Sam Varshavchik wrote:
> Gordon Messmer writes:
>
>> 2) The TLS_TRUSTCERTS setting isn't present in esmtpd-ssl or imapd-ssl, though it is in courierd and esmtpd. All of those files mention the default from the .dist in a comment. I'm not sure how sysconftool
>
> CA certificates are not required for servers, so it's not required in the esmtpd file, but I show TLS_TRUSTCERTS being set in both. However, if you're upgrading from an earlier version, the upgrade process will not reset your existing TLS_TRUSTCERTS setting in either file, so you probably inherited your settings from the previous version.

It looks like it preserved the old setting (which was no setting) because TLS_TRUSTCERTS:0 was left in some files, while it was changed to TLS_TRUSTCERTS:1 in courierd. Shouldn't that have been modified globally so that all of the daemons could take advantage of the new default setting?

>> decides whether or not to insert a new setting from .dist when it does upgrades, but this reminds me of something that I've been thinking for quite a while. sysconftool seems well conceived, but overly complex. It seems like the same problems could be solved instead by distributing <config>.dist, and keeping <config> empty of all settings other than non-defaults.
>>
>> In that case, the init script would need to be modified so that it sourced the <config>.dist file first, and then <config>. Settings in <config> would simply override the <config>.dist settings.
>
> Although that's also a reasonable approach, it's better to keep all settings documented in a single file, and provide the current setting right next to its description.

"Better" always depends on the use case. Using sysconftool means that there could potentially be problems if the default value changes, the new setting is desirable, but the old value is preserved because the serial number wasn't updated. That's what I perceive with TLS_TRUSTCERTS, though *this* setting doesn't really constitute a problem.

sysconftool also tends to munge comments in configuration files. Anywhere there's a line of '#' characters used as a separator, for instance, that line and anything in between it and the name of a setting will be moved into the comment section for the previous section on upgrade. Take the attached patch for instance. The whole section of comments describing COURIERTLS and later settings was moved to the comment section for IMAP_TLS_REQUIRED. Again, it hasn't caused any operational problems, but it's ugly enough that I often wipe the configuration out, install a clean copy, and then reapply my local settings. sysconftool makes for a *lot* of extra work in that case.

Finally, if the local configuration files inherited their settings from the .dist version, it would be much easier for me to manage Courier with configuration management tools like bcfg2, puppet, or cfengine. In its current form, the easiest option is also to take the clean configuration files and rebuild my configuration template from scratch each time to avoid missing settings, etc. If they inherited settings and contained only settings which were changed from the default, I could almost always trust that configuration files would work as-is after an upgrade.
--- /etc/courier/imapd-ssl.dist 2008-07-21 13:24:50.000000000 -0700
+++ /etc/courier/imapd-ssl      2008-07-21 13:32:24.000000000 -0700
@@ -85,10 +115,12 @@
 # Set IMAP_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone.
 # (this option advertises the LOGINDISABLED IMAP capability, until STARTTLS
 # is issued).
-
-IMAP_TLS_REQUIRED=0
-
-
+#
+# DEFAULT SETTING from /etc/courier/imapd-ssl.dist:
+#
+#IMAP_TLS_REQUIRED=0
+#
+#
 #########################################################################
 #
 # The following variables configure IMAP over SSL.  If OpenSSL or GnuTLS
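Review bot: the live assignment `IMAP_TLS_REQUIRED=0` is removed from this hunk and only the commented block `# DEFAULT SETTING from /etc/courier/imapd-ssl.dist:` / `#IMAP_TLS_REQUIRED=0` is left under the description, so the text that explains the setting is no longer followed by its effective value; a reader of the merged file sees what looks like a disabled option beneath its own documentation and has to hunt for the active line elsewhere in the file. The merge should emit the local value directly after the default-setting comment it belongs to, before the `####` separator that opens the next section.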
@@ -99,8 +131,17 @@
 # at your own risk.  Only the basic SSL/TLS functionality is known to be
 # working. Keep this in mind as you play with the following variables.
 #
+
+IMAP_TLS_REQUIRED=0
+
+
 ##NAME: COURIERTLS:0
 #
+#
+# DEFAULT SETTING from /etc/courier/imapd-ssl.dist:
+#
+#COURIERTLS=/usr/lib/courier/bin/couriertls
+#
 
 COURIERTLS=/usr/lib/courier/bin/couriertls
 
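Review bot: the active `IMAP_TLS_REQUIRED=0` lands after the `# The following variables configure IMAP over SSL.` header and its `at your own risk` warning, immediately before `##NAME: COURIERTLS:0`, so the merged file reads as though IMAP_TLS_REQUIRED were one of the SSL-section variables and COURIERTLS loses the description that used to sit above it. The comment-collection logic appears to treat everything up to the next `##NAME:` marker as trailing commentary for the previous setting; stopping at the `####` separator line, or attaching a comment run to the `##NAME:` block that follows it, would keep each description with its own variable.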
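The layered scheme proposed in the quoted text (source <config>.dist first, then <config>, so the local file holds only non-default settings) worked through as an added POSIX sh example. This is not Courier's init script nor code from either poster; the sample file contents, the /etc/ssl/certs value, the temporary directory and the helper names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Courier: the layered scheme
# where the init script sources <config>.dist first and then <config>, so the
# local file holds only the settings that differ from the shipped defaults.
# All file contents, paths and values below are constructed samples.

# Source the shipped defaults, then the local overrides.  Anything the admin
# did not set in <config> inherits whatever the current .dist ships.
load_layered_config() {
    _conf="$1"
    [ -r "$_conf.dist" ] && . "$_conf.dist"
    [ -r "$_conf" ] && . "$_conf"
    return 0
}

# Create a sample vendor file and a sample local file under directory $1.
# TLS_TRUSTCERTS is the setting discussed in the thread; TLS_CERTFILE stands
# in for a value the admin deliberately changed.
write_sample_config() {
    cat > "$1/imapd-ssl.dist" <<'EOF'
# shipped defaults, version 1 (constructed sample)
TLS_TRUSTCERTS=
TLS_CERTFILE=/usr/share/imapd.pem
IMAP_TLS_REQUIRED=0
EOF
    # The local file carries only the non-default settings.
    cat > "$1/imapd-ssl" <<'EOF'
TLS_CERTFILE=/etc/courier/site.pem
EOF
}

# Stand-in for a package upgrade: the vendor ships a new .dist whose
# TLS_TRUSTCERTS default changed (the directory value is a placeholder).
# The local file is untouched, yet the new default takes effect because
# nothing in imapd-ssl overrides it.
upgrade_dist() {
    cat > "$1/imapd-ssl.dist" <<'EOF'
# shipped defaults, version 2 (constructed sample)
TLS_TRUSTCERTS=/etc/ssl/certs
TLS_CERTFILE=/usr/share/imapd.pem
IMAP_TLS_REQUIRED=0
EOF
}

# Print the effective value of setting $2 for the configuration under $1.
# Runs in a subshell so the sourced files cannot alter the caller's shell.
effective_setting() (
    load_layered_config "$1/imapd-ssl"
    eval "printf '%s\n' \"\${$2}\""
)

# Show how inherited and overridden settings behave across a simulated upgrade.
demo() {
    _dir=$(mktemp -d) || return 1
    write_sample_config "$_dir"
    echo "v1: TLS_TRUSTCERTS='$(effective_setting "$_dir" TLS_TRUSTCERTS)'" \
         "TLS_CERTFILE='$(effective_setting "$_dir" TLS_CERTFILE)'"
    upgrade_dist "$_dir"
    echo "v2: TLS_TRUSTCERTS='$(effective_setting "$_dir" TLS_TRUSTCERTS)'" \
         "TLS_CERTFILE='$(effective_setting "$_dir" TLS_CERTFILE)'"
    rm -rf "$_dir"
}

demo
```

Run it with `sh`; the two printed lines show TLS_CERTFILE staying at the locally set value while TLS_TRUSTCERTS moves from empty to the new shipped default without any edit to the local file, which is the inheritance the proposal relies on. The cost Sam points out is visible too: the local file no longer carries the descriptions of the settings it changes, so the .dist has to be consulted for documentation.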
_______________________________________________
courier-users mailing list
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users