Hi,
I'm working on getting TLS going with 4.0.5 and 4.0.6b3,
and I've discovered that 4.0.6b3 refuses to find/read the
qpopper.config file. 4.0.5 has no problems with this, using the
same file.
Platform: Solaris 9
Code compiled with the following settings:
CC=cc ./configure \
--prefix=/opt/maild \
--enable-debugging \
--enable-keep-temp-drop \
--enable-nonauth-file=/etc/pop.nonauth \
--enable-log-login \
--disable-hash-dir-check \
--disable-old-spool-loc \
--enable-hash-spool=3 \
--with-pam=pop3 \
--enable-uw-kludge \
--enable-temp-drop-dir=/var/spool/pop \
--enable-server-mode \
--enable-low-debug \
--with-openssl=/opt/openssl
Config file is: /opt/maild/qpopper.config, perms are 644 (attached).
/etc/inetd.conf entry on the server machine is:
pop3 stream tcp nowait root /opt/maild/popper popper -l 1 -f
/opt/maild/qpopper.config -d -t /tmp/trace-file
What happens:
% telnet machine 110
Trying {IP number disguised]....
Connected to machine.colby.edu.
Escape character is '^]'.
Unable to process config file /opt/maild/qpopper.config
Connection to machine.colby.edu closed by foreign host.
(nothing appears in the trace-file)
