| SSLBUILD | SSLBUILD | |||
|---|---|---|---|---|
| /* ======================================================================== | /* ======================================================================== | |||
| * Copyright 1988-2006 University of Washington | * Copyright 1988-2007 University of Washington | |||
| * | * | |||
| * Licensed under the Apache License, Version 2.0 (the "License"); | * Licensed under the Apache License, Version 2.0 (the "License"); | |||
| * you may not use this file except in compliance with the License. | * you may not use this file except in compliance with the License. | |||
| * You may obtain a copy of the License at | * You may obtain a copy of the License at | |||
| * | * | |||
| * http://www.apache.org/licenses/LICENSE-2.0 | * http://www.apache.org/licenses/LICENSE-2.0 | |||
| * | * | |||
| * | * | |||
| * ======================================================================== | * ======================================================================== | |||
| */ | */ | |||
| SSL/TLS BUILD AND INSTALLATION NOTES FOR UNIX | SSL/TLS BUILD AND INSTALLATION NOTES FOR UNIX | |||
| Last Updated: 20 August 2006 | Last Updated: 15 November 2007 | |||
| PREREQUISITES BEFORE STARTING: | PREREQUISITES BEFORE STARTING: | |||
| 1) Review the information in imap-2006/docs/BUILD. | 1) Review the information in imap-2007/docs/BUILD. | |||
| 2) Obtain a copy of OpenSSL. OpenSSL is available from third parties. We | 2) Obtain a copy of OpenSSL. OpenSSL is available from third parties. We | |||
| do not provide OpenSSL. | do not provide OpenSSL. | |||
| 3) Make sure that you know how to build OpenSSL properly on the standard | 3) Make sure that you know how to build OpenSSL properly on the standard | |||
| /usr/local/ssl directory. In particular, /usr/local/ssl/include (and | /usr/local/ssl directory. In particular, /usr/local/ssl/include (and | |||
| /usr/local/ssl/include/openssl) and /usr/local/ssl/lib must be set up | /usr/local/ssl/include/openssl) and /usr/local/ssl/lib must be set up | |||
| from the OpenSSL build. If you have a non-standard installation, then | from the OpenSSL build. If you have a non-standard installation, then | |||
| you must modify the imap-2006/src/osdep/unix/Makefile file to point | you must modify the imap-2007/src/osdep/unix/Makefile file to point | |||
| to the appropriate locations. | to the appropriate locations. | |||
| 4) Make sure that you know how to obtain appropriate certificates on your | 4) Make sure that you know how to obtain appropriate certificates on your | |||
| system. | system. | |||
| NOTE: We can NOT provide you with support in building/installing OpenSSL, o r | NOTE: We can NOT provide you with support in building/installing OpenSSL, o r | |||
| in obtaining certificates. If you need help in doing this, try the contact s | in obtaining certificates. If you need help in doing this, try the contact s | |||
| mentioned in the OpenSSL README. | mentioned in the OpenSSL README. | |||
| SSL BUILD: | SSL BUILD: | |||
| skipping to change at line 50 | skipping to change at line 50 | |||
| To build with SSL but allow plaintext passwords in insecure sessions, | To build with SSL but allow plaintext passwords in insecure sessions, | |||
| add "SSLTYPE=unix" to the make command line. Note that doing so will | add "SSLTYPE=unix" to the make command line. Note that doing so will | |||
| produce an IMAP server which is NON-COMPLIANT with RFC 3501. | produce an IMAP server which is NON-COMPLIANT with RFC 3501. | |||
| To build without SSL, add "SSLTYPE=none" to the make command line. | To build without SSL, add "SSLTYPE=none" to the make command line. | |||
| Note that doing so will produce an IMAP server which is NON-COMPLIANT | Note that doing so will produce an IMAP server which is NON-COMPLIANT | |||
| with RFC 3501. | with RFC 3501. | |||
| There are other make options relevant to SSL, described in | There are other make options relevant to SSL, described in | |||
| imap-2006/src/osdep/unix/Makefile | imap-2007/src/osdep/unix/Makefile | |||
| The most important of these are SSLDIR, SSLCRYPTO, and SSLRSA. | The most important of these are SSLDIR, SSLCRYPTO, and SSLRSA. | |||
| SSLDIR is set to /usr/local/ssl by default. This is the normal | SSLDIR is set to /usr/local/ssl by default. This is the normal | |||
| installation directory for OpenSSL. If your system uses a different direct ory | installation directory for OpenSSL. If your system uses a different direct ory | |||
| you will need to change this. | you will need to change this. | |||
| SSLCRYPTO is set to -lcrypto by default. Older versions of MIT Kerber os | SSLCRYPTO is set to -lcrypto by default. Older versions of MIT Kerber os | |||
| also have a libcrypto and will cause a library name conflict. If you are | also have a libcrypto and will cause a library name conflict. If you are | |||
