##VERSION: $Id: courierd.dist.in 197 2012-04-22 14:11:29Z mrsam $
#
# courierd created from courierd.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
#  Copyright 1998 - 2011 Double Precision, Inc.  See COPYING for
#  distribution information.
#
#  This configuration file sets various global options for Courier.
#  The contents of this file is turned into courierd's environment by
#  the courierctl.start script.

##NAME: prefixes:0
#

prefix="/usr"
exec_prefix="/usr"

##NAME: SYSLOCALE:0
#
# Define the default system locale.
#
# Put whatever's needed here to load the default system locale into a completely
# empty environment.
#
# Example (for Fedora/CentOs):
#
#   . /etc/sysconfig/i18n
#
# Alternatively, manually set the necessary environment variable directly:
#
#   LANG=en_US.utf-8
#

. /etc/environment

##NAME: PATH:0
#
#
#  Specify the default PATH that everything inherits -- including commands
#  executed from individual .courier files

PATH=/usr/bin:/bin:/usr/bin:/usr/local/bin

##NAME: SHELL:0
#
#  The default shell

SHELL=/bin/bash

##NAME: DSNNOTIFY:0
#
#  If you would like to suppress all bounces for mail forwarded via an
#  individual .courier file, uncomment the following:
#
# DSNNOTIFY=N

##NAME: DSNTOAUTHADDR:0
#
#  If DSNTOAUTHADDR=1 and the ESMTP client authenticates, bounces will be
#  sent to the authenticated address, and not the return address the sender
#  provided.  This will work only if:
#
#  * The authenticated address is a full <user@domain> address.
#
#  * The authenticated address does not contain 8bit chars!
#
#  Enabling the DSNTOAUTHADDR=1 setting helps prevent abusive backscatter
#  originating from local users.  Turn it off if you want to.

DSNTOAUTHADDR=0

##NAME: DYNAMICDELIVERIES:0
#
#  If you would like to disable the ability to generate dynamic delivery
#  instructions, set the following variable to 0.  See dot-courier(5)
#  for more information.

DYNAMICDELIVERIES=1

########################################################################
#
##NAME: DEFAULTDELIVERY:0
#
#  Specify default delivery instructions by setting DEFAULTDELIVERY
#  One of the following definitions of DEFAULTDELIVERY should be
#  uncommented.
#
#  Default deliveries to $HOME/Maildir
#
#  DEFAULTDELIVERY=./Maildir
#
#  Alternatively, use procmail to deliver mail to local mailboxes.
#
#  DEFAULTDELIVERY="| /usr/bin/preline /usr/bin/procmail"
#
#  Here's how to have maildrop handle local deliveries.
#
#  DEFAULTDELIVERY="| /usr/bin/maildrop"
#
#  If you want to automatically enable .forward support globally,
#  use something like this:
#
#  DEFAULTDELIVERY="|| dotforward
#  ./Maildir"
#
#  Yes, it's two lines long, with an embedded newline.  Of course, you can use
#  any default local mail delivery instruction in place of ./Maildir.

DEFAULTDELIVERY=./Maildir

##NAME: MAILDROPDEFAULT:0
#
#  The following setting initializes the DEFAULT variable in maildrop,
#  the location of the default mailbox.  You should not change this setting
#  unless you REALLY know what you're doing.

MAILDROPDEFAULT=./Maildir

##NAME: ESMTP_CORK:0
#
#  ESMTP_CORK=1 is an extension used with Linux kernel >2.2 that avoids sending
#  partial frames when sending a message via ESMTP.  Set ESMTP_CORK to 0 to
#  disable it (diagnostic option).  In certain situations this option has no
#  effect.  For example, when using SSL the entire channel has an encryption
#  layer around, so courieresmtp is actually talking to a pipe.