Jeff Earickson
Colby College
#---------------------------------------------------------------------
# Sample Qpopper 4.0 configuration file.
#
# This file lists all Qpopper configuration file options. To use,
# copy the desired setting to your own configuration file, remove
# the leading '#' and set the desired value.
#
#---------------------------------------------------------------------
# An integer value for the number of seconds to announce in
# the CAPA response for the server's minimum login delay.
#
# Default:
#
# set announce-login-delay =
# An integer value for the number of days to announce in
# the CAPA response for the server's maximum message
# retention period.
#
# Default:
#
# set announce-expire =
# The full path to the bulletins directory.
#
# Default: /var/spool/bulls
#
# set bulldir = "/var/spool/bulls"
# Set TRUE to permit sessions to continue even if the
# bulletins database can't be accessed. This permits
# users to get their mail, but they might not see some
# bulletins for a while, or at all.
#
# Only valid when compiled with '--enable-bulldb'.
#
# Default: false.
#
# set bulldb-nonfatal = false
# Sets the maximum number of attempts to lock the bulletins
# database. You normally do not need to adjust this. This value
# should only be changed if you know if your system has usleep(3C)
# or not. On systems with usleep(3C), this can be a large value
# (the default is 75). On systems without usleep(3C), this should
# remain small (the default is 10).
#
# Only valid when compiled with '--enable-bulldb'.
#
# Default: 75 (10 on systems without usleep(3c)).
#
# set bulldb-max-tries = 75
# Sets clear text handling options. Values are:
# o 'default' Clear text passwords are permitted for all users,
# except those in the APOP database
# o 'never' Clear text passwords are never permitted
# o 'always' Clear text passwords are always permitted
# o 'local' Clear text passwords are permitted on the local
# (127.*.*.*) loop back interface only
# o 'tls' Clear text passwords are permitted when TLS/SSL
# has been negotiated for the session
# o 'ssl' Same as tls
#
# The 'tls' and 'ssl' values are only valid if '--with-openssl' or
# '--with-sslplus' was used with ./configure.
#
# Default: default
#
set clear-text-password = never
# Reads additional run-time options from the specified file.
#
# Caution. There are no restrictions on which options may
# appear in files specified with the '-f' command-line flag
# or the 'config-file' configuration file option in files
# chained from -f. Be certain that the file specified with
# '-f' or in any files it chains to are not writable by
# users.
#
# Default: none
#
# set config-file = /etc/mail/pop/qpopper.config
# Enables debug logging. Output is in syslog. If this option is used,
# it should be first, so that debug records are generated for subsequent
# options.
#
# Only valid if ./configure was run with '--enable-debugging'
#
# Default: false
#
# set debug = false
# Changes uppercase user names to lowercase. This permits users to
# configure their clients with user names in UPPER or MiXeD case.
# They can then login, assuming their actual user name is all
# lowercase.
#
# Default: false
#
# set downcase-user = false
# If '--with-drac' used with ./configure, this option specifies the DRAC
# host.
#
# Default: localhost
#
# set drac-host = localhost
# Enables Kerberos support.
#
# Only valid if ./configure run with '--enable-kerberos5'.
#
# Default: false
#
# set kerberos = false
# Specifies the Kerberos service to use (same as the compile time
# KERBEROS_SERVICE define). The default is rcmd, although the use of
# pop is popular.
#
# Only valid if ./configure run with '--enable-kerberos5'.
#
# Default: rcmd
#
# set kerberos-service = "rcmd"
# Checks if mail lock needs to be refreshed every this many messages.
#
# You normally do not need to adjust this. See "Performance" in the
# Qpopper Administrator's Guide for more information.
#
# Default:
#
# set mail-lock-check =
# Disables the reverse lookups on client IP addresses.
#
# Default: true
#
# set reverse-lookup = true
# Enables server mode by default. See the Qpopper Administrator's
# Guide for more information.
#
# Default: false
#
# set server-mode = false
# Enables statistics logging. After each session ends, a statistics
# record is written to the log. This record resembles the following
# example: 'stats randy 0 0 1 385 randy.example.org 192.168.2.4' and
# has the following meaning:
# Username: 'randy'
# Deleted messages: 0
# Deleted octets: 0
# Messages left on server: 1
# Octets left on server: 385
# Name of client machine: 'randy.example.org'
# IP address of client machine: '192.168.2.4'
#
# Default: false
#
# set statistics = false
# Sets the timeout for network reads. Qpopper terminates the
# connection with the client if no input is received in this
# many seconds. RFC 1939 states that this timeout must be
# 600 seconds (10 minutes). However, ideal settings in some
# cases are between 30 and 120 seconds. In other cases the 600
# value is best, and sometimes a value in between is better.
#
# Default: 120
#
set timeout = 300
