of option=value pairs. Each option is applied
+# to an account if the account does not have its own specific value for
+# that option. So for example, you can set
+# DEFAULTOPTIONS="disablewebmail=1,disableimap=1"
+# and then enable webmail and/or imap on individual accounts by setting
+# disablewebmail=0 and/or disableimap=0 on the account.
+
+DEFAULTOPTIONS=""
+
+##NAME: LOGGEROPTS:0
+#
+# courierlogger(1) options, e.g. to set syslog facility
+#
+
+LOGGEROPTS=""
+
+##NAME: LDAP_TLS_OPTIONS:0
+#
+# Options documented in ldap.conf(5) can be set here, prefixed with 'LDAP'.
+# Examples:
+#
+#LDAPTLS_CACERT=/path/to/cacert.pem
+#LDAPTLS_REQCERT=demand
+#LDAPTLS_CERT=/path/to/clientcert.pem
+#LDAPTLS_KEY=/path/to/clientkey.pem
Deleted: trunk/vhffs-doc/config/courier/authmodulelist
===================================================================
--- trunk/vhffs-doc/config/courier/authmodulelist 2011-04-05 22:23:31 UTC (rev 1648)
+++ trunk/vhffs-doc/config/courier/authmodulelist 2011-04-16 15:31:00 UTC (rev 1649)
@@ -1 +0,0 @@
-authdaemon
Modified: trunk/vhffs-doc/config/courier/authpgsqlrc
===================================================================
--- trunk/vhffs-doc/config/courier/authpgsqlrc 2011-04-05 22:23:31 UTC (rev 1648)
+++ trunk/vhffs-doc/config/courier/authpgsqlrc 2011-04-16 15:31:00 UTC (rev 1649)
@@ -1,3 +1,4 @@
+##VERSION: $Id: authpgsqlrc,v 1.13 2008/12/18 12:08:25 mrsam Exp $
#
# Copyright 2000-2004 Double Precision, Inc. See COPYING for
# distribution information.
@@ -41,17 +42,24 @@
##NAME: PGSQL_DATABASE:0
#
-# The name of the MySQL database we will open:
+# The name of the PostgreSQL database we will open:
PGSQL_DATABASE vhffs
+##NAME: PGSQL_CHARACTER_SET:0
+#
+# Optionally install a character set mapping. Restart authdaemond, send a test
+# query using authtest and check for error messages in syslog/maillog.
+#
+# PGSQL_CHARACTER_SET UTF8
+
##NAME: PGSQL_USER_TABLE:0
#
# The name of the table containing your user data. See README.authmysqlrc
# for the required fields in this table (both MySQL and Postgress use the
# same suggested layout.
-PGSQL_USER_TABLE vhffs_boxes
+PGSQL_USER_TABLE passwd
##NAME: PGSQL_CRYPT_PWFIELD:0
#
@@ -59,12 +67,13 @@
# are OK too. crypted passwords go into PGSQL_CRYPT_PWFIELD, cleartext
# passwords go into PGSQL_CLEAR_PWFIELD. Cleartext passwords allow
# CRAM-MD5 authentication to be implemented.
-PGSQL_CRYPT_PWFIELD password
+PGSQL_CRYPT_PWFIELD crypt
+
##NAME: PGSQL_CLEAR_PWFIELD:0
#
#
-#PGSQL_CLEAR_PWFIELD password
+# PGSQL_CLEAR_PWFIELD clear
##NAME: PGSQL_DEFAULT_DOMAIN:0
#
@@ -74,22 +83,20 @@
#
DEFAULT_DOMAIN vhffs.org
-PGSQL_DOMAIN_FIELD domain
##NAME: PGSQL_UID_FIELD:0
#
# Other fields in the mysql table:
#
# PGSQL_UID_FIELD - contains the numerical userid of the account
#
-#UID_FILED 102
-#GID_FILED 104
-PGSQL_UID_FIELD 102 as uid
+PGSQL_UID_FIELD uid
##NAME: PGSQL_GID_FIELD:0
#
# Numerical groupid of the account
-PGSQL_GID_FIELD 104 as gid
+PGSQL_GID_FIELD gid
+
##NAME: PGSQL_LOGIN_FIELD:0
#
# The login id, default is id. Basically the query is:
@@ -97,19 +104,18 @@
# SELECT PGSQL_UID_FIELD, PGSQL_GID_FIELD, ... WHERE id='loginid'
#
-PGSQL_LOGIN_FIELD local_part
-PGSQL_USER_FIELD local_part
+PGSQL_LOGIN_FIELD id
##NAME: PGSQL_HOME_FIELD:0
#
-PGSQL_HOME_FIELD mbox_name
-HOME_PREFIX /data/mail/boxes
+PGSQL_HOME_FIELD home
+
##NAME: PGSQL_NAME_FIELD:0
#
# The user's name (optional)
-#PGSQL_NAME_FIELD name
+PGSQL_NAME_FIELD name
##NAME: PGSQL_MAILDIR_FIELD:0
#
@@ -193,21 +199,41 @@
# This example is a little bit modified adaptation of vmail-sql
# database scheme:
#
+# PGSQL_SELECT_CLAUSE SELECT popbox.local_part, \
+# '{MD5}' || popbox.password_hash, \
+# popbox.clearpw, \
+# domain.uid, \
+# domain.gid, \
+# domain.path || '/' || popbox.mbox_name), \
+# '', \
+# domain.quota, \
+# '', \
+# FROM popbox, domain \
+# WHERE popbox.local_part = '$(local_part)' \
+# AND popbox.domain_name = '$(domain)' \
+# AND popbox.domain_name = domain.domain_name
-PGSQL_SELECT_CLAUSE SELECT local_part||'@'||domain , password, '', 102 as uid, 104 as gid, '/data/mail/boxes/'||domain_hash||'/', mbox_name || '/Maildir', '', '', '' FROM vhffs_boxes WHERE local_part = '$(local_part)' AND domain='$(domain)' AND ( ( '$(service)' LIKE 'pop%' AND allowpop=true ) OR ( '$(service)' LIKE 'imap%' AND allowimap=true ) ) AND state=6
+PGSQL_SELECT_CLAUSE SELECT local_part||'@'||domain, password, '', 101 as uid, 103 as gid, '/data/mail/boxes/'||domain_hash||'/', mbox_name||'/Maildir', '', '', '' FROM vhffs_boxes WHERE local_part = '$(local_part)' AND domain='$(domain)' AND ( ( '$(service)' LIKE 'pop%' AND allowpop=true ) OR ( '$(service)' LIKE 'imap%' AND allowimap=true ) ) AND state=6
-
-##NAME: PGSQL_ENUMERATE_CLAUSE:0
+##NAME: PGSQL_ENUMERATE_CLAUSE:1
#
# {EXPERIMENTAL}
# Optional custom SQL query used to enumerate accounts for authenumerate,
# in order to compile a list of accounts for shared folders. The query
-# should return the following fields: name, uid, gid, homedir, maildir
+# should return the following fields: name, uid, gid, homedir, maildir, options
#
# Example:
-PGSQL_ENUMERATE_CLAUSE SELECT local_part, 102 as uid, 104 as gid, domain_hash|| '/'|| mbox_name), '' FROM vhffs_boxes WHERE local_part = '$(local_part)' AND domain = '$(domain)'
+# PGSQL_ENUMERATE_CLAUSE SELECT popbox.local_part || '@' || popbox.domain_name, \
+# domain.uid, \
+# domain.gid, \
+# domain.path || '/' || popbox.mbox_name, \
+# '', \
+# 'sharedgroup=' || sharedgroup \
+# FROM popbox, domain \
+# WHERE popbox.local_part = '$(local_part)' \
+# AND popbox.domain_name = '$(domain)' \
+# AND popbox.domain_name = domain.domain_name
-
##NAME: PGSQL_CHPASS_CLAUSE:0
#
# (EXPERIMENTAL)
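Review bot: The active PGSQL_SELECT_CLAUSE hard-codes `101 as uid, 103 as gid` (previously 102/104), and nothing in the file says which system account those numbers belong to. They have to match the account that owns the maildirs under `/data/mail/boxes/` on the target host. The same revision sets `IMAP_MAILBOX_SANITY_CHECK=1` in imapd, so an admin who copies the example onto a host with different ids would presumably see logins fail with no obvious cause. I would add a comment directly above the clause, for example `# 101/103 = uid/gid of the mail-owning account on this host; adjust to your system`.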
@@ -226,7 +252,11 @@
# $(newpass) contains plain password
# $(newpass_crypt) contains its crypted form
#
-PGSQL_CHPASS_CLAUSE UPDATE vhffs_boxes \
- SET password='$(newpass_crypt)' \
- WHERE local_part='$(local_part)' \
- AND domain_name='$(domain)'
+# PGSQL_CHPASS_CLAUSE UPDATE popbox \
+# SET clearpw='$(newpass)', \
+# password_hash='$(newpass_crypt)' \
+# WHERE local_part='$(local_part)' \
+# AND domain_name='$(domain)'
+#
+
+PGSQL_CHPASS_CLAUSE UPDATE vhffs_boxes SET password='$(newpass_crypt)' WHERE local_part='$(local_part)' AND domain_name='$(domain)'
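Review bot: The active PGSQL_CHPASS_CLAUSE filters on `domain_name='$(domain)'`, but the PGSQL_SELECT_CLAUSE in this same file queries `vhffs_boxes` with `domain='$(domain)'`. That makes `domain_name` look like a leftover from the popbox sample, and the UPDATE would likely fail on a missing column. If the column is indeed `domain`, the clause should end `WHERE local_part='$(local_part)' AND domain='$(domain)'`. The UPDATE also omits the `state=6` condition that the login query applies; it is worth deciding whether password changes on boxes in another state are intended.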
Modified: trunk/vhffs-doc/config/courier/imapd
===================================================================
--- trunk/vhffs-doc/config/courier/imapd 2011-04-05 22:23:31 UTC (rev 1648)
+++ trunk/vhffs-doc/config/courier/imapd 2011-04-16 15:31:00 UTC (rev 1649)
@@ -1,11 +1,11 @@
-##VERSION: $Id: imapd.dist.in,v 1.29 2004/04/18 15:54:39 mrsam Exp $
+##VERSION: $Id: imapd.dist.in,v 1.41 2008/06/21 16:01:23 mrsam Exp $
#
# imapd created from imapd.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
-# Copyright 1998 - 2004 Double Precision, Inc. See COPYING for
+# Copyright 1998 - 2008 Double Precision, Inc. See COPYING for
# distribution information.
#
# This configuration file sets various options for the Courier-IMAP server
@@ -73,58 +73,56 @@
TCPDOPTS="-nodnslookup -noidentlookup"
-##NAME: AUTHMODULES:0
+##NAME: LOGGEROPTS:0
#
-# Authentication modules. Here's the default list:
+# courierlogger(1) options.
#
-# authdaemon
-#
-# The default is set during the initial configuration.
-#
-# If this is currently set to AUTHMODULES="authdaemon", DO NOT CHANGE IT.
-# Instead, change the parameter authmodulelist in authdaemonrc.
-AUTHMODULES="authdaemon"
+LOGGEROPTS="-name=imapd"
-##NAME: AUTHMODULES_ORIG:0
+##NAME: DEFDOMAIN:0
#
-# For use by webadmin
+# Optional default domain. If the username does not contain the
+# first character of DEFDOMAIN, then it is appended to the username.
+# If DEFDOMAIN and DOMAINSEP are both set, then DEFDOMAIN is appended
+# only if the username does not contain any character from DOMAINSEP.
+# You can set different default domains based on the the interface IP
+# address using the -access and -accesslocal options of couriertcpd(1).
-AUTHMODULES_ORIG="authdaemon"
+#DEFDOMAIN="@example.com"
-##NAME: DEBUG_LOGIN:0
-#
-# Dump additional login diagnostics to syslog
-#
-# DEBUG_LOGIN=0 - turn off login debugging
-# DEBUG_LOGIN=1 - turn on login debugging
-# DEBUG_LOGIN=2 - turn on login debugging + log passwords too
-#
-# Note that most information is sent to syslog at level 'debug', so
-# you may need to modify your /etc/syslog.conf to be able to see it.
-
-DEBUG_LOGIN=1
-
##NAME: IMAP_CAPABILITY:1
#
# IMAP_CAPABILITY specifies what most of the response should be to the
# CAPABILITY command.
#
-# If you have properly configured Courier to use CRAM-MD5 or CRAM-SHA1
-# authentication (see INSTALL), set IMAP_CAPABILITY as follows:
+# If you have properly configured Courier to use CRAM-MD5, CRAM-SHA1, or
+# CRAM-SHA256 authentication (see INSTALL), set IMAP_CAPABILITY as follows:
#
-# IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 IDLE"
+# IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"
#
-IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE"
+#IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE"
+IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT IDLE"
##NAME: KEYWORDS_CAPABILITY:0
#
# IMAP_KEYWORDS=1 enables custom IMAP keywords. Set this option to 0 to
# disable custom keywords.
+#
+# IMAP_KEYWORDS=2 also enables custom IMAP keywords, but uses a slower
+# algorithm. Use this setting if keyword-related problems occur when
+# multiple IMAP clients are updating keywords on the same message.
IMAP_KEYWORDS=1
+##NAME: ACL_CAPABILITY:0
+#
+# IMAP_ACL=1 enables IMAP ACL extension. Set this option to 0 to
+# disable ACL capabilities announce.
+
+IMAP_ACL=1
+
##NAME: SMAP1_CAPABILITY:0
#
# EXPERIMENTAL
@@ -134,12 +132,32 @@
#
# SMAP_CAPABILITY=SMAP1
-##NAME: IMAP_CAPABILITY_ORIG:1
+##NAME: IMAP_CAPABILITY_ORIG:2
#
# For use by webadmin
-IMAP_CAPABILITY_ORIG="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 IDLE"
+IMAP_CAPABILITY_ORIG="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"
+##NAME: IMAP_PROXY:0
+#
+# Enable proxying. See README.proxy
+
+IMAP_PROXY=0
+
+##NAME: PROXY_HOSTNAME:0
+#
+# Override value from gethostname() when checking if a proxy connection is
+# required.
+#
+# PROXY_HOSTNAME=
+
+##NAME: IMAP_PROXY_FOREIGN:0
+#
+# Proxying to non-Courier servers. Re-sends the CAPABILITY command after
+# logging in to the remote server. May not work with all IMAP clients.
+
+IMAP_PROXY_FOREIGN=0
+
##NAME: IMAP_IDLE_TIMEOUT:0
#
# This setting controls how often
@@ -147,6 +165,13 @@
IMAP_IDLE_TIMEOUT=60
+##NAME: IMAP_MAILBOX_SANITY_CHECK:0
+#
+# Sanity check -- make sure home directory and maildir's ownership matches
+# the IMAP server's effective uid and gid
+
+IMAP_MAILBOX_SANITY_CHECK=1
+
##NAME: IMAP_CAPABILITY_TLS:0
#
# The following setting will advertise SASL PLAIN authentication after
@@ -203,6 +228,16 @@
IMAP_OBSOLETE_CLIENT=0
+##NAME: IMAP_UMASK:0
+#
+# IMAP_UMASK sets the umask of the server process. The value of IMAP_UMASK is
+# simply passed to the "umask" command. The default value is 022.
+#
+# This feature is mostly useful for shared folders, where the file permissions
+# of the messages may be important.
+
+IMAP_UMASK=022
+
##NAME: IMAP_ULIMITD:0
#
# IMAP_ULIMITD sets the maximum size of the data segment of the server
@@ -220,7 +255,7 @@
# sorting (by my calculations you have to have at least 100,000 messages
# in a single folder, for that to happen).
-IMAP_ULIMITD=65536
+IMAP_ULIMITD=131072
##NAME: IMAP_USELOCKS:0
#
@@ -354,6 +389,13 @@
HEADERFROM=X-IMAP-Sender
+##NAME: OUTBOX_MULTIPLE_SEND:0
+#
+# Remove the following comment to allow a COPY of more than one message to
+# the Outbox, at a time.
+#
+# OUTBOX_MULTIPLE_SEND=1
+
##NAME: IMAPDSTART:0
#
# IMAPDSTART is not used directly. Rather, this is a convenient flag to
Modified: trunk/vhffs-doc/config/courier/imapd-ssl
===================================================================
--- trunk/vhffs-doc/config/courier/imapd-ssl 2011-04-05 22:23:31 UTC (rev 1648)
+++ trunk/vhffs-doc/config/courier/imapd-ssl 2011-04-16 15:31:00 UTC (rev 1649)
@@ -1,11 +1,11 @@
-##VERSION: $Id: imapd-ssl.dist.in,v 1.10 2004/06/14 00:56:07 mrsam Exp $
+##VERSION: $Id: imapd-ssl.dist.in,v 1.22 2009/08/12 22:25:49 mrsam Exp $
#
# imapd-ssl created from imapd-ssl.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
-# Copyright 2000 - 2002 Double Precision, Inc. See COPYING for
+# Copyright 2000 - 2008 Double Precision, Inc. See COPYING for
# distribution information.
#
# This configuration file sets various options for the Courier-IMAP server
@@ -30,8 +30,8 @@
#
# Multiple port numbers can be separated by commas. When multiple port
# numbers are used it is possibly to select a specific IP address for a
-# given port as "ip.port". For example, "127.0.0.1.900,192.68.0.1.900"
-# accepts connections on port 900 on IP addresses 127.0.0.1 and 192.68.0.1
+# given port as "ip.port". For example, "127.0.0.1.900,192.168.0.1.900"
+# accepts connections on port 900 on IP addresses 127.0.0.1 and 192.168.0.1
# The SSLADDRESS setting is a default for ports that do not have
# a specified IP address.
@@ -52,12 +52,19 @@
SSLPIDFILE=/var/run/courier/imapd-ssl.pid
+##NAME: SSLLOGGEROPTS:0
+#
+# courierlogger(1) options.
+#
+
+SSLLOGGEROPTS="-name=imapd-ssl"
+
##NAME: IMAPDSSLSTART:0
#
# Different pid files, so that both instances of couriertcpd can coexist
# happily.
#
-# You can also redefine AUTHMODULES and IMAP_CAPABILITY, although I can't
+# You can also redefine IMAP_CAPABILITY, although I can't
# think of why you'd want to do that.
#
#
@@ -84,11 +91,9 @@
#########################################################################
#
-# The following variables configure IMAP over SSL. If OpenSSL is available
-# during configuration, the couriertls helper gets compiled, and upon
-# installation a dummy TLS_CERTFILE gets generated. courieresmtpd will
-# automatically advertise the ESMTP STARTTLS extension if both TLS_CERTFILE
-# and COURIERTLS exist.
+# The following variables configure IMAP over SSL. If OpenSSL or GnuTLS
+# is available during configuration, the couriertls helper gets compiled, and
+# upon installation a dummy TLS_CERTFILE gets generated.
#
# WARNING: Peer certificate verification has NOT yet been tested. Proceed
# at your own risk. Only the basic SSL/TLS functionality is known to be
@@ -103,28 +108,111 @@
#
# TLS_PROTOCOL sets the protocol version. The possible versions are:
#
+# OpenSSL:
+#
# SSL2 - SSLv2
# SSL3 - SSLv3
+# SSL23 - either SSLv2 or SSLv3 (also TLS1, it seems)
# TLS1 - TLS1
+#
+# Note that this setting, with OpenSSL, is modified by the TLS_CIPHER_LIST
+# setting, below.
+#
+# GnuTLS:
+#
+# SSL3 - SSLv3
+# TLS1 - TLS 1.0
+# TLS1_1 - TLS 1.1
+#
+# When compiled against GnuTLS, multiple protocols can be selected as follows:
+#
+# TLS_PROTOCOL="TLS1_1:TLS1:SSL3"
+#
+# DEFAULT VALUES:
+#
+# SSL23 (OpenSSL), or "TLS_1:TLS1:SSL3" (GnuTLS)
-TLS_PROTOCOL=SSL3
-
##NAME: TLS_STARTTLS_PROTOCOL:0
#
# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the IMAP STARTTLS
# extension, as opposed to IMAP over SSL on port 993.
#
+# It takes the same values for OpenSSL/GnuTLS as TLS_PROTOCOL
-TLS_STARTTLS_PROTOCOL=TLS1
-
##NAME: TLS_CIPHER_LIST:0
#
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
# OpenSSL library. In most situations you can leave TLS_CIPHER_LIST
# undefined
#
-# TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"
+# OpenSSL:
+#
+# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
+#
+# To enable SSL2, remove the obvious "!SSLv2" part from the above list.
+#
+#
+# GnuTLS:
+#
+# TLS_CIPHER_LIST="HIGH:MEDIUM"
+#
+# The actual list of available ciphers depend on the options GnuTLS was
+# compiled against. The possible ciphers are:
+#
+# AES256, 3DES, AES128, ARC128, ARC40, RC2, DES, NULL
+#
+# Also, the following aliases:
+#
+# HIGH -- all ciphers that use more than a 128 bit key size
+# MEDIUM -- all ciphers that use a 128 bit key size
+# LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher
+# is not included
+# ALL -- all ciphers except the NULL cipher
+##NAME: TLS_MIN_DH_BITS:0
+#
+# TLS_MIN_DH_BITS=n
+#
+# GnuTLS only:
+#
+# Set the minimum number of acceptable bits for a DH key exchange.
+#
+# GnuTLS's compiled-in default is 727 bits (as of GnuTLS 1.6.3). Some server
+# have been encountered that offer 512 bit keys. You may have to set
+# TLS_MIN_DH_BITS=512 here, if necessary.
+
+##NAME: TLS_KX_LIST:0
+#
+# GnuTLS only:
+#
+# Allowed key exchange protocols. The default of "ALL" should be sufficient.
+# The list of supported key exchange protocols depends on the options GnuTLS
+# was compiled against, but may include the following:
+#
+# DHERSA, DHEDSS, RSA, SRP, SRPRSA, SRPDSS, PSK, DHEPSK, ANONDH, RSAEXPORT
+
+TLS_KX_LIST=ALL
+
+##NAME: TLS_COMPRESSION:0
+#
+# GnuTLS only:
+#
+# Optional compression. "ALL" selects all available compression methods.
+#
+# Available compression methods: DEFLATE, LZO, NULL
+
+TLS_COMPRESSION=ALL
+
+##NAME: TLS_CERTS:0
+#
+# GnuTLS only:
+#
+# Supported certificate types are X509 and OPENPGP.
+#
+# OPENPGP has not been tested
+
+TLS_CERTS=X509
+
##NAME: TLS_TIMEOUT:0
# TLS_TIMEOUT is currently not implemented, and reserved for future use.
# This is supposed to be an inactivity timeout, but its not yet implemented.
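Review bot: Removing `TLS_PROTOCOL=SSL3` and `TLS_STARTTLS_PROTOCOL=TLS1` leaves both settings at the compiled-in default, which the comment in this hunk gives as SSL23 for OpenSSL. SSLv2 and SSLv3 therefore stay negotiable unless TLS_CIPHER_LIST excludes them, and TLS_CIPHER_LIST appears only as a commented sample. The example should pin the protocol explicitly, e.g. `TLS_PROTOCOL=TLS1` and `TLS_STARTTLS_PROTOCOL=TLS1`, and uncomment the OpenSSL cipher list that carries `!SSLv2`, `!EXP`, `!NULL` and `!aNULL`. The added `TLS_KX_LIST=ALL` and `TLS_COMPRESSION=ALL` are also broader than an example needs: the key-exchange list printed above them includes ANONDH and RSAEXPORT, and TLS-level compression is generally disabled because it can leak information about the plaintext. The same applies to the pop3d-ssl hunks at `@@ -92,17 +93,36 @@` and `@@ -112,8 +132,75 @@`, where pop3d-ssl still keeps `TLS_STARTTLS_PROTOCOL=TLS1` but imapd-ssl no longer does.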
@@ -132,7 +220,7 @@
##NAME: TLS_DHCERTFILE:0
#
-# TLS_DHCERTFILE - PEM file that stores our Diffie-Hellman cipher pair.
+# TLS_DHCERTFILE - PEM file that stores a Diffie-Hellman -based certificate.
# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA
# you must generate a DH pair that will be used. In most situations the
# DH pair is to be treated as confidential, and the file specified by
@@ -144,8 +232,34 @@
#
# TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS
# servers, and is optional for SSL/TLS clients. TLS_CERTFILE is usually
-# treated as confidential, and must not be world-readable.
+# treated as confidential, and must not be world-readable. Set TLS_CERTFILE
+# instead of TLS_DHCERTFILE if this is a garden-variety certificate
#
+# VIRTUAL HOSTS (servers only):
+#
+# Due to technical limitations in the original SSL/TLS protocol, a dedicated
+# IP address is required for each virtual host certificate. If you have
+# multiple certificates, install each certificate file as
+# $TLS_CERTFILE.aaa.bbb.ccc.ddd, where "aaa.bbb.ccc.ddd" is the IP address
+# for the certificate's domain name. So, if TLS_CERTFILE is set to
+# /etc/certificate.pem, then you'll need to install the actual certificate
+# files as /etc/certificate.pem.192.168.0.2, /etc/certificate.pem.192.168.0.3
+# and so on, for each IP address.
+#
+# GnuTLS only (servers only):
+#
+# GnuTLS implements a new TLS extension that eliminates the need to have a
+# dedicated IP address for each SSL/TLS domain name. Install each certificate
+# as $TLS_CERTFILE.domain, so if TLS_CERTFILE is set to /etc/certificate.pem,
+# then you'll need to install the actual certificate files as
+# /etc/certificate.pem.host1.example.com, /etc/certificate.pem.host2.example.com
+# and so on.
+#
+# Note that this TLS extension also requires a corresponding support in the
+# client. Older SSL/TLS clients may not support this feature.
+#
+# This is an experimental feature.
+
TLS_CERTFILE=/etc/courier/imapd.pem
##NAME: TLS_TRUSTCERTS:0
@@ -159,9 +273,9 @@
# the -domain option) and by SSL/TLS servers (TLS_VERIFYPEER is set
# to PEER or REQUIREPEER).
#
-#
-# TLS_TRUSTCERTS=
+TLS_TRUSTCERTS=/etc/ssl/certs
+
##NAME: TLS_VERIFYPEER:0
#
# TLS_VERIFYPEER - how to verify client certificates. The possible values of
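Review bot: `TLS_TRUSTCERTS=/etc/ssl/certs` makes the system-wide CA directory the trust anchor for client certificates, which is a risky default for the TLS_EXTERNAL feature documented further down in this file. It has no effect while `TLS_VERIFYPEER=NONE`. Once an admin follows the TLS_EXTERNAL steps and sets PEER or REQUIREPEER, a certificate issued by any CA in that directory with a matching `emailaddress` subject would be accepted as that login. I would add a comment above the setting, for example `# If TLS_VERIFYPEER is set to PEER/REQUIREPEER, point TLS_TRUSTCERTS at a directory holding only your own client-certificate CA`. The TLS_TRUSTCERTS comment block starts outside this hunk.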
@@ -176,6 +290,27 @@
#
TLS_VERIFYPEER=NONE
+
+##NAME: TLS_EXTERNAL:0
+#
+# To enable SSL certificate-based authentication:
+#
+# 1) TLS_TRUSTCERTS must be set to a pathname that holds your certificate
+# authority's SSL certificate
+#
+# 2) TLS_VERIFYPEER=PEER or TLS_VERIFYPEER=REQUIREPEER (the later settings
+# requires all SSL clients to present a certificate, and rejects
+# SSL/TLS connections without a valid cert).
+#
+# 3) Set TLS_EXTERNAL, below, to the subject field that holds the login ID.
+# Example:
+#
+# TLS_EXTERNAL=emailaddress
+#
+# The above example retrieves the login ID from the "emailaddress" subject
+# field. The certificate's emailaddress subject must match exactly the login
+# ID in the courier-authlib database.
+
##NAME: TLS_CACHE:0
#
# A TLS/SSL session cache may slightly improve response for IMAP clients
Modified: trunk/vhffs-doc/config/courier/pop3d
===================================================================
--- trunk/vhffs-doc/config/courier/pop3d 2011-04-05 22:23:31 UTC (rev 1648)
+++ trunk/vhffs-doc/config/courier/pop3d 2011-04-16 15:31:00 UTC (rev 1649)
@@ -1,11 +1,11 @@
-##VERSION: $Id: pop3d.dist.in,v 1.9 2004/04/18 15:54:39 mrsam Exp $
+##VERSION: $Id: pop3d.dist.in,v 1.16 2005/07/05 12:42:51 mrsam Exp $
#
# pop3d created from pop3d.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
-# Copyright 1998 - 2002 Double Precision, Inc. See COPYING for
+# Copyright 1998 - 2004 Double Precision, Inc. See COPYING for
# distribution information.
#
# Courier POP3 daemon configuration
@@ -28,45 +28,6 @@
MAXPERIP=4
-##NAME: AUTHMODULES:0
-#
-#########################################################################
-##
-## Authentication modules which attempt to validate userid/password
-## combinations. See authpam(8) for more information. The default set
-## is installed at configuration time. You may have to edit the following
-## to remove unnecessary authentication modules. In particular, if
-## authpam is included in the list below, you will have to remove authpwd
-## and authshadow, since their functionality is included in the authpam
-## module.
-##
-#########################################################################
-#
-# If this is currently set to AUTHMODULES="authdaemon", DO NOT CHANGE IT.
-# Instead, change the parameter authmodulelist in authdaemonrc.
-
-AUTHMODULES="authdaemon"
-
-
-##NAME: AUTHMODULES_ORIG:0
-#
-# This setting is for use with webadmin
-
-AUTHMODULES_ORIG="authdaemon"
-
-##NAME: DEBUG_LOGIN:0
-#
-# Dump additional login diagnostics to syslog
-#
-# DEBUG_LOGIN=0 - turn off login debugging
-# DEBUG_LOGIN=1 - turn on login debugging
-# DEBUG_LOGIN=2 - turn on login debugging + log passwords too
-#
-# Note that most information is sent to syslog at level 'debug', so
-# you may need to modify your /etc/syslog.conf to be able to see it.
-
-DEBUG_LOGIN=1
-
##NAME: POP3AUTH:1
#
# To advertise the SASL capability, per RFC 2449, uncomment the POP3AUTH
@@ -74,18 +35,18 @@
#
# POP3AUTH="LOGIN"
#
-# If you have configured the CRAM-MD5 or CRAM-SHA1, set POP3AUTH to something
-# like this:
+# If you have configured the CRAM-MD5, CRAM-SHA1 or CRAM-SHA256, set POP3AUTH
+# to something like this:
#
# POP3AUTH="LOGIN CRAM-MD5 CRAM-SHA1"
POP3AUTH=""
-##NAME: POP3AUTH_ORIG:0
+##NAME: POP3AUTH_ORIG:1
#
# For use by webadmin
-POP3AUTH_ORIG="LOGIN CRAM-MD5 CRAM-SHA1"
+POP3AUTH_ORIG="PLAIN LOGIN CRAM-MD5 CRAM-SHA1 CRAM-SHA256"
##NAME: POP3AUTH_TLS:1
#
@@ -102,6 +63,19 @@
POP3AUTH_TLS_ORIG="LOGIN PLAIN"
+##NAME: POP3_PROXY:0
+#
+# Enable proxying. See README.proxy
+
+POP3_PROXY=0
+
+##NAME: PROXY_HOSTNAME:0
+#
+# Override value from gethostname() when checking if a proxy connection is
+# required.
+
+# PROXY_HOSTNAME=
+
##NAME: PORT:1
#
# Port to listen on for connections. The default is port 110.
@@ -128,6 +102,24 @@
TCPDOPTS="-nodnslookup -noidentlookup"
+##NAME: LOGGEROPTS:0
+#
+# courierlogger(1) options.
+#
+
+LOGGEROPTS="-name=pop3d"
+
+##NAME: DEFDOMAIN:0
+#
+# Optional default domain. If the username does not contain the
+# first character of DEFDOMAIN, then it is appended to the username.
+# If DEFDOMAIN and DOMAINSEP are both set, then DEFDOMAIN is appended
+# only if the username does not contain any character from DOMAINSEP.
+# You can set different default domains based on the the interface IP
+# address using the -access and -accesslocal options of couriertcpd(1).
+
+#DEFDOMAIN="@example.com"
+
##NAME: POP3DSTART:0
#
# POP3DSTART is not referenced anywhere in the standard Courier programs
Modified: trunk/vhffs-doc/config/courier/pop3d-ssl
===================================================================
--- trunk/vhffs-doc/config/courier/pop3d-ssl 2011-04-05 22:23:31 UTC (rev 1648)
+++ trunk/vhffs-doc/config/courier/pop3d-ssl 2011-04-16 15:31:00 UTC (rev 1649)
@@ -1,11 +1,11 @@
-##VERSION: $Id: pop3d-ssl.dist.in,v 1.11 2004/06/14 00:56:07 mrsam Exp $
+##VERSION: $Id: pop3d-ssl.dist.in,v 1.23 2009/08/12 22:25:49 mrsam Exp $
#
# pop3d-ssl created from pop3d-ssl.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
-# Copyright 2000-2002 Double Precision, Inc. See COPYING for
+# Copyright 2000-2008 Double Precision, Inc. See COPYING for
# distribution information.
#
# This configuration file sets various options for the Courier-IMAP server
@@ -30,8 +30,8 @@
#
# Multiple port numbers can be separated by commas. When multiple port
# numbers are used it is possibly to select a specific IP address for a
-# given port as "ip.port". For example, "127.0.0.1.900,192.68.0.1.900"
-# accepts connections on port 900 on IP addresses 127.0.0.1 and 192.68.0.1
+# given port as "ip.port". For example, "127.0.0.1.900,192.168.0.1.900"
+# accepts connections on port 900 on IP addresses 127.0.0.1 and 192.168.0.1
# The SSLADDRESS setting is a default for ports that do not have
# a specified IP address.
@@ -47,12 +47,15 @@
##NAME: SSLPIDFILE:0
#
-# You can also redefine AUTHMODULES, although I can't
-# think of why you'd want to do that.
+
+SSLPIDFILE=/var/run/courier/pop3d-ssl.pid
+
+##NAME: SSLLOGGEROPTS:0
#
+# courierlogger(1) options.
#
-SSLPIDFILE=/var/run/courier/pop3d-ssl.pid
+SSLLOGGEROPTS="-name=pop3d-ssl"
##NAME: POP3DSSLSTART:0
#
@@ -76,11 +79,9 @@
##NAME: COURIERTLS:0
#
-# The following variables configure POP3 over SSL. If OpenSSL is available
-# during configuration, the couriertls helper gets compiled, and upon
-# installation a dummy TLS_CERTFILE gets generated. courieresmtpd will
-# automatically advertise the ESMTP STARTTLS extension if both TLS_CERTFILE
-# and COURIERTLS exist.
+# The following variables configure POP3 over SSL. If OpenSSL or GnuTLS
+# is available during configuration, the couriertls helper gets compiled, and
+# upon installation a dummy TLS_CERTFILE gets generated.
#
# WARNING: Peer certificate verification has NOT yet been tested. Proceed
# at your own risk. Only the basic SSL/TLS functionality is known to be
@@ -92,17 +93,36 @@
#
# TLS_PROTOCOL sets the protocol version. The possible versions are:
#
+# OpenSSL:
+#
# SSL2 - SSLv2
# SSL3 - SSLv3
+# SSL23 - either SSLv2 or SSLv3 (also TLS1, it seems)
# TLS1 - TLS1
+#
+# Note that this setting, with OpenSSL, is modified by the TLS_CIPHER_LIST
+# setting, below.
+#
+# GnuTLS:
+#
+# SSL3 - SSLv3
+# TLS1 - TLS 1.0
+# TLS1_1 - TLS 1.1
+#
+# When compiled against GnuTLS, multiple protocols can be selected as follows:
+#
+# TLS_PROTOCOL="TLS1_1:TLS1:SSL3"
+#
+# DEFAULT VALUES:
+#
+# SSL23 (OpenSSL), or "TLS_1:TLS1:SSL3" (GnuTLS)
-TLS_PROTOCOL=SSL3
-
##NAME: TLS_STARTTLS_PROTOCOL:0
#
# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the POP3 STARTTLS
# extension, as opposed to POP3 over SSL on port 995.
#
+# It takes the same values for OpenSSL/GnuTLS as TLS_PROTOCOL
TLS_STARTTLS_PROTOCOL=TLS1
@@ -112,8 +132,75 @@
# OpenSSL library. In most situations you can leave TLS_CIPHER_LIST
# undefined
#
-# TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"
+# OpenSSL:
+#
+# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
+#
+# To enable SSL2, remove the obvious "!SSLv2" part from the above list.
+#
+#
+# GnuTLS:
+#
+# TLS_CIPHER_LIST="HIGH:MEDIUM"
+#
+# The actual list of available ciphers depend on the options GnuTLS was
+# compiled against. The possible ciphers are:
+#
+# AES256, 3DES, AES128, ARC128, ARC40, RC2, DES, NULL
+#
+# Also, the following aliases:
+#
+# HIGH -- all ciphers that use more than a 128 bit key size
+# MEDIUM -- all ciphers that use a 128 bit key size
+# LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher
+# is not included
+# ALL -- all ciphers except the NULL cipher
+
+##NAME: TLS_MIN_DH_BITS:0
+#
+# TLS_MIN_DH_BITS=n
+#
+# GnuTLS only:
+#
+# Set the minimum number of acceptable bits for a DH key exchange.
+#
+# GnuTLS's compiled-in default is 727 bits (as of GnuTLS 1.6.3). Some server
+# have been encountered that offer 512 bit keys. You may have to set
+# TLS_MIN_DH_BITS=512 here, if necessary.
+
+##NAME: TLS_KX_LIST:0
+#
+# GnuTLS only:
+#
+# Allowed key exchange protocols. The default of "ALL" should be sufficient.
+# The list of supported key exchange protocols depends on the options GnuTLS
+# was compiled against, but may include the following:
+#
+# DHERSA, DHEDSS, RSA, SRP, SRPRSA, SRPDSS, PSK, DHEPSK, ANONDH, RSAEXPORT
+
+TLS_KX_LIST=ALL
+
+##NAME: TLS_COMPRESSION:0
+#
+# GnuTLS only:
+#
+# Optional compression. "ALL" selects all available compression methods.
+#
+# Available compression methods: DEFLATE, LZO, NULL
+
+TLS_COMPRESSION=ALL
+
+##NAME: TLS_CERTS:0
+#
+# GnuTLS only:
+#
+# Supported certificate types are X509 and OPENPGP.
+#
+# OPENPGP has not been tested
+
+TLS_CERTS=X509
+
##NAME: TLS_TIMEOUT:0
# TLS_TIMEOUT is currently not implemented, and reserved for future use.
# This is supposed to be an inactivity timeout, but its not yet implemented.
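Review bot: `TLS_KX_LIST=ALL` and `TLS_COMPRESSION=ALL` enable everything the GnuTLS build offers, and the comment above lists ANONDH and RSAEXPORT among the possible key exchanges. Anonymous DH gives the client no server authentication and export-grade RSA is weak by design. For an example that people copy, I would restrict the key exchanges to the authenticated ones named in the comment (DHERSA, DHEDSS, RSA) and set `TLS_COMPRESSION=NULL`, since TLS-level compression can leak information about the plaintext through record sizes. The TLS_MIN_DH_BITS text that suggests 512 could carry a caveat such as `# 512-bit DH is weak; lower the minimum only for a specific peer that needs it`.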
@@ -121,7 +208,7 @@
##NAME: TLS_DHCERTFILE:0
#
-# TLS_DHCERTFILE - PEM file that stores our Diffie-Hellman cipher pair.
+# TLS_DHCERTFILE - PEM file that stores a Diffie-Hellman -based certificate.
# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA
# you must generate a DH pair that will be used. In most situations the
# DH pair is to be treated as confidential, and the file specified by
@@ -133,8 +220,34 @@
#
# TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS
# servers, and is optional for SSL/TLS clients. TLS_CERTFILE is usually
-# treated as confidential, and must not be world-readable.
+# treated as confidential, and must not be world-readable. Set TLS_CERTFILE
+# instead of TLS_DHCERTFILE if this is a garden-variety certificate
#
+# VIRTUAL HOSTS (servers only):
+#
+# Due to technical limitations in the original SSL/TLS protocol, a dedicated
+# IP address is required for each virtual host certificate. If you have
+# multiple certificates, install each certificate file as
+# $TLS_CERTFILE.aaa.bbb.ccc.ddd, where "aaa.bbb.ccc.ddd" is the IP address
+# for the certificate's domain name. So, if TLS_CERTFILE is set to
+# /etc/certificate.pem, then you'll need to install the actual certificate
+# files as /etc/certificate.pem.192.168.0.2, /etc/certificate.pem.192.168.0.3
+# and so on, for each IP address.
+#
+# GnuTLS only (servers only):
+#
+# GnuTLS implements a new TLS extension that eliminates the need to have a
+# dedicated IP address for each SSL/TLS domain name. Install each certificate
+# as $TLS_CERTFILE.domain, so if TLS_CERTFILE is set to /etc/certificate.pem,
+# then you'll need to install the actual certificate files as
+# /etc/certificate.pem.host1.example.com, /etc/certificate.pem.host2.example.com
+# and so on.
+#
+# Note that this TLS extension also requires a corresponding support in the
+# client. Older SSL/TLS clients may not support this feature.
+#
+# This is an experimental feature.
+
TLS_CERTFILE=/etc/courier/pop3d.pem
##NAME: TLS_TRUSTCERTS:0
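Review bot: The new VIRTUAL HOSTS paragraphs introduce extra certificate files (`$TLS_CERTFILE.aaa.bbb.ccc.ddd` and `$TLS_CERTFILE.domain`), but the "must not be world-readable" requirement is stated only for TLS_CERTFILE itself. Assuming these files carry the same confidential material as the main PEM file, the text should say so, e.g. `# Each per-address or per-domain file needs the same ownership and permissions as TLS_CERTFILE.`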
@@ -148,9 +261,9 @@
# the -domain option) and by SSL/TLS servers (TLS_VERIFYPEER is set
# to PEER or REQUIREPEER).
#
-#
-# TLS_TRUSTCERTS=
+TLS_TRUSTCERTS=/etc/ssl/certs
+
##NAME: TLS_VERIFYPEER:0
#
# TLS_VERIFYPEER - how to verify client certificates. The possible values of
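Review bot: `TLS_TRUSTCERTS=/etc/ssl/certs` points at what is normally the system-wide CA directory. That is harmless while `TLS_VERIFYPEER=NONE`, but it becomes the trust anchor for client certificates as soon as someone follows the TLS_EXTERNAL steps added in the next hunk. Step 1 there asks for "your certificate authority's SSL certificate"; with the whole system store, any CA in it could vouch for a certificate whose subject field matches a login ID. I would add a comment next to the setting, e.g. `# For TLS_EXTERNAL logins, point this at a directory holding only your own CA`, or leave the variable commented out as before.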
@@ -165,6 +278,26 @@
#
TLS_VERIFYPEER=NONE
+##NAME: TLS_EXTERNAL:0
+#
+# To enable SSL certificate-based authentication:
+#
+# 1) TLS_TRUSTCERTS must be set to a pathname that holds your certificate
+# authority's SSL certificate
+#
+# 2) TLS_VERIFYPEER=PEER or TLS_VERIFYPEER=REQUIREPEER (the later settings
+# requires all SSL clients to present a certificate, and rejects
+# SSL/TLS connections without a valid cert).
+#
+# 3) Set TLS_EXTERNAL, below, to the subject field that holds the login ID.
+# Example:
+#
+# TLS_EXTERNAL=emailaddress
+#
+# The above example retrieves the login ID from the "emailaddress" subject
+# field. The certificate's emailaddress subject must match exactly the login
+# ID in the courier-authlib database.
+
##NAME: TLS_CACHE:0
#
# A TLS/SSL session cache may slightly improve response for long-running
Modified: trunk/vhffs-doc/config/exim4-mx1/exim4.conf
===================================================================
--- trunk/vhffs-doc/config/exim4-mx1/exim4.conf 2011-04-05 22:23:31 UTC (rev 1648)
+++ trunk/vhffs-doc/config/exim4-mx1/exim4.conf 2011-04-16 15:31:00 UTC (rev 1649)
@@ -1,6 +1,6 @@
hide pgsql_servers = PGHOST/PGDB/PGUSER/PGPASS
MAIL_HOME=/data/mail/boxes
-PGSQL_LOCAL_DOMAINS = ${lookup pgsql{SELECT domain FROM vhffs_mxdomain WHERE domain = '${quote_pgsql:$domain}'}}
+PGSQL_LOCAL_DOMAINS = ${lookup pgsql{SELECT DISTINCT domain FROM vhffs_mxdomain WHERE domain = '${quote_pgsql:$domain}'}}
PGSQL_VIRTUAL_LOCAL_DOMAINS = ${lookup pgsql{select vhffs_boxes.domain from vhffs_boxes, vhffs_mxdomain where local_part = '${quote_pgsql:$local_part}' and vhffs_boxes.domain = vhffs_mxdomain.domain and vhffs_mxdomain.domain = '${quote_pgsql:$domain}' and vhffs_boxes.state = 6}}
PGSQL_VIRTUAL_LOCAL_DIR = MAIL_HOME/${lookup pgsql{select boxes_path from vhffs_mxdomain where domain = '${quote_pgsql:$domain}'}{$value}fail}/${lookup pgsql{select mbox_name from vhffs_boxes where domain = '${quote_pgsql:$domain}' and local_part = '${quote_pgsql:$local_part}'}{$value}fail}/Maildir
PGSQL_VIRTUAL_FORWARD_DATA = ${lookup pgsql{select remote_name from vhffs_forward, vhffs_mxdomain where local_part = '${quote_pgsql:$local_part}' and vhffs_forward.domain = vhffs_mxdomain.domain and vhffs_mxdomain.domain = '${quote_pgsql:$domain}'}}
@@ -15,8 +15,8 @@
LISTENGINE_HOME=/usr/lib/vhffs/listengine/
LISTENGINE_QUEUE=LISTENGINE_HOME/listengine.pl
-LISTENGINE_UID=www-data
-LISTENGINE_GID=www-data
+LISTENGINE_UID=listengine
+LISTENGINE_GID=listengine
exim_path = /usr/sbin/exim4
@@ -43,9 +43,11 @@
message_size_limit = 10M
-smtp_accept_max = 120
+smtp_accept_max = 100
+smtp_accept_max_per_host = 10
-smtp_accept_queue_per_connection = 100
+smtp_accept_max_per_connection = 10000
+smtp_accept_queue_per_connection = 10000
smtp_load_reserve = 50.0
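Review bot: `smtp_accept_queue_per_connection = 10000` together with `smtp_accept_max_per_connection = 10000` effectively removes the per-connection throttle that the old value of 100 provided. A single SMTP session can now hand over up to 10000 messages, each eligible for an immediate delivery attempt. The exim4-mx2 example in this same commit uses 1000 for the per-connection maximum and keeps the queue threshold at 100, so the two files disagree without explanation. Unless mx1 has a documented reason for the higher values, I would keep `smtp_accept_queue_per_connection = 100` and add a comment stating why the per-connection limit differs from mx2.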
@@ -83,7 +85,7 @@
# {}}
acl_check_rcpt:
- accept hosts = :
+ accept hosts = :
# deny message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
# !acl = acl_whitelist_local_deny
@@ -97,9 +99,9 @@
# {CONFDIR/local_host_blacklist}\
# {}}
- drop condition = ${if eq{$sender_helo_name}{}{yes}{no}}
- message = HELO/EHLO required by SMTP RFC.\n\
- Bye dude!
+# drop condition = ${if eq{$sender_helo_name}{}{yes}{no}}
+# message = HELO/EHLO required by SMTP RFC.\n\
+# Bye dude!
# accept senders = ${if exists{CONFDIR/whitelist_sender}\
# {CONFDIR/whitelist_sender}\
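Review bot: Commenting out the `drop condition = ${if eq{$sender_helo_name}{}{yes}{no}}` rule means acl_check_rcpt no longer rejects clients that skip HELO/EHLO, and nothing in the hunk says why. The same rule is disabled in the exim4-mx2 hunk at -85,9. If the reason was false positives or the informal message text, a softer form keeps the check, e.g. `deny condition = ${if eq{$sender_helo_name}{}{yes}{no}}` with a neutral message, rather than removing it. At minimum, add a comment above the disabled lines such as `# disabled: <reason>; clients that send no HELO/EHLO are now accepted`. The ACL body starts and continues outside the hunk.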
@@ -342,7 +344,7 @@
group = Debian-exim
mode = 0666
directory_mode = 0700
- maildir_use_size_file
+# maildir_use_size_file
# quota = PGSQL_VIRTUAL_LOCAL_QUOTA
# quota_filecount = PGSQL_VIRTUAL_LOCAL_QFILE
# maildir_quota_directory_regex = ^(?:cur|new|\..*)$
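Review bot: The transport shown here keeps `mode = 0666`, so delivered message files are world-readable and world-writable, and only `directory_mode = 0700` on the enclosing directories stands between them and other local users. Since this hunk already touches the transport, consider `mode = 0600`, or `mode = 0660` if the IMAP/POP3 daemon reads mail under a different uid in the same group. The transport's user setting is outside the hunk, so confirm which applies. The now-disabled `maildir_use_size_file` would also benefit from a short comment saying it belongs with the commented-out quota lines below it.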
@@ -412,7 +414,7 @@
#* quota_7d
#* quota F,2h,15m; F,3d,1h
-* * F,4h,1h; G,20h,1h,1.5; F,3d,12h
+* * F,15m,15m; F,4h,1h; G,20h,1h,1.5; F,3d,12h
begin rewrite
Modified: trunk/vhffs-doc/config/exim4-mx2/exim4.conf
===================================================================
--- trunk/vhffs-doc/config/exim4-mx2/exim4.conf 2011-04-05 22:23:31 UTC (rev 1648)
+++ trunk/vhffs-doc/config/exim4-mx2/exim4.conf 2011-04-16 15:31:00 UTC (rev 1649)
@@ -31,15 +31,17 @@
message_size_limit = 10M
-smtp_accept_max = 120
+smtp_accept_max = 100
+smtp_accept_max_per_host = 10
+smtp_accept_max_per_connection = 1000
smtp_accept_queue_per_connection = 100
-smtp_load_reserve = 40.0
+smtp_load_reserve = 20.0
-deliver_queue_load_max = 2.0
+deliver_queue_load_max = 5.0
-queue_only_load = 2.0
+queue_only_load = 5.0
host_lookup = *
rfc1413_hosts = *
@@ -51,7 +53,7 @@
timeout_frozen_after = 30d
-remote_max_parallel = 35
+remote_max_parallel = 25
#freeze_tell = postmaster
spool_directory = /var/spool/exim4
@@ -85,9 +87,9 @@
# {CONFDIR/local_host_blacklist}\
# {}}
- drop condition = ${if eq{$sender_helo_name}{}{yes}{no}}
- message = HELO/EHLO required by SMTP RFC.\n\
- Bye dude!
+# drop condition = ${if eq{$sender_helo_name}{}{yes}{no}}
+# message = HELO/EHLO required by SMTP RFC.\n\
+# Bye dude!
# accept senders = ${if exists{CONFDIR/whitelist_sender}\
# {CONFDIR/whitelist_sender}\
@@ -189,7 +191,6 @@
domains = PGSQL_RELAY_CHECKLOCALPART
transport = remote_smtp
same_domain_copy_routing = yes
- ignore_target_hosts = !212.85.158.8 : *
no_more
#spamcheck_router:
@@ -285,7 +286,7 @@
#* quota_7d
#* quota F,2h,15m; F,3d,1h
-* * F,4h,1h; G,20h,1h,1.5; F,6d,12h; F,24d,1d
+* * F,1m,1m; F,4h,1h; G,20h,1h,1.5; F,6d,12h; F,24d,1d
begin rewrite