ESMTP_CORK=1

##NAME: ESMTP_BLOCKBACKSCATTER:0
#
# Default setting of ESMTP_BLOCKBACKSCATTER drops backscatter bounces.
#
# "Backscatter" is generally defined as a non-delivery notice sent to a
# forged return address.  Since we all know that anyone can use any return
# address on unauthenticated SMTP mail, any bounce message may potentially
# go to a victim of E-mail forgery.
#
# Courier is very good at refusing unwanted mail, and should rarely
# bounce a message after accepting it.  Still, sometimes this can happen,
# usually due to a rejection by a local mail filter.
#
# This is the default setting:
#
# ESMTP_BLOCKBACKSCATTER=smtp/dsn
#
# This setting silently discards a message when all of the following
# conditions are true.
#
# 1) The message is sent via SMTP
# 2) The message is a delivery status notification
# 3) The delivery status notification was in response to a message received
#    via SMTP.
# 4) The original message did not originate from a sender with relaying
#    privileges (not a trusted IP address, no SMTP authentication took place).
#
#
# The following setting does the same thing, except that backscatter from
# senders with relaying privileges is also discarded.
#
# ESMTP_BLOCKBACKSCATTER=smtp/dsn,authsmtp/dsn
#
# To turn off backscatter suppression completely, remove this setting
# altogether.
#
# Do not set this variable to anything else.
#
# Important: if you've configured Courier to enforce mailbox quotas, and
# mailbox overquota is a hard bounce, messages sent to overquota mailboxes
# will be lost!  (This will be fixed, stay tuned).

ESMTP_BLOCKBACKSCATTER=smtp/dsn

##NAME: SOURCE_ADDRESS:0
#
# The SOURCE_ADDRESS and SOURCE_ADDRESS_IPV6 settings have been deprecated and
# replaced by the ipout and ip6out configuration files. See the courier(8)
# man page for more information. These settings will be removed completely in
# a future release.

##NAME: UUXFLAGS:0
#
#  Specify additional flags to uux.  Allowed flags are -g [grade], -j, and
#  -r ONLY.  This environment variable is parsed in a rather simplistic
#  fashion -- it is broken up into space-separate words, and each one is
#  passed to uux together with the mandatory uux flags (namely -p).

UUXFLAGS="-j -g C"

##NAME: ARCHIVEDIR:0
#
#  This is the big-brother option that saves a copy of EACH and EVERY
#  message passing through the system.  Uncomment ARCHIVEDIR, and after
#  a message is delivered, its queue and data file is moved to ARCHIVEDIR
#  instead of being deleted.  You must create the ARCHIVEDIR directory
#  yourself, and it must be owned by the "daemon" userid.
#
#  Also, ARCHIVEDIR *MUST* be on the same partition/volume as Courier's
#  mail queue directory.
#
#  All messages will be saved into a flat directory, with one subdirectory
#  created each calendar day.  Therefore, you will need to make sure that
#  your filesystem can handle it.  Each message consists of two files,
#  the control file, and the message data file.  The Linux ext2 filesystem,
#  for example, will start to have problems once there are more than
#  32,000 files in the same directory, so if your system carries a higher
#  daily volume, you'll need to purge out the archive subdirectory several
#  times a day.
#
#  If you fill up an archive directory, mail will continue to move, but
#  not archived.  Caveat emptor.
#
#  ARCHIVEDIR="/usr/lib/courier/bigbrother"

##NAME: ESMTP_USE_STARTTLS:0
#
# The following variables specify whether or not the ESMTP *client* will use
# SSL when talking to a remote ESMTP server that supports SSL.

ESMTP_USE_STARTTLS=1

##NAME: COURIERTLS:0
#
# For SSL to work, OpenSSL must be available when Courier is compiled, and
# couriertls must be installed here:
#
# If couriertls is not installed, ESMTP_USE_TLS is quietly ignored.

COURIERTLS=/usr/bin/couriertls

##NAME: ESMTP_TLS_VERIFY_DOMAIN:0
#
# The following variables specify SSL/TLS properties for the ESMTP SSL client.
#
# Set ESMTP_TLS_VERIFY_DOMAIN to 1 if we must verify the domain in the remote
# server's certificate.  For this to actually work as intended, you must
# install root authority certificates in the locations specified by CERTINFO
# setting, and set TLS_VERIFYPEER to PEER.  Otherwise, this is meaningless.
#
# This setting must be set to 1 when Courier uses a smarthost that requires
# SMTP SSL certificates for authentication and relaying privileges.