| using an older version of Kerberos, you may need to change SSLCRYPTO to | using an older version of Kerberos, you may need to change SSLCRYPTO to | |||
| $(SSLLIB)/libcrypto.a | $(SSLLIB)/libcrypto.a | |||
| SSLRSA is set empty by default. It can be set to specify the RSAREF | SSLRSA is set empty by default. It can be set to specify the RSAREF | |||
| libraries, which you once had to use with OpenSSL to use RSA algorithms | libraries, which you once had to use with OpenSSL to use RSA algorithms | |||
| legally if you are in the USA, due to patent issues. Since RSA Security In c. | legally if you are in the USA, due to patent issues. Since RSA Security In c. | |||
| released the RSA algorithm into the public domain on September 6, 2000, the re | released the RSA algorithm into the public domain on September 6, 2000, the re | |||
| is no longer any reason to do this. | is no longer any reason to do this. | |||
| SSL INSTALLATION: | SSL INSTALLATION: | |||
| Binaries from the build are: | Binaries from the build are: | |||
| imap-2006/mtest/mtest c-client testbed program | imap-2007/mtest/mtest c-client testbed program | |||
| imap-2006/ipopd/ipop2d POP2 daemon | imap-2007/ipopd/ipop2d POP2 daemon | |||
| imap-2006/ipopd/ipop3d POP3 daemon | imap-2007/ipopd/ipop3d POP3 daemon | |||
| imap-2006/imapd/imapd IMAP4rev1 daemon | imap-2007/imapd/imapd IMAP4rev1 daemon | |||
| mtest is normally not used except by c-client developers. | mtest is normally not used except by c-client developers. | |||
| STEP 1: inetd setup | STEP 1: inetd setup | |||
| The ipop2d, ipop3d, and imapd daemons should be installed in a system | The ipop2d, ipop3d, and imapd daemons should be installed in a system | |||
| daemon directory and invoked by a listener such as xinetd or inetd. In the | daemon directory and invoked by a listener such as xinetd or inetd. In the | |||
| following examples, /usr/local/etc is used). | following examples, /usr/local/etc is used). | |||
| STEP 1(A): xinetd-specific setup | STEP 1(A): xinetd-specific setup | |||
| skipping to change at line 114 | skipping to change at line 114 | |||
| If your system still uses inetd, the daemons are invoked by your | If your system still uses inetd, the daemons are invoked by your | |||
| /etc/inetd.conf file with lines such as: | /etc/inetd.conf file with lines such as: | |||
| pop stream tcp nowait root /usr/local/etc/ipop2d ipop2d | pop stream tcp nowait root /usr/local/etc/ipop2d ipop2d | |||
| pop3 stream tcp nowait root /usr/local/etc/ipop3d ipop3d | pop3 stream tcp nowait root /usr/local/etc/ipop3d ipop3d | |||
| imap stream tcp nowait root /usr/local/etc/imapd imapd | imap stream tcp nowait root /usr/local/etc/imapd imapd | |||
| pop3s stream tcp nowait root /usr/local/etc/ipop3d ipop3d | pop3s stream tcp nowait root /usr/local/etc/ipop3d ipop3d | |||
| imaps stream tcp nowait root /usr/local/etc/imapd imapd | imaps stream tcp nowait root /usr/local/etc/imapd imapd | |||
| Please refer to imap-2006/docs/BUILD for an important note about inetd 's | Please refer to imap-2007/docs/BUILD for an important note about inetd 's | |||
| limit on the number of new connections. If that note applies to you, and y ou | limit on the number of new connections. If that note applies to you, and y ou | |||
| can configure the number of connection in /etc/inetd.conf as described in | can configure the number of connection in /etc/inetd.conf as described in | |||
| imap-2006/docs/build, here is the sample /etc/inetd.conf entry with SSL: | imap-2007/docs/build, here is the sample /etc/inetd.conf entry with SSL: | |||
| pop3 stream tcp nowait.100 root /usr/local/etc/ipop3d ipop 3d | pop3 stream tcp nowait.100 root /usr/local/etc/ipop3d ipop 3d | |||
| pop3s stream tcp nowait.100 root /usr/local/etc/ipop3d ipop 3d | pop3s stream tcp nowait.100 root /usr/local/etc/ipop3d ipop 3d | |||
| imap stream tcp nowait.100 root /usr/local/etc/imapd imap d | imap stream tcp nowait.100 root /usr/local/etc/imapd imap d | |||
| imaps stream tcp nowait.100 root /usr/local/etc/imapd imap d | imaps stream tcp nowait.100 root /usr/local/etc/imapd imap d | |||
| (or, if you use TCP wrappers) | (or, if you use TCP wrappers) | |||
| pop3 stream tcp nowait.100 root /usr/local/etc/tcpd ipop 3d | pop3 stream tcp nowait.100 root /usr/local/etc/tcpd ipop 3d | |||
| imap stream tcp nowait.100 root /usr/local/etc/tcpd imap d | imap stream tcp nowait.100 root /usr/local/etc/tcpd imap d | |||
| pop3s stream tcp nowait.100 root /usr/local/etc/ipop3d ipop 3d | pop3s stream tcp nowait.100 root /usr/local/etc/ipop3d ipop 3d | |||
| imaps stream tcp nowait.100 root /usr/local/etc/imapd imap d | imaps stream tcp nowait.100 root /usr/local/etc/imapd imap d | |||
| End of changes. 8 change blocks. | ||||
| 11 lines changed or deleted | 11 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||