# HG changeset patch
# User Sunil Nimmagadda
# Date 1483957835 -18030
# Node ID 6903f7870c4c3f83493a581d6803ac9733cf101e
# Parent dcd95d2f3567719fbb3b7c15dd18736d485fc9f0
Provide an option to specify cert/key on commandline. While here, document new options and fix mandoc lint warnings.
diff -r dcd95d2f3567 -r 6903f7870c4c pop3d.8
--- a/pop3d.8	Mon Jan 09 15:30:07 2017 +0500
+++ b/pop3d.8	Mon Jan 09 15:31:05 2017 +0500
@@ -20,7 +20,9 @@
 .Nd Post Office Protocol (POP3) daemon.
 .Sh SYNOPSIS
 .Nm
+.Op Fl c Ar certfile
 .Op Fl d
+.Op Fl k Ar keyfile
 .Op Fl p Ar path
 .Op Fl t Ar type
 .Sh DESCRIPTION
@@ -34,13 +36,17 @@
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
+.It Fl c Ar certfile
+Specify the certificate file. Defaults to /etc/ssl/server.crt.
 .It Fl d
 Do not daemonize. If this option is specified,
 .Nm
 will run in foreground and log to
 .Em stderr .
+.It Fl k Ar keyfile
+Specify the key file. Defaults to /etc/ssl/private.key.
 .It Fl p
-Path to the maildrop. Defaults to /var/mail/%u in case of mbox and
+Path to the maildrop. Defaults to /var/mail/%u in case of mbox and
 ~/Maildir in case of maildir.
 .Nm
 expands '~' to user's home dir
@@ -49,14 +55,11 @@
 Specify maildrop type. Options are mbox and maildir. Defaults to mbox.
 .El
 .Sh FILES
-.Bl -tag -width "/etc/ssl/private/server.key" -compact
+.Bl -tag -width Ds -compact
 .It Pa ~/maildir
 .It Pa /var/mail/%u
 User maildrops
-.Pp
-.It /etc/ssl/server.crt
-.It /etc/ssl/private/server.key
-Location of SSL certificate and key
+.El
 .Sh SEE ALSO
 .Xr smtpd 8 ,
 .Xr ssl 8
@@ -82,5 +85,6 @@
 .%A M. Yevstifeyev
 .%D August 2011
 .%R draft-melnikov-pop3-over-tls-02
+.Re
 .Sh CAVEATS
 POP3 authenticates using cleartext passwords on 110(POP3) port.
diff -r dcd95d2f3567 -r 6903f7870c4c pop3d.c
--- a/pop3d.c	Mon Jan 09 15:30:07 2017 +0500
+++ b/pop3d.c	Mon Jan 09 15:31:05 2017 +0500
@@ -38,6 +38,8 @@
 #define MBOX_PATH "/var/mail/%u"
 #define MAILDIR_PATH "~/Maildir"
 #define POP3D_USER "_pop3d"
+#define CERTFILE "/etc/ssl/server.crt"
+#define KEYFILE "/etc/ssl/private/server.key"
 
 static void authenticate(struct imsgev *, struct imsg *);
 static void pop3e_imsgev(struct imsgev *, int , struct imsg *);
@@ -56,13 +58,20 @@
 	struct passwd *pw;
 	struct event ev_sigint, ev_sigterm, ev_sighup, ev_sigchld;
 	const char *path = NULL, *mtype_str = "mbox";
+	const char *cert = CERTFILE, *key = KEYFILE;
 	int ch, d = 0, pair[2];
 
-	while ((ch = getopt(argc, argv, "dp:t:")) != -1) {
+	while ((ch = getopt(argc, argv, "c:dk:p:t:")) != -1) {
 		switch (ch) {
+		case 'c':
+			cert = optarg;
+			break;
 		case 'd':
 			d = 1;
 			break;
+		case 'k':
+			key = optarg;
+			break;
 		case 'p':
 			path = optarg;
 			break;
@@ -101,7 +110,7 @@
 	if ((pw = getpwnam(POP3D_USER)) == NULL)
 		fatalx("main: getpwnam " POP3D_USER);
 
-	pop3_main(pair, pw);
+	pop3_main(pair, pw, cert, key);
 	close(pair[1]);
 	setproctitle("[priv]");
 	logit(LOG_INFO, "pop3d ready; type:%s, path:%s", mtype_str, mpath);
@@ -233,7 +242,8 @@
 {
 	extern char *__progname;
 
-	fprintf(stderr, "usage: %s [-d] [-p path] [-t type]\n", __progname);
+	fprintf(stderr, "usage: %s [-c certfile] [-d] "
+	    "[-k keyfile] [-p path] [-t type]\n", __progname);
 	exit(EXIT_FAILURE);
 }
 
diff -r dcd95d2f3567 -r 6903f7870c4c pop3d.h
--- a/pop3d.h	Mon Jan 09 15:30:07 2017 +0500
+++ b/pop3d.h	Mon Jan 09 15:31:05 2017 +0500
@@ -143,7 +143,7 @@
 };
 
 /* pop3e.c */
-void pop3_main(int [2], struct passwd *);
+void pop3_main(int [2], struct passwd *, const char *, const char *);
 
 /* session.c */
 void session_init(struct listener *, int, const struct sockaddr_storage *);
diff -r dcd95d2f3567 -r 6903f7870c4c pop3e.c
--- a/pop3e.c	Mon Jan 09 15:30:07 2017 +0500
+++ b/pop3e.c	Mon Jan 09 15:31:05 2017 +0500
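Review bot: The default written into the manual does not match the define added in this hunk: `KEYFILE` is `/etc/ssl/private/server.key`, while the new `-k` entry in pop3d.8 says `Defaults to /etc/ssl/private.key.`. An operator reading the page would look for the key in the wrong place, and since the same changeset removes the FILES entries that used to list both paths, the option text is now the only place the defaults are documented. Change the manual line to `Specify the key file. Defaults to /etc/ssl/private/server.key.`, and consider keeping the two strings in one place so they cannot drift apart again.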
@@ -48,7 +48,7 @@
 void *ssl_ctx;
 
 void
-pop3_main(int pair[2], struct passwd *pw)
+pop3_main(int pair[2], struct passwd *pw, const char *cert, const char *key)
 {
 	extern struct session_tree sessions;
 	struct event ev_sigint, ev_sigterm;
@@ -73,7 +73,7 @@
 	pop3_listen("pop3");
 	ssl_init();
 
-	if ((ssl_ctx = ssl_setup()) == NULL)
+	if ((ssl_ctx = ssl_setup(cert, key)) == NULL)
 		fatal("ssl_setup failed");
 
 	pop3_listen("pop3s");
diff -r dcd95d2f3567 -r 6903f7870c4c ssl.c
--- a/ssl.c	Mon Jan 09 15:30:07 2017 +0500
+++ b/ssl.c	Mon Jan 09 15:31:05 2017 +0500
@@ -33,8 +33,6 @@
 
 #define SSL_CIPHERS "HIGH"
 #define SSL_SESSION_TIMEOUT 300
-#define CERTFILE "/etc/ssl/server.crt"
-#define KEYFILE "/etc/ssl/private/server.key"
 
 static char *ssl_load_file(const char *, off_t *);
 
@@ -52,7 +50,7 @@
 }
 
 void *
-ssl_setup(void)
+ssl_setup(const char *certfile, const char *keyfile)
 {
 	SSL_CTX *ctx = NULL;
 	char *cert, *key;
@@ -73,13 +71,13 @@
 	    SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
 
 	/* SSL certificate, key loading */
-	cert = ssl_load_file(CERTFILE, &cert_len);
+	cert = ssl_load_file(certfile, &cert_len);
 	if (cert == NULL)
-		fatal("ssl_load_file: Unable to load " CERTFILE);
+		fatal("ssl_load_file: certificate");
 
-	key = ssl_load_file(KEYFILE, &key_len);
+	key = ssl_load_file(keyfile, &key_len);
 	if (key == NULL)
-		fatal("ssl_load_file: Unable to load " KEYFILE);
+		fatal("ssl_load_file: key");
 
 	if (!SSL_CTX_set_cipher_list(ctx, SSL_CIPHERS))
 		goto err;
diff -r dcd95d2f3567 -r 6903f7870c4c ssl.h
--- a/ssl.h	Mon Jan 09 15:30:07 2017 +0500
+++ b/ssl.h	Mon Jan 09 15:31:05 2017 +0500
@@ -2,7 +2,7 @@
 
 /* ssl.c */
 void ssl_init(void);
-void *ssl_setup(void);
+void *ssl_setup(const char *, const char *);
 void *pop3s_init(SSL_CTX *, int);
 void ssl_error(const char *);
 
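Review bot: The two replacement fatal() messages in the ssl_setup hunk of ssl.c drop the file name that the old messages carried, and now that the paths are operator-supplied through -c/-k this is exactly when the name is needed to tell a typo from an unreadable file. logit() is printf-style elsewhere in this changeset (`logit(LOG_INFO, "pop3d ready; type:%s, path:%s", ...)` in pop3d.c), so the path can be recorded before aborting: `logit(LOG_ERR, "ssl_load_file: %s", certfile);` ahead of `fatal("ssl_load_file: certificate");`, and the same for keyfile. If fatal() itself accepts a format string, the two calls can be folded into one. ssl_setup continues outside the hunk.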