ESMTP_TLS_VERIFY_DOMAIN=0

##NAME: TLS_PROTOCOL:0
# 
# TLS_PROTOCOL sets the protocol version.  The possible versions are:
#
# OpenSSL:
#
# SSL3 - SSLv3
# SSL23 - either SSLv2 or SSLv3 (also TLS1, it seems)
# TLS1 - TLS1
#
# Note that this setting, with OpenSSL, is modified by the TLS_CIPHER_LIST
# setting, below.
#
# GnuTLS:
#
# SSL3   - SSLv3
# TLS1   - TLS 1.0
# TLS1_1 - TLS 1.1
#
# When compiled against GnuTLS, multiple protocols can be selected as follows:
#
# TLS_PROTOCOL="TLS1_1:TLS1:SSL3"
#
# DEFAULT VALUES:
#
# SSL23 (OpenSSL), or "TLS_1:TLS1:SSL3" (GnuTLS)

##NAME: TLS_CIPHER_LIST:0
#
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
# OpenSSL library.  In most situations you can leave TLS_CIPHER_LIST
# undefined
#
# OpenSSL:
#
# TLS_CIPHER_LIST="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
#
#
# GnuTLS:
#
# TLS_CIPHER_LIST="HIGH:MEDIUM"
#
# The actual list of available ciphers depend on the options GnuTLS was
# compiled against. The possible ciphers are:
#
# AES256, 3DES, AES128, ARC128, ARC40, RC2, DES, NULL
#
# Also, the following aliases:
#
# HIGH -- all ciphers that use more than a 128 bit key size
# MEDIUM -- all ciphers that use a 128 bit key size
# LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher
#        is not included
# ALL -- all ciphers except the NULL cipher

##NAME: TLS_MIN_DH_BITS:0
#
# TLS_MIN_DH_BITS=n
#
# GnuTLS only:
#
# Set the minimum number of acceptable bits for a DH key exchange.
#
# GnuTLS's compiled-in default is 727 bits (as of GnuTLS 1.6.3). Some server
# have been encountered that offer 512 bit keys. You may have to set
# TLS_MIN_DH_BITS=512 here, if necessary.

##NAME: TLS_KX_LIST:0
#
# GnuTLS only:
#
# Allowed key exchange protocols. The default of "ALL" should be sufficient.
# The list of supported key exchange protocols depends on the options GnuTLS
# was compiled against, but may include the following:
#
# DHERSA, DHEDSS, RSA, SRP, SRPRSA, SRPDSS, PSK, DHEPSK, ANONDH, RSAEXPORT

TLS_KX_LIST=ALL

##NAME: TLS_COMPRESSION:0
#
# GnuTLS only:
#
# Optional compression. "ALL" selects all available compression methods.
#
# Available compression methods: DEFLATE, LZO, NULL

TLS_COMPRESSION=ALL

##NAME: TLS_CERTS:0
#
# GnuTLS only:
#
# Supported certificate types are X509 and OPENPGP.
#
# OPENPGP has not been tested

TLS_CERTS=X509

##NAME: TLS_TIMEOUT:0
# TLS_TIMEOUT is currently not implemented, and reserved for future use.
# This is supposed to be an inactivity timeout, but its not yet implemented.
#

##NAME: TLS_DHCERTFILE:0
#
# TLS_DHCERTFILE - PEM file that stores a Diffie-Hellman -based certificate.
# Use this setting instead of TLS_CERTFILE when using a DH client certificate
# instead of an RSA client certificate.
#
# This setting must be set when Courier uses a smarthost that requires
# SMTP SSL certificates for authentication and relaying privileges.
#
# TLS_DHCERTFILE=

##NAME: TLS_CERTFILE:0
#
# TLS_CERTFILE - client SSL certificate
#
# This setting must be set when Courier uses a smarthost that requires
# SMTP SSL certificates for authentication and relaying privileges.
#
# TLS_CERTFILE=


##NAME: TLS_TRUSTCERTS:1
#
# TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
# Use this setting to define SSL certificate authorities
#
# This setting must be set when Courier uses a smarthost that requires
# SMTP SSL certificates for authentication and relaying privileges.