# Enables debug logging if '--enable-debugging' was used with
# ./configure. All debug and standard log records are written to
# the specified file. If this option is used, it should be first,
# so that debug records are generated for subsequent options.
#
# If used without '--enable-debugging', redirects all log messages
# to the specified file but does not enable debug logging.
#
# Default: none
#
# set tracefile =
# Reads additional run-time options from a file named
# '.qpopper-options' in the user's home directory, if present.
#
# This file is normally owned by the user.
#
# Default: false
#
# set user-options = false
# Reads additional run-time options from a file named
# 'username.qpopper-options' in the spool directory.
#
# This file should not be owned by nor writable by the user.
#
# Default: false
#
# set spool-options = false
# When updating the spool at the end of a session, this option
# instructs Qpopper to rename the temporary file to the spool instead
# of copying it. This reduces I/O at session end by a third, but is
# likely to break programs such as biff or the shell's mail check
# feature. Use this option only if such programs are not used. It is
# safest to only enable this option when users do not have shell
# access to the mail server.
#
# See "Performance" in the Qpopper Administrator's Guide for more
# information.
#
# Default: false
#
# set fast-update = false
# When set, domains are trimmed from user names before use. For
# example, if a user named 'maida' enters her login name in her POP
# client as '[EMAIL PROTECTED]', Qpopper treats this as just 'maida'.
#
# Default: false
#
# set trim-domain = false
# Specifies TLS/SSL support. The permitted values are:
# o 'default' TLS/SSL is not supported
# o 'none' Same as default
# o 'stls' Enables support for the STLS command. This
# permits TLS/SSL negotiations on the
# standard (or any) port, allowing the same
# port to be used by TLS/SSL and regular
# clients.
# o 'alternate-port' Enables alternate-port TLS/SSL. Some older
# clients require this. (The usual port for
# alternate-port TLS/SSL with pop is 995.)
#
# Only valid when '--with-openssl' or '--with-sslplus' used with
# ./configure
#
# Default: default
#
set tls-support = stls
# Specifies the permitted cipher suites. See the OpenSSL documentation
# for syntax. You normally do not need to set this.
#
# Only valid when '--with-openssl' used with ./configure
#
# Default:
#
# set tls-cipher-list =
# Restricts the version of TLS/SSL recognized in session negotiations.
# You normally do not need to set this. Supported values are:
# o 'default' (same as SSLv23)
# o 'SSLv2' Forces Qpopper only to understand SSLv2 client hello
# messages.
# o 'SSLv3' Forces Qpopper only to understand SSLv3 client hello
# messages. This especially means that it does not
# understand SSLv2 client hello messages, which are
# widely used for compatibility reasons.
# o 'TLSv1' Forces Qpopper only to understand TLSv1 client hello
# messages. This especially means that it does not
# understand SSLv2 client hello messages, which are
# widely used for compatibility reasons. It also does
# not understand SSLv3 client hello messages.
# o 'SSLv23' Allows Qpopper to understand SSLv2, SSLv3, and TLSv1
# client hello messages. This is the best choice when
# compatibility is a concern. This is the default
# value.
# o 'all' (same as SSLv23)
#
# Only valid when '--with-openssl' used with ./configure
#
# Default: default
#
# set tls-version = default
# Specifies the file containing the server's TLS/SSL certificate and
# encrypted private key.
#
# Only valid if '--with-sslplus' used with ./configure.
#
# Default: none
#
# set tls-identity-file =
# This option allows various OpenSSL options to be set. OpenSSL
# options are individual bits that control various work-arounds.
#
# The bit values are listed in openssl/ssl.h, and start with SSL_OP_.
# You must specify the actual value of the bit(s) you want to set,
# not the OpenSSL mnemonic.
#
# For example, to set SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, set
# tls-options to 0x00000800.
#
# Note that unlike other options, if you set this option more than
# once, the values are added together. For example, if you set
# tls-options to 0x01, and then later set it to 0x10, it gets set to
# 0x11. This makes is somewhat more convenient to set various SSL
# options without having to manually add them together.
#
# Only valid if '--with-openssl' used with ./configure
#
# Default: 0
#
# set tls-options = 0
# Specifies the passphrase to decrypt the server's private key (in the
# identify file).
#
# Only valid if '--with-sslplus' used with ./configure.
#
# Default: none
#
# set tls-passphrase =
# Specifies a file which contains the server's TLS/SSL private key.
# Note: This private key must not be encrypted.
#
# If the private key is contained in the same file as the certificate
# (as specified with tls-server-cert-file), you do not need to set
# this option.
#
# Only valid if '--with-openssl' used with ./configure
#
# Default: none
#
set tls-private-key-file = /opt/openssl/ssl/private/mail-hub.key.nopasswd
