Provide an option to specify cert/key on commandline. v1.0.2
authorSunil Nimmagadda <sunil@esdenera.com>
Mon, 09 Jan 2017 15:31:05 +0500
changeset 43 6903f7870c4c
parent 42 dcd95d2f3567
child 44 cd0efa84de3f
child 45 8ddc91ebc9ad
Provide an option to specify cert/key on commandline. While here, document new options and fix mandoc lint warnings.
pop3d.8
pop3d.c
pop3d.h
pop3e.c
ssl.c
ssl.h
--- a/pop3d.8	Mon Jan 09 15:30:07 2017 +0500
+++ b/pop3d.8	Mon Jan 09 15:31:05 2017 +0500
@@ -20,7 +20,9 @@
 .Nd Post Office Protocol (POP3) daemon.
 .Sh SYNOPSIS
 .Nm
+.Op Fl c Ar certfile
 .Op Fl d
+.Op Fl k Ar keyfile
 .Op Fl p Ar path
 .Op Fl t Ar type
 .Sh DESCRIPTION
@@ -34,13 +36,17 @@
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
+.It Fl c Ar certfile
+Specify the certificate file. Defaults to /etc/ssl/server.crt.
 .It Fl d
 Do not daemonize. If this option is specified,
 .Nm
 will run in foreground and log to
 .Em stderr .
+.It Fl k Ar keyfile
+Specify the key file. Defaults to /etc/ssl/private.key.
 .It Fl p
-Path to the maildrop. Defaults to /var/mail/%u in case of mbox and 
+Path to the maildrop. Defaults to /var/mail/%u in case of mbox and
 ~/Maildir in case of maildir.
 .Nm
 expands '~' to user's home dir
@@ -49,14 +55,11 @@
 Specify maildrop type. Options are mbox and maildir. Defaults to mbox.
 .El
 .Sh FILES
-.Bl -tag -width "/etc/ssl/private/server.key" -compact
+.Bl -tag -width Ds -compact
 .It Pa ~/maildir
 .It Pa /var/mail/%u
 User maildrops
-.Pp
-.It /etc/ssl/server.crt
-.It /etc/ssl/private/server.key
-Location of SSL certificate and key
+.El
 .Sh SEE ALSO
 .Xr smtpd 8 ,
 .Xr ssl 8
@@ -82,5 +85,6 @@
 .%A M. Yevstifeyev
 .%D August 2011
 .%R draft-melnikov-pop3-over-tls-02
+.Re
 .Sh CAVEATS
 POP3 authenticates using cleartext passwords on 110(POP3) port.
--- a/pop3d.c	Mon Jan 09 15:30:07 2017 +0500
+++ b/pop3d.c	Mon Jan 09 15:31:05 2017 +0500
@@ -38,6 +38,8 @@
 #define	MBOX_PATH	"/var/mail/%u"
 #define MAILDIR_PATH	"~/Maildir"
 #define	POP3D_USER	"_pop3d"
+#define CERTFILE	"/etc/ssl/server.crt"
+#define KEYFILE		"/etc/ssl/private/server.key"
 
 static void authenticate(struct imsgev *, struct imsg *);
 static void pop3e_imsgev(struct imsgev *, int , struct imsg *);
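Review bot: The default documented for -k in pop3d.8 does not match the KEYFILE macro added here: the man page hunk says "Defaults to /etc/ssl/private.key", while this hunk defines `KEYFILE "/etc/ssl/private/server.key"` (the same value that the ssl.c hunk removes). An operator reading the man page would place the key at the wrong path and get a startup failure. Since the code keeps the pre-existing location, the man page line should presumably read `Specify the key file. Defaults to /etc/ssl/private/server.key.`; either way both sides must agree. A short comment above the two macros, `/* defaults for -c and -k; see pop3d.8 */`, would tie the two together for the next edit.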
@@ -56,13 +58,20 @@
 	struct passwd	*pw;
 	struct event	ev_sigint, ev_sigterm, ev_sighup, ev_sigchld;
 	const char	*path = NULL, *mtype_str = "mbox";
+	const char	*cert = CERTFILE, *key = KEYFILE;
 	int		ch, d = 0, pair[2];
 
-	while ((ch = getopt(argc, argv, "dp:t:")) != -1) {
+	while ((ch = getopt(argc, argv, "c:dk:p:t:")) != -1) {
 		switch (ch) {
+		case 'c':
+			cert = optarg;
+			break;
 		case 'd':
 			d = 1;
 			break;
+		case 'k':
+			key = optarg;
+			break;
 		case 'p':
 			path = optarg;
 			break;
@@ -101,7 +110,7 @@
 	if ((pw = getpwnam(POP3D_USER)) == NULL)
 		fatalx("main: getpwnam " POP3D_USER);
 
-	pop3_main(pair, pw);
+	pop3_main(pair, pw, cert, key);
 	close(pair[1]);
 	setproctitle("[priv]");
 	logit(LOG_INFO, "pop3d ready; type:%s, path:%s", mtype_str, mpath);
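Review bot: Now that the certificate and key paths are runtime-configurable, the "pop3d ready" log line still reports only the maildrop type and path, so an operator cannot confirm from the log which TLS material a running daemon loaded. Extending the existing line to `logit(LOG_INFO, "pop3d ready; type:%s, path:%s, cert:%s, key:%s", mtype_str, mpath, cert, key);` records the effective configuration at startup, which is what one wants when diagnosing a wrong-certificate report. Both values are paths, not secrets, so logging them is safe. main continues outside this hunk.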
@@ -233,7 +242,8 @@
 {
 	extern char *__progname;
 
-	fprintf(stderr, "usage: %s [-d] [-p path] [-t type]\n", __progname);
+	fprintf(stderr, "usage: %s [-c certfile] [-d] "
+	    "[-k keyfile] [-p path] [-t type]\n", __progname);
 	exit(EXIT_FAILURE);
 }
 
--- a/pop3d.h	Mon Jan 09 15:30:07 2017 +0500
+++ b/pop3d.h	Mon Jan 09 15:31:05 2017 +0500
@@ -143,7 +143,7 @@
 };
 
 /* pop3e.c */
-void pop3_main(int [2], struct passwd *);
+void pop3_main(int [2], struct passwd *, const char *, const char *);
 
 /* session.c */
 void session_init(struct listener *, int, const struct sockaddr_storage *);
--- a/pop3e.c	Mon Jan 09 15:30:07 2017 +0500
+++ b/pop3e.c	Mon Jan 09 15:31:05 2017 +0500
@@ -48,7 +48,7 @@
 void			*ssl_ctx;
 
 void
-pop3_main(int pair[2], struct passwd *pw)
+pop3_main(int pair[2], struct passwd *pw, const char *cert, const char *key)
 {
 	extern struct session_tree	sessions;
 	struct event			ev_sigint, ev_sigterm;
@@ -73,7 +73,7 @@
 	pop3_listen("pop3");
 
 	ssl_init();
-	if ((ssl_ctx = ssl_setup()) == NULL)
+	if ((ssl_ctx = ssl_setup(cert, key)) == NULL)
 		fatal("ssl_setup failed");
 	pop3_listen("pop3s");
 
--- a/ssl.c	Mon Jan 09 15:30:07 2017 +0500
+++ b/ssl.c	Mon Jan 09 15:31:05 2017 +0500
@@ -33,8 +33,6 @@
 
 #define SSL_CIPHERS		"HIGH"
 #define SSL_SESSION_TIMEOUT	300
-#define CERTFILE		"/etc/ssl/server.crt"
-#define KEYFILE			"/etc/ssl/private/server.key"
 
 static char *ssl_load_file(const char *, off_t *);
 
@@ -52,7 +50,7 @@
 }
 
 void *
-ssl_setup(void)
+ssl_setup(const char *certfile, const char *keyfile)
 {
 	SSL_CTX *ctx = NULL;
 	char	*cert, *key;
@@ -73,13 +71,13 @@
 	    SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
 
 	/* SSL certificate, key loading */
-	cert = ssl_load_file(CERTFILE, &cert_len);
+	cert = ssl_load_file(certfile, &cert_len);
 	if (cert == NULL)
-		fatal("ssl_load_file: Unable to load " CERTFILE);
+		fatal("ssl_load_file: certificate");
 
-	key = ssl_load_file(KEYFILE, &key_len);
+	key = ssl_load_file(keyfile, &key_len);
 	if (key == NULL)
-		fatal("ssl_load_file: Unable to load " KEYFILE);
+		fatal("ssl_load_file: key");
 
 	if (!SSL_CTX_set_cipher_list(ctx, SSL_CIPHERS))
 		goto err;
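Review bot: The rewritten fatal messages drop the file path, so a bad -c or -k now fails with only "ssl_load_file: certificate" or "ssl_load_file: key" and no indication of which path was tried; the old messages, built with CERTFILE/KEYFILE concatenation, at least named the file. fatal() appears to take a plain string here (pop3d.c calls fatalx with a concatenated literal), so if it is not printf-like, log the path first with the formatted logger the project already uses, e.g. `logit(LOG_CRIT, "ssl_load_file: cannot load certificate %s", certfile);` before `fatal("ssl_load_file: certificate");`, and the same for keyfile; if fatal() does accept a format, `fatal("ssl_load_file: %s", certfile)` is simpler. ssl_setup's body continues past this hunk.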
--- a/ssl.h	Mon Jan 09 15:30:07 2017 +0500
+++ b/ssl.h	Mon Jan 09 15:31:05 2017 +0500
@@ -2,7 +2,7 @@
 
 /* ssl.c */
 void ssl_init(void);
-void *ssl_setup(void);
+void *ssl_setup(const char *, const char *);
 void *pop3s_init(SSL_CTX *, int);
 void ssl_error(const char *);