TLS_TRUSTCERTS=/etc/ssl/certs

##NAME: TLS_TRUSTSECURITYCERTS:0
#
# TLS_TRUSTSECURITYCERTS=pathname - same as TLS_TRUSTCERTS, except that
# these certs are used when the Courier-specific SECURITY extension is
# specified for a given message. ESMTP_USE_STARTTLS must be set to 1,
# above, and this option implies ESMTP_TLS_VERIFY_DOMAIN.
#
# This setting, of course, can be same as TLS_TRUSTCERTS, however it is
# often desirable to use a separate, private, root CA cert in order to
# create private, organization-internal, secure mail delivery channel
# over an untrusted network, that's validated by X.509 certs signed
# by a private root CA.
#
# !!!NOTE!!! this is an experimental, not heavily tested, extension
#
# TLS_TRUSTSECURITYCERTS=

##NAME: TLS_VERIFYPEER:1
#
# TLS_VERIFYPEER - how to verify server certificates.  Possible settings:
#
# NONE - do not verify anything
#
# PEER - verify the client certificate, if one's presented
#
# REQUIREPEER - require a client certificate, fail if one's not presented
#
# Most SMTP server certificates on the Internet are self signed, so this
# setting should be left at its default value of "NONE".
#
# This setting must be set to "PEER" when Courier uses a smarthost that requires
# SMTP SSL certificates for authentication and relaying privileges.

TLS_VERIFYPEER=NONE

##NAME: TLS_ERROR_HANDLE:0
#
# The sad reality of SMTP on the Internet is that TLS is broken. Many certs
# are self-signed. Many servers are misconfigured, advertise STARTTLS, but
# barf when they're taken up on this offer.
#
# TLS_ERROR_HANDLE takes the following values:
#
# ignore - attempt a TLS connection, if fails, ignore and proceed sending
# mail without TLS, as long as the connection is still there. Some servers are
# exceptionally broken, and will close the connection. Can't do much there; only
# put them into esmtproutes, with /SECURITY=NONE, so that STARTTLS isn't even
# tried. But, if the peer is still alive, go ahead and proceed without TLS.
#
# soft - attempt a TLS connection, if the host replies with a 5xx error, treat
# it as a soft error, and keep it queued up.
#
# If unset, if this setting is removed, Courier treats TLS connection errors
# as fatal errors, unless the remote host responds with a 4xx error, in which
# case it's a soft error

TLS_ERROR_HANDLE=ignore

##NAME: TLS_ERROR_REPORT
#
# An external hook to report broken TLS hosts.
#
# Use this setting to set up a custom script that gets invoked when encountering
# a server with a broken STARTTLS response:
#
# TLS_ERROR_REPORT="/usr/sbin/another_loser"
#
# The string of TLS_ERROR_REPORT gets passed, verbatim, to your shell for
# execution. The TLS_ERROR_REPORT script can read the following environment
# variables:
#
# ERROR_HOST and ERROR_IP - the broken mail server.
# ERROR_CODE - this environment variable is always set to "STARTTLS", for now.
# ERROR_TEXT - the response from the remote mail server. If it's a multiline
# response, this is just the first line. If the remote mail server closed
# the connection without even the courtesy of telling you to fsck off, this
# will be the literal text "(none)".
#
# Use care in writing the script. Attention should be paid to properly quoting
# any usage of these environment variables, since most of their contents are
# defined by a remote, possibly hostile, party.
#
# This script gets forked off as a child process, and the server continues to
# handle the error code as prescribed by TLS_ERROR_HANDLE, without waiting for
# this script to end. The intended usage of this hook is a quick script that
# logs this somewhere. Do not send mail from here. If you are the loser,
# you've just mailbombed yourself.