# Specifies the file which contains the server's TLS/SSL certificate.
# This file may also contain the server's unencrypted private key.
#
# Only valid if '--with-openssl' used with ./configure
#
# Default: none
#
#
set tls-server-cert-file = /opt/openssl/ssl/certs/mail-hub.cert
# When set, and Qpopper is being used with OpenSSL, Qpopper enables
# all OpenSSL workarounds by setting the SSL_OP_ALL option.
#
# Only valid if '--with-openssl' used with ./configure
#
# Default: false
#
set tls-workarounds = true
# When set, Qpopper writes a log record at the end of a session
# containing the elapsed time for the session authentication,
# initialization. and cleanup.
#
# Default: false
#
set timing = true
# When set, Qpopper checks for old .user.pop files in old locations
# when hash-spool or homedirmail is used. When reset, Qpopper skips
# this check, which speeds things up.
#
# Default: true
#
# set check-old-spool-loc = true
# When set, Qpopper checks for and creates if needed the hashed spool
# directories. When reset, Qpopper doesn't check for or create the
# hashed spool directories. Set to false if you precreate the
# directories.
#
# Default: true
#
# set check-hash-dir = false
# When set, Qpopper checks for expired passwords (if the platform
# permits). When reset, Qpopper omits this check.
#
# Default: true
#
# set check-password-expired = true
# Determines whether Qpopper updates the read/unread status of
# messages (a feature relied on by some mail clients). Also
# determines if Qpopper saves the message's unique identifier
# (UID) in the spool.
#
# When reset, it forces the UID for every message to be
# recalculated, using more CPU but potentially less I/O.
#
# See the "Performance" section of the Qpopper Administrator's Guide
# for more information.
#
# Default: true
#
# set update-status-headers = true
# Determines whether Qpopper enters update state when a session
# aborts. Resetting this option causes Qpopper to ignore any
# deletions if the session is aborted.
#
# Note that RFC 1939, section 6 prohibits the default behavior,
# but experience showed that otherwise users on noisy lines were
# often unable to delete their mail. Reset this option to inhibit
# the default behavior, and obey RFC 1939, but watch for users who
# download the same messages over and over, or whose spools fill up.
#
# Default: true
#
# set update-on-abort = true
# When set, Qpopper automatically and unconditionally deletes messages
# that have been downloaded using the RETR command (the normal command
# for accessing messages).
#
# Caution: This option could result in lost mail. Be sure to
# inform your users that the option is in effect before enabling.
#
# Default: false
#
# set auto-delete = false
# When set, Qpopper shows bulletins to users by groups (the group name
# is the second dot-separated element in each bulletin's name). See
# "Using Bulletins" in the Qpopper Administrator's Guide for more
# information. Use a group name of 'ALL' for all users.
#
# Default: false
#
# set group-bulletins = false
# When set to a 1 or 2, the subdirectory for the mail spools is
# determined from the user name by either (1) hashing the first four
# characters or (2) by using directories equal to the first letter and
# the second letter (if any). For example, if the spool directory is
# '/var/mail', the spool file for user 'maida' would be:
# '/var/mail/maida' hash-spool = 0
# '/var/mail/o/maida' hash-spool = 1
# '/var/mail/m/a/maida' hash-spool = 2
#
# See the "Performance" section of the Qpopper Administrator's Guide
# for more information.
#
# Default: 0
#
# set hash-spool = 0
# To have the user's home directory be the spool location, set this
# option to be the correct file name for the spool.
#
# Default: none
#
# set home-dir-mail = ".mail"
# When set, instructs Qpopper to generate message unique identifiers
# (UIDs) using old (pre-3.x) style encoding. This is useful only if
# you also set 'update-status-headers' to false, have existing users
# with old (pre-3.x) spool files, and you want to keep the UIDs the
# same.
#
# Default: false
#
# set old-style-uid = false
# When set, Qpopper checks for and hides status messages created by
# University of Washington software.
#
# Default: false
#
# set UW-kluge = false
# When set, Qpopper keeps (does not delete) the '.user.pop' file (the
# temporary drop file). Normally this file is deleted when the
# session ends. Some sites like to retain it to determine the last
# time a user has accessed his or her mail.
#
# Default: false
#
# set keep-temp-drop = false
# When set, causes server mode to be on for users who are members of
# the specified group. See the "Enabling Server Mode" and
# "Performance" sections of the Qpopper Administrator's Guide for more
# information.
#
# Default: none
#
# set group-server-mode =
# When set, causes server mode to be off for users who are members of
# the specified group. See the "Enabling Server Mode" and
# "Performance" sections of the Qpopper Administrator's Guide for more
# information.
#
# Default: none
#
# set group-no-server-mode =
# Specifies a file that permits only users listed in the file to have
# Qpopper access. The format is a list of user names, one per line.
#
# Default: none
#
# set auth-file =
# Specifies a file that denies access to users listed in the file.
# The format is a list of user names, one per line.
#
# Default: none
#
set nonauth-file = /etc/pop.nonauth
