##VERSION: $Id: courierd.dist.in,v 1.16 2005/12/13 03:00:54 mrsam Exp $
#
# courierd created from courierd.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
#  Copyright 1998 - 2001 Double Precision, Inc.  See COPYING for
#  distribution information.
#
#  This configuration file sets various global options for Courier.
#  The contents of this file are turned into courierd's environment by
#  the courierctl.start script.

##NAME: prefixes:0
#

prefix="/usr"
exec_prefix="/usr"

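##NAME: PATH:0
#
#
#  Specify the default PATH that everything inherits -- including commands
#  executed from individual .courier files
#
#  List each directory once, as an absolute path, and keep every listed
#  directory writable by root only: delivery commands named in .courier
#  files are looked up along this PATH, so an empty, relative or
#  user-writable entry would let a different program run in their place.

PATH=/usr/bin:/bin:/usr/local/bin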

##NAME: SHELL:0
#
#  The default shell

SHELL=/bin/sh

##NAME: DSNNOTIFY:0
#
#  If you would like to suppress all bounces for mail forwarded via an
#  individual .courier file, uncomment the following:
#
# DSNNOTIFY=N

##NAME: DSNTOAUTHADDR:0
#
#  If DSNTOAUTHADDR=1 and the ESMTP client authenticates, bounces will be
#  sent to the authenticated address, and not the return address the sender
#  provided.  This will work only if:
#
#  * The authenticated address is a full <user@domain> address.
#
#  * The authenticated address does not contain 8bit chars!
#
#  Enabling the DSNTOAUTHADDR=1 setting helps prevent abusive backscatter
#  originating from local users.  Set it to 0 to turn it off.  Note that the
#  value set below is 0, so this protection is off unless you change it.

DSNTOAUTHADDR=0

##NAME: DYNAMICDELIVERIES:0
#
#  If you would like to disable the ability to generate dynamic delivery
#  instructions, set the following variable to 0.  See dot-courier(5)
#  for more information.
#
#  NOTE(review): dynamic delivery instructions are the "||" form shown in
#  the .forward example under DEFAULTDELIVERY, where a program's output
#  supplies the delivery instructions.  If no account needs that, 0 is the
#  tighter setting -- confirm against dot-courier(5) before changing it.

DYNAMICDELIVERIES=1

########################################################################
#
##NAME: DEFAULTDELIVERY:0
#
#  Specify default delivery instructions by setting DEFAULTDELIVERY
#  One of the following definitions of DEFAULTDELIVERY should be
#  uncommented.
#
#  Default deliveries to $HOME/Maildir
#
#  DEFAULTDELIVERY=./Maildir
#
#  Alternatively, use procmail to deliver mail to local mailboxes.
#
#  DEFAULTDELIVERY="| /usr/bin/preline /usr/bin/procmail"
#
#  Here's how to have maildrop handle local deliveries.
#
#  DEFAULTDELIVERY="| /usr/bin/maildrop"
#
#  If you want to automatically enable .forward support globally,
#  use something like this:
#
#  DEFAULTDELIVERY="|| dotforward
#  ./Maildir"
#
#  Yes, it's two lines long, with an embedded newline.  Of course, you can use
#  any default local mail delivery instruction in place of ./Maildir.

DEFAULTDELIVERY=./Maildir

##NAME: MAILDROPDEFAULT:0
#
#  The following setting initializes the DEFAULT variable in maildrop,
#  the location of the default mailbox.  You should not change this setting
#  unless you REALLY know what you're doing.

MAILDROPDEFAULT=./Maildir

##NAME: ESMTP_CORK:0
#
#  ESMTP_CORK=1 is an extension used with Linux kernel >2.2 that avoids sending
#  partial frames when sending a message via ESMTP.  Set ESMTP_CORK to 0 to
#  disable it (diagnostic option).  In certain situations this option has no
#  effect.  For example, when using SSL the entire channel has an encryption
#  layer around, so courieresmtp is actually talking to a pipe.

ESMTP_CORK=1

##NAME: ESMTP_BLOCKBACKSCATTER:0
#
# Default setting of ESMTP_BLOCKBACKSCATTER drops backscatter bounces.
#
# "Backscatter" is generally defined as a non-delivery notice sent to a
# forged return address.  Since we all know that anyone can use any return
# address on unauthenticated SMTP mail, any bounce message may potentially
# go to a victim of E-mail forgery.
#
# Courier is very good at refusing unwanted mail, and should rarely
# bounce a message after accepting it.  Still, sometimes this can happen,
# usually due to a rejection by a local mail filter.
#
# This is the default setting:
#
# ESMTP_BLOCKBACKSCATTER=smtp/dsn
#
# This setting silently discards a message when all of the following
# conditions are true.
#
# 1) The message is sent via SMTP
# 2) The message is a delivery status notification
# 3) The delivery status notification was in response to a message received
#    via SMTP.
# 4) The original message did not originate from a sender with relaying
#    privileges (not a trusted IP address, no SMTP authentication took place).
#
#
# The following setting does the same thing, except that backscatter from
# senders with relaying privileges is also discarded.
#
# ESMTP_BLOCKBACKSCATTER=smtp/dsn,authsmtp/dsn
#
# To turn off backscatter blocking completely, remove this setting altogether.
#
# Do not set this variable to anything else.
#
# Important: if you've configured Courier to enforce mailbox quotas, and
# mailbox overquota is a hard bounce, messages sent to overquota mailboxes
# will be lost!  (This will be fixed, stay tuned).

ESMTP_BLOCKBACKSCATTER=smtp/dsn

##NAME: SOURCE_ADDRESS:0
#
#  Specify the source IP address to be used when making ESMTP connections
#  outbound to deliver mail. If this value is not specified or "0", the
#  kernel will assign the source IP address.
#
#  SOURCE_ADDRESS=127.0.0.1

##NAME: UUXFLAGS:0
#
#  Specify additional flags to uux.  Allowed flags are -g [grade], -j, and
#  -r ONLY.  This environment variable is parsed in a rather simplistic
#  fashion -- it is broken up into space-separated words, and each one is
#  passed to uux together with the mandatory uux flags (namely -p).

UUXFLAGS="-j -g C"

##NAME: ARCHIVEDIR:0
#
#  This is the big-brother option that saves a copy of EACH and EVERY
#  message passing through the system.  Uncomment ARCHIVEDIR, and after
#  a message is delivered, its queue and data files are moved to ARCHIVEDIR
#  instead of being deleted.  You must create the ARCHIVEDIR directory
#  yourself, and it must be owned by the "daemon" userid.  The archive holds
#  the full content of every message, so do not leave the directory readable
#  by other accounts.
#
#  Also, ARCHIVEDIR *MUST* be on the same partition/volume as Courier's
#  mail queue directory.
#
#  All messages will be saved into a flat directory, with one subdirectory
#  created each calendar day.  Therefore, you will need to make sure that
#  your filesystem can handle it.  Each message consists of two files,
#  the control file, and the message data file.  The Linux ext2 filesystem,
#  for example, will start to have problems once there are more than
#  32,000 files in the same directory, so if your system carries a higher
#  daily volume, you'll need to purge out the archive subdirectory several
#  times a day.
#
#  If you fill up an archive directory, mail will continue to move, but
#  will not be archived.  Caveat emptor.
#
#  ARCHIVEDIR="/usr/lib/courier/bigbrother"

##NAME: ESMTP_USE_STARTTLS:0
#
# The following variables specify whether or not the ESMTP *client* will use
# SSL when talking to a remote ESMTP server that supports SSL.

ESMTP_USE_STARTTLS=1

##NAME: LC_ALL:0
#
# Reset the locale to make sure there are no unexpected surprises

LC_ALL=C

##NAME: COURIERTLS:0
#
# For SSL to work, OpenSSL must be available when Courier is compiled, and
# couriertls must be installed at the path given by COURIERTLS below.
#
# If couriertls is not installed, ESMTP_USE_STARTTLS is quietly ignored,
# i.e. outbound ESMTP sessions are not encrypted.

COURIERTLS=/usr/bin/couriertls

##NAME: ESMTP_TLS_VERIFY_DOMAIN:0
#
# The following variables specify SSL/TLS properties for the ESMTP SSL client.
#
# Set ESMTP_TLS_VERIFY_DOMAIN to 1 if we must verify the domain in the remote
# server's certificate.  For this to actually work as intended, you must
# install root authority certificates in the locations specified by CERTINFO
# setting, and set TLS_VERIFYPEER to PEER.  Otherwise, this is meaningless.
#
# NOTE(review): with 0 here and TLS_VERIFYPEER=NONE further down, the remote
# server's certificate is not checked at all, so STARTTLS protects outbound
# mail only from passive eavesdropping, not from an impersonated server.
# No CERTINFO setting appears in this file; TLS_TRUSTCERTS looks like the
# setting that names the root certificates -- confirm.

ESMTP_TLS_VERIFY_DOMAIN=0

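##NAME: TLS_PROTOCOL:0
#
# TLS_PROTOCOL sets the protocol version.  The possible versions are:
#
# SSL2 - SSLv2
# SSL3 - SSLv3
# TLS1 - TLS1
#
# SSLv2 and SSLv3 are both broken protocols (SSLv3 was formally deprecated
# by RFC 7568 after the POODLE attack), so use TLS1, the strongest value
# listed above.  TLS 1.0 is itself obsolete; if the installed couriertls
# documents newer protocol values, prefer those.

TLS_PROTOCOL=TLS1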

##NAME: TLS_CIPHER_LIST:0
#
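# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
# OpenSSL library.  In most situations you can leave TLS_CIPHER_LIST
# undefined.  The example below only illustrates the syntax: it excludes
# anonymous DH but still admits RC4 and SSLv2 cipher suites, so do not
# enable it as written.
#
# TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"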

# TLS_TIMEOUT is currently not implemented, and reserved for future use.
# This is supposed to be an inactivity timeout, but it's not yet implemented.

##NAME: TLS_DHCERTFILE:0
#
# TLS_DHCERTFILE - PEM file that stores our Diffie-Hellman cipher pair.
# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA
# you must generate a DH pair that will be used.  In most situations the
# DH pair is to be treated as confidential, and the file specified by
# TLS_DHCERTFILE must not be world-readable.
#
# TLS_DHCERTFILE=

##NAME: TLS_CERTFILE:0
#
# TLS_CERTFILE - certificate to use.  TLS_CERTFILE is required for SSL/TLS
# servers, and is optional for SSL/TLS clients.  TLS_CERTFILE is usually
# treated as confidential (the PEM file normally holds the private key
# along with the certificate), and must not be world-readable.
#
# TLS_CERTFILE=


##NAME: TLS_TRUSTCERTS:0
#
# TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
# pathname can be a file or a directory. If a file, the file should
# contain a list of trusted certificates, in PEM format. If a
# directory, the directory should contain the trusted certificates,
# in PEM format, one per file and hashed using OpenSSL's c_rehash
# script. TLS_TRUSTCERTS is used by SSL/TLS clients (by specifying
# the -domain option) and by SSL/TLS servers (TLS_VERIFYPEER is set
# to PEER or REQUIREPEER).
#
# We install a default set of root certificates in /usr/lib/courier/rootcerts

TLS_TRUSTCERTS=/usr/lib/courier/rootcerts

##NAME: TLS_TRUSTSECURITYCERTS:0
#
# TLS_TRUSTSECURITYCERTS=pathname - same as TLS_TRUSTCERTS, except that
# these certs are used when the Courier-specific SECURITY extension is
# specified for a given message. ESMTP_USE_STARTTLS must be set to 1,
# above, and this option implies ESMTP_TLS_VERIFY_DOMAIN.
#
# This setting, of course, can be same as TLS_TRUSTCERTS, however it is
# often desirable to use a separate, private, root CA cert in order to
# create private, organization-internal, secure mail delivery channel
# over an untrusted network, that's validated by X.509 certs signed
# by a private root CA.
#
# !!!NOTE!!! this is an experimental, not heavily tested, extension
#
# TLS_TRUSTSECURITYCERTS=

##NAME: TLS_VERIFYPEER:1
#
# TLS_VERIFYPEER - how to verify server certificates.  This value should
# be kept at its default value of NONE unless you want to enable peer
# certificate verification.
#
# NONE - do not verify anything
#
# PEER - verify the client certificate, if one's presented
#
# REQUIREPEER - require a client certificate, fail if one's not presented
#
# NOTE(review): the option descriptions speak of a client certificate while
# the heading speaks of server certificates; for the ESMTP client the peer is
# presumably the remote server -- confirm.  With NONE, ESMTP_TLS_VERIFY_DOMAIN
# has no effect (see its description above) and TLS sessions are encrypted
# but unauthenticated.

TLS_VERIFYPEER=NONE