# Set this option if you don't want Qpopper to display its version in
# the POP protocol banner or CAPA IMPLEMENTATION response of
# unauthenticated users.
# Some sites believe this improves security since it avoids advertising
# that an old version (perhaps with known vulnerabilities) is being
# used. Others feel is makes the site more likely to be attacked,
# since it also avoids advertising when running a secure version.
#
# Default: false
#
# set shy = false
# Set this to the full path to sendmail or other such program used to
# submit new messages. Qpopper uses this to implement XTND XMIT.
#
# The default is determined at compile time.
#
#
# set mail-command = /usr/sbin/sendmail
# Set this to the full path to the mail spool directory.
#
# The default is determined at compile time.
#
# set spool-dir = /var/spool/mail
# If you do not want '.user.pop' (temporary drop files) to be in the
# spool directory, set this to the full path to the directory to be
# used for temp drop files. Note that use of /tmp is not recommended,
# because a system reboot will wipe out the files. This could cause
# lost mail.
#
# Default: spool directory
#
# set temp-dir =
# The name of the temporary drop files. You should not normally set
# this option.
#
# Default: ".%s.pop"
#
# set temp-name = ".%s.pop"
# If you do not want user cache files to be in the same directory as
# temporary drop files, set this to the full path to the directory for
# cache files. Note that use of /tmp is not recommended, because a
# system reboot wipes out the files.
#
# Default: temp-dir
#
# set cache-dir =
# The name of the cache files. You should not normally set this
# option.
#
# Default: ".%s.cache"
#
# set cache-name = ".%s.cache"
# Specifies the maximum number of old bulletins seen by new users.
#
# Default: 1
#
# set max-bulletins = 1
# When set, Qpopper uses a method of opening lock files that may work
# over NFS. This has not been thoroughly tested, however.
#
# Default: false
#
# set no-atomic-open = false
# Qpopper sends network output to client in small chunks (for example,
# line-by-line when sending a message). By default, Qpopper
# aggregates data to be sent to clients in large chunks. This may be
# faster or slower, depending on specifics of both the client and
# server hardware and networking stacks as wel as network elements in
# between (such as routers). Also, some networking stacks do their
# own aggregation.
#
# Under congested network conditions, larger packets increase the
# incidence of lost packets and thus client or server timeouts,
# leading to "POP timeout" or "EOF" errors.
#
# When TLS/SSL is in effect, smaller packets increase the overhead
# needed to send data, which may result in worse performance.
#
# You can adjust the Qpopper behavior by setting this option. The
# values are:
# o 'default' Always send large chunks
# o 'always' Same as 'default'
# o 'never' Never aggregate data into large chunks
# o 'tls' Only aggregate data into large chunks when TLS/SSL
# has been negotiated for the session
# o 'ssl' Same as 'tls'
#
# Default: default
#
# set chunky-writes = default
# Specifies the log facility that Qpopper uses.
#
# Note that this does not apply to popauth, nor to the daemon in
# standalone mode. These continue to use the compile-time default.
#
# Values are:
# o 'mail' Qpopper logs to LOG_MAIL facility.
# o 'local0' Qpopper logs to LOG_LOCAL0 facility.
# o 'local1' Qpopper logs to LOG_LOCAL1 facility.
# o 'local2' Qpopper logs to LOG_LOCAL2 facility.
# o 'local3' Qpopper logs to LOG_LOCAL3 facility.
# o 'local4' Qpopper logs to LOG_LOCAL4 facility.
# o 'local5' Qpopper logs to LOG_LOCAL5 facility.
# o 'local6' Qpopper logs to LOG_LOCAL6 facility.
# o 'local7' Qpopper logs to LOG_LOCAL7 facility.
#
# Default: determined at compile time, usually LOG_LOCAL0 or
# LOG_MAIL, depending on the operating system.
#
# set log-facility = local1
# When set, Qpopper logs successful authentications using the
# specified string. Within the string, an occurrence of '%0' is
# replaced with the Qpopper version, '%1' with the user name, '%2'
# with the user's host name, and '%3' with the user's IP address.
#
# Default: none, unless '--enable-log-login' used with ./configure,
# in which case "(v%0) POP login by user /"%1/" at (%2) %3" is used.
#
# set log-login = "(v%0) POP login by user /"%1/" at (%2) %3"
