authorSergey Poznyakoff <gray@gnu.org>2017-03-18 10:07:30 +0200
committerSergey Poznyakoff <gray@gnu.org>2017-03-18 14:44:55 +0200
commitafda9ba46c7eb2c061f3907dc7e80ae1ba38157b (patch)
tree84da1baef0e14dc0e70419913d4e1a5d84e9e16e /pop3d
parent0c8e598549a7cb99b9665f37814b006765344c43 (diff)
downloadmailutils-afda9ba46c7eb2c061f3907dc7e80ae1ba38157b.tar.gz
mailutils-afda9ba46c7eb2c061f3907dc7e80ae1ba38157b.tar.bz2
Rewrite TLS support
The new implementation allows for per-server certificates. * libmu_auth/Makefile.am: Build tls support depending on the value of MU_COND_GNUTLS. * libmu_auth/notls.c: New file. * libmu_auth/tls.c: Rewrite. * libmu_auth/tlsiostr.c: New file. * libmu_auth/tlsvar.c: New file. * libmu_auth/tlsconf.c: New file. * include/mailutils/sys/tls-stream.h (_mu_tls_stream): New members: session_type, conf, cred. (mu_tls_io_stream_create): New proto. * include/mailutils/tls.h (mu_tls_module_config): Remove definition. (mu_tls_config): New structure. (mu_tls_server_stream_create): Remove proto. (mu_tls_cert_file_checks) (mu_tls_key_file_checksr) (mu_tls_ca_file_checks): New globals (MU_TLS_CERT_FILE_CHECKS) (MU_TLS_KEY_FILE_CHECKS) (MU_TLS_CA_FILE_CHECKS): New defines. (mu_tls_stream_create): New proto. (mu_tls_config_status): New constants. (mu_tls_check_config): Remove. (mu_tls_config_check): New function. * include/mailutils/server.h (mu_m_server_preflight_fp): New typedef. (mu_m_server_set_preflight): New proto. * libmailutils/diag/debcat (tls): New category. * libmailutils/server/ipsrv.c (mu_ip_server_get_data): New function. * libmailutils/server/msrv.c (_mu_m_server) <preflight>: New method. (mu_m_server_set_preflight): New function. (mu_m_server_destroy): Destroy the srvlist. (open_connection): New function. (mu_m_server_run): Remove from srvlist only those servers that failed to open. Run preflight check, if registered. * include/mailutils/cfg.h (mu_cfg_section): New member: data. * libmailutils/cfg/driver.c (dup_container): Copy the "data" pointer. (mu_cfg_section_add_params): Preserve original pointer and offset when necessary. * libmailutils/cfg/parser.y (_scan_tree_helper): Use the section data pointer (if set) as data target. * configure.ac (MU_COND_GNUTLS): New conditional. * imap4d/commands.c: Remove #ifdef WITH_TLS preprocessor conditional. * imap4d/imap4d.c (tls_mode): Remove variable. (imap4d_srv_config): Move definition to the header file. 
Remove #ifdef WITH_TLS preprocessor conditionals. Rename the tls configuration statement to tls-mode. Add new subsection .server.tls; Remove the legacy tls-required configuration statement. (imap4d_mainloop): Change signature: take a pointer to the struct imap4d_srv_config as the 3rd argument, Use the cfg->tls_mode member to decide on TLS state. (main): Call mu_tls_cfg_init. Install server preflight checker. * imap4d/imap4d.h: Remove #ifdef WITH_TLS preprocessor conditionals. (imap4d_srv_config): Moved from imap4d.c New member: tls_conf (imap4d_session): New member: tls_conf (global_tls_conf): New global. (io_setio, imap4d_init_tls_server): Change prototypes. * imap4d/io.c (io_setio): Change signature: take a pointer to the struct mu_tls_config as the 3rd argument. Rewrite TLS support. (imap4d_init_tls_server): Take a pointer to the struct mu_tls_config. * imap4d/starttls.c (tls_available, tls_done): Remove globals. (global_tls_conf): New global. (imap4d_starttls): Keep TLS state in the session. (tls_encryption_on): Likewise. (starttls_init): Rewrite as a mserver preflight check function. * pop3d/capa.c: Remove #ifdef WITH_TLS preprocessor conditional. (capa_stls): Rewrite. * pop3d/cmd.c (global_tls_conf): New global. (stls_preflight): New function. (pop3d_error_string): Rewrite using char ** array. * pop3d/extra.c (pop3d_setio): Take a pointer to struct mu_tls_config as the 3rd argument. Decide on TLS using it. (pop3d_init_tls_server): Take a pointer to struct mu_tls_config. * pop3d/pop3d.c: Rename the tls configuration statement to tls-mode. Add new subsection .server.tls; Remove the legacy tls-required configuration statement. (pop3d_mainloop) Take a pointer to struct mu_tls_config as the 3rd argument. Decide on TLS using it. (main): Call mu_tls_cfg_init. Install server preflight check. * pop3d/pop3d.h (pop3d_session): New member tls_conf. (pop3d_srv_config): New definition. (global_tls_conf): New extern. * pop3d/stls.c: Rewrite TLS support. 
* NEWS: Document new features. * configure.ac: Version 3.2.90. * doc/texinfo/programs.texi: Update.
Diffstat (limited to 'pop3d')
-rw-r--r--pop3d/capa.c17
-rw-r--r--pop3d/cmd.c173
-rw-r--r--pop3d/extra.c24
-rw-r--r--pop3d/pop3d.c96
-rw-r--r--pop3d/pop3d.h80
-rw-r--r--pop3d/stls.c14
6 files changed, 209 insertions, 195 deletions
diff --git a/pop3d/capa.c b/pop3d/capa.c
index bdba7d4ed..0011750d6 100644
--- a/pop3d/capa.c
+++ b/pop3d/capa.c
@@ -104,17 +104,20 @@ capa_implementation (const char *name, struct pop3d_session *session)
pop3d_outf ("%s %s\n", name, PACKAGE_STRING);
}
-#ifdef WITH_TLS
static void
capa_stls (const char *name, struct pop3d_session *session)
{
- if ((session->tls == tls_ondemand || session->tls == tls_required)
- && tls_available && tls_done == 0)
- pop3d_outf ("%s\n", name);
+ switch (session->tls_mode)
+ {
+ case tls_ondemand:
+ case tls_required:
+ pop3d_outf ("%s\n", name);
+ break;
+
+ default:
+ break;
+ }
}
-#else
-# define capa_stls NULL
-#endif /* WITH_TLS */
static void
capa_user (const char *name, struct pop3d_session *session)
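Review bot: capa_stls now decides purely from session->tls_mode, and the reason that stays correct after a negotiation — pop3d_stls in pop3d/stls.c resets the mode to tls_no once TLS is up — lives in another file, so the coupling deserves a comment above the switch such as `/* tls_mode is reset to tls_no by pop3d_stls once TLS is active, so STLS is only advertised while it can still be issued. */`. The `default: break;` arm silently covers tls_connection and tls_no; naming those two cases explicitly would make it readable that implicit-TLS sessions never advertise STLS rather than leaving it to the reader to enumerate the enum.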
diff --git a/pop3d/cmd.c b/pop3d/cmd.c
index 16ceeb8ed..5983e0bb7 100644
--- a/pop3d/cmd.c
+++ b/pop3d/cmd.c
@@ -16,13 +16,12 @@
#include "pop3d.h"
+struct mu_tls_config global_tls_conf;
+
static struct pop3d_command command_table[] = {
-#ifdef WITH_TLS
{ "STLS", pop3d_stls },
-# define COMMAND_TABLE_HEAD 1
-#else
-# define COMMAND_TABLE_HEAD 0
-#endif
+#define COMMAND_TABLE_STLS 0
+#define COMMAND_TABLE_PLAIN 1
{ "RETR", pop3d_retr },
{ "DELE", pop3d_dele },
{ "USER", pop3d_user },
@@ -39,8 +38,7 @@ static struct pop3d_command command_table[] = {
{ NULL }
};
-static struct pop3d_command *command_table_head =
- command_table + COMMAND_TABLE_HEAD;
+static struct pop3d_command *command_table_head;
pop3d_command_handler_t
pop3d_find_command (const char *name)
@@ -54,57 +52,130 @@ pop3d_find_command (const char *name)
return p->handler;
}
-#ifdef WITH_TLS
-void
-enable_stls ()
+int
+stls_preflight (mu_m_server_t msrv)
{
- command_table_head = command_table;
-}
-#endif
+ mu_list_t srvlist;
+ mu_iterator_t itr;
+ int errors = 0;
+ int tls_ok = mu_init_tls_libs ();
+ int tls_requested = 0;
+ int global_conf_status = 0;
-struct error_table
-{
- int code;
- const char *text;
-};
+ if (global_tls_conf.cert_file)
+ global_conf_status = mu_tls_config_check (&global_tls_conf, 1);
+ else
+ global_conf_status = MU_TLS_CONFIG_NULL;
+
+ mu_m_server_get_srvlist (msrv, &srvlist);
+ mu_list_get_iterator (srvlist, &itr);
+ for (mu_iterator_first (itr); !mu_iterator_is_done (itr); mu_iterator_next (itr))
+ {
+ mu_ip_server_t ipsrv;
+ struct pop3d_srv_config *cfg;
+ mu_iterator_current (itr, (void**) &ipsrv);
+ cfg = mu_ip_server_get_data (ipsrv);
+ switch (cfg->tls_mode)
+ {
+ case tls_unspecified:
+ if (cfg->tls_conf.cert_file)
+ {
+ cfg->tls_mode = tls_ondemand;
+ break;
+ }
+ else
+ cfg->tls_mode = tls_no;
+ /* fall through */
+ case tls_no:
+ continue;
+
+ default:
+ break;
+ }
+
+ switch (mu_tls_config_check (&cfg->tls_conf, 1))
+ {
+ case MU_TLS_CONFIG_OK:
+ if (!cfg->tls_conf.cert_file)
+ {
+ mu_error (_("server %s: no certificate set"),
+ mu_ip_server_addrstr (ipsrv));
+ errors = 1;
+ }
+ break;
+
+ case MU_TLS_CONFIG_NULL:
+ if (global_conf_status != MU_TLS_CONFIG_NULL)
+ {
+ cfg->tls_conf = global_tls_conf;
+ }
+ else
+ {
+ mu_error (_("server %s: no certificate set"),
+ mu_ip_server_addrstr (ipsrv));
+ errors = 1;
+ }
+ break;
+
+ default:
+ mu_error (_("server %s: TLS configuration failed"),
+ mu_ip_server_addrstr (ipsrv));
+ errors = 1;
+ }
+
+ tls_requested = 1;
+ }
+ mu_iterator_destroy (&itr);
+
+ if (tls_requested && !tls_ok)
+ {
+ mu_error (_("TLS is not configured, but requested in the "
+ "configuration"));
+ errors = 1;
+ }
+
+ if (errors)
+ return 1;
+
+ if (tls_requested)
+ command_table_head = command_table + COMMAND_TABLE_STLS;
+ else
+ command_table_head = command_table + COMMAND_TABLE_PLAIN;
+
+ return 0;
+}
-static struct error_table error_table[] = {
- { ERR_WRONG_STATE, "Incorrect state" },
- { ERR_BAD_ARGS, "Invalid arguments" },
- { ERR_BAD_LOGIN, "[AUTH] Bad login" },
- { ERR_NO_MESG, "No such message" },
- { ERR_MESG_DELE, "Message has been deleted" },
- { ERR_NOT_IMPL, "Not implemented" },
- { ERR_BAD_CMD, "Invalid command" },
- { ERR_MBOX_LOCK, "[IN-USE] Mailbox in use" },
- { ERR_TOO_LONG, "Argument too long" },
- { ERR_NO_MEM, "Out of memory, quitting" },
- { ERR_SIGNAL, "Quitting on signal" },
- { ERR_FILE, "Some deleted messages not removed" },
- { ERR_NO_IFILE, "No input stream" },
- { ERR_NO_OFILE, "No output stream" },
- { ERR_IO, "I/O error" },
- { ERR_PROTO, "Remote protocol error" },
- { ERR_TIMEOUT, "Session timed out" },
- { ERR_UNKNOWN, "Unknown error" },
- { ERR_MBOX_SYNC, "Mailbox was updated by other process" },
-#ifdef WITH_TLS
- { ERR_TLS_ACTIVE, "Command not permitted when TLS active" },
-#endif /* WITH_TLS */
- { ERR_TLS_IO, "TLS I/O error" },
- { ERR_LOGIN_DELAY,
- "[LOGIN-DELAY] Attempt to log in within the minimum login delay interval" },
- { ERR_TERMINATE, "Terminating on request" },
- { ERR_SYS_LOGIN, "[SYS/PERM] Cannot authenticate" },
- { 0 }
+static char *error_table[] = {
+ [ERR_WRONG_STATE] = "Incorrect state",
+ [ERR_BAD_ARGS] = "Invalid arguments",
+ [ERR_BAD_LOGIN] = "[AUTH] Bad login",
+ [ERR_NO_MESG] = "No such message",
+ [ERR_MESG_DELE] = "Message has been deleted",
+ [ERR_NOT_IMPL] = "Not implemented",
+ [ERR_BAD_CMD] = "Invalid command",
+ [ERR_MBOX_LOCK] = "[IN-USE] Mailbox in use",
+ [ERR_TOO_LONG] = "Argument too long",
+ [ERR_NO_MEM] = "Out of memory] =quitting",
+ [ERR_SIGNAL] = "Quitting on signal",
+ [ERR_FILE] = "Some deleted messages not removed",
+ [ERR_NO_IFILE] = "No input stream",
+ [ERR_NO_OFILE] = "No output stream",
+ [ERR_IO] = "I/O error",
+ [ERR_PROTO] = "Remote protocol error",
+ [ERR_TIMEOUT] = "Session timed out",
+ [ERR_UNKNOWN] = "Unknown error",
+ [ERR_MBOX_SYNC] = "Mailbox was updated by other process",
+ [ERR_TLS_IO] = "TLS I/O error",
+ [ERR_LOGIN_DELAY] =
+ "[LOGIN-DELAY] Attempt to log in within the minimum login delay interval",
+ [ERR_TERMINATE] = "Terminating on request",
+ [ERR_SYS_LOGIN] = "[SYS/PERM] Cannot authenticate",
};
const char *
pop3d_error_string (int code)
{
- struct error_table *ep;
- for (ep = error_table; ep->code != 0; ep++)
- if (ep->code == code)
- return ep->text;
+ if (code >= 0 && code < MU_ARRAY_SIZE (error_table) && error_table[code])
+ return error_table[code];
return "unknown error";
}
diff --git a/pop3d/extra.c b/pop3d/extra.c
index a6fdfcd33..3dc08efea 100644
--- a/pop3d/extra.c
+++ b/pop3d/extra.c
@@ -158,7 +158,7 @@ log_cipher (mu_stream_t stream)
}
void
-pop3d_setio (int ifd, int ofd, int tls)
+pop3d_setio (int ifd, int ofd, struct mu_tls_config *tls_conf)
{
mu_stream_t str, istream, ostream;
@@ -175,10 +175,12 @@ pop3d_setio (int ifd, int ofd, int tls)
pop3d_abquit (ERR_NO_OFILE);
/* Combine the two streams into an I/O one. */
-#ifdef WITH_TLS
- if (tls)
+ if (tls_conf)
{
- int rc = mu_tls_server_stream_create (&str, istream, ostream, 0);
+ int rc = mu_tls_stream_create (&str, istream, ostream,
+ tls_conf,
+ MU_TLS_SERVER,
+ 0);
if (rc)
{
mu_stream_unref (istream);
@@ -186,12 +188,9 @@ pop3d_setio (int ifd, int ofd, int tls)
mu_error (_("failed to create TLS stream: %s"), mu_strerror (rc));
pop3d_abquit (ERR_FILE);
}
- tls_done = 1;
log_cipher (str);
}
- else
-#endif
- if (mu_iostream_create (&str, istream, ostream))
+ else if (mu_iostream_create (&str, istream, ostream))
pop3d_abquit (ERR_FILE);
/* Convert all writes to CRLF form.
@@ -228,9 +227,8 @@ pop3d_setio (int ifd, int ofd, int tls)
}
}
-#ifdef WITH_TLS
int
-pop3d_init_tls_server ()
+pop3d_init_tls_server (struct mu_tls_config *tls_conf)
{
mu_stream_t tlsstream, stream[2];
int rc;
@@ -243,7 +241,10 @@ pop3d_init_tls_server ()
return 1;
}
- rc = mu_tls_server_stream_create (&tlsstream, stream[0], stream[1], 0);
+ rc = mu_tls_stream_create (&tlsstream, stream[0], stream[1],
+ tls_conf,
+ MU_TLS_SERVER,
+ 0);
mu_stream_unref (stream[0]);
mu_stream_unref (stream[1]);
if (rc)
@@ -263,7 +264,6 @@ pop3d_init_tls_server ()
}
return 0;
}
-#endif
void
pop3d_bye ()
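Review bot: pop3d_setio's new `tls_conf` parameter has no contract comment, and the meaning of NULL is only implied by the `if (tls_conf)` branch; a comment above the definition such as `/* tls_conf: NULL for a plain-text session; otherwise TLS is negotiated on the descriptors immediately (tls_connection mode) and the cipher is logged. */` would spell it out. pop3d_init_tls_server likewise forwards `tls_conf` to mu_tls_stream_create without a NULL check, and whether that helper tolerates NULL is not visible here, so either document that callers must pass a configuration already validated by stls_preflight or reject NULL up front with `if (!tls_conf) return 1;`. Both functions extend beyond the hunks shown.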
diff --git a/pop3d/pop3d.c b/pop3d/pop3d.c
index 78eb51eaf..133024520 100644
--- a/pop3d/pop3d.c
+++ b/pop3d/pop3d.c
@@ -37,15 +37,6 @@ int apop_database_safety = MU_FILE_SAFETY_ALL;
uid_t apop_database_owner;
int apop_database_owner_set;
-enum tls_mode tls_mode;
-
-#ifdef WITH_TLS
-int tls_available;
-int tls_done;
-#else
-# define tls_available 0
-#endif /* WITH_TLS */
-
int initial_state = AUTHORIZATION;
/* Should all the messages be undeleted on startup */
@@ -169,13 +160,6 @@ cb_bulletin_db (void *data, mu_config_value_t *val)
}
#endif
-struct pop3d_srv_config
-{
- struct mu_srv_config m_cfg;
- enum tls_mode tls_mode;
-};
-
-#ifdef WITH_TLS
static int
cb_tls (void *data, mu_config_value_t *val)
{
@@ -205,39 +189,14 @@ cb_tls (void *data, mu_config_value_t *val)
return 0;
}
-static int
-cb_tls_required (void *data, mu_config_value_t *val)
-{
- int bv;
-
- if (mu_cfg_assert_value_type (val, MU_CFG_STRING))
- return 1;
- if (mu_str_to_c (val->v.string, mu_c_bool, &bv, NULL))
- mu_error (_("Not a boolean value"));
- else if (bv)
- {
- tls_mode = tls_required;
- mu_diag_output (MU_DIAG_WARNING,
- "the \"tls-required\" statement is deprecated, "
- "use \"tls required\" instead");
- }
- else
- mu_diag_output (MU_DIAG_WARNING,
- "the \"tls-required\" statement is deprecated, "
- "use \"tls\" instead");
-
- return 0;
-}
-#endif
-
static struct mu_cfg_param pop3d_srv_param[] = {
-#ifdef WITH_TLS
- { "tls", mu_cfg_callback,
+ { "tls-mode", mu_cfg_callback,
NULL, mu_offsetof (struct pop3d_srv_config, tls_mode), cb_tls,
N_("Kind of TLS encryption to use for this server"),
/* TRANSLATORS: words to the right of : are keywords - do not translate */
N_("arg: false|true|ondemand|stls|requred|connection") },
-#endif
+ { "tls", mu_cfg_section,
+ NULL, mu_offsetof (struct pop3d_srv_config, tls_conf) },
{ NULL }
};
@@ -272,16 +231,8 @@ static struct mu_cfg_param pop3d_cfg_param[] = {
" awrdir forbid files in world writable directories\n"),
N_("arg: list") },
-#ifdef WITH_TLS
- { "tls", mu_cfg_callback, &tls_mode, 0, cb_tls,
- N_("Kind of TLS encryption to use"),
- /* TRANSLATORS: words to the right of : are keywords - do not translate */
- N_("arg: false|true|ondemand|stls|requred|connection") },
- { "tls-required", mu_cfg_callback, &tls_mode, 0, cb_tls_required,
- N_("Always require STLS before entering authentication phase.\n"
- "Deprecated, use \"tls required\" instead."),
- N_("arg: bool") },
-#endif
+ { "tls", mu_cfg_section, &global_tls_conf },
+
#ifdef ENABLE_LOGIN_DELAY
{ "login-delay", mu_c_time, &login_delay, 0, NULL,
N_("Set the minimal allowed delay between two successive logins.") },
@@ -355,7 +306,7 @@ pop3d_get_client_address (int fd, struct sockaddr_in *pcs)
ofd -- output descriptor
tls -- initiate encrypted connection */
int
-pop3d_mainloop (int ifd, int ofd, enum tls_mode tls)
+pop3d_mainloop (int ifd, int ofd, struct pop3d_srv_config *cfg)
{
int status = OK;
char buffer[512];
@@ -365,24 +316,18 @@ pop3d_mainloop (int ifd, int ofd, enum tls_mode tls)
mu_set_signals (pop3d_child_signal, sigtab, MU_ARRAY_SIZE (sigtab));
- if (tls == tls_unspecified)
- tls = tls_available ? tls_ondemand : tls_no;
- else if (tls != tls_no && !tls_available)
- {
- mu_error (_("TLS is not configured, but requested in the "
- "configuration"));
- tls = tls_no;
- }
-
- pop3d_setio (ifd, ofd, tls == tls_connection);
+ pop3d_setio (ifd, ofd,
+ cfg->tls_mode == tls_connection ? &cfg->tls_conf : NULL);
- if (tls == tls_required)
+ if (cfg->tls_mode == tls_required)
initial_state = INITIAL;
- state = tls == tls_connection ? AUTHORIZATION : initial_state;
+ state = cfg->tls_mode == tls_connection ? AUTHORIZATION : initial_state;
pop3d_session_init (&session);
- session.tls = tls;
+ session.tls_mode = cfg->tls_mode;
+ session.tls_conf = &cfg->tls_conf;
+
/* FIXME: state should also be in the session? */
/* Prepare the shared secret for APOP. */
@@ -528,8 +473,7 @@ pop3d_connection (int fd, struct sockaddr *sa, int salen,
else
rc = 1;
- pop3d_mainloop (fd, fd,
- cfg->tls_mode == tls_unspecified ? tls_mode : cfg->tls_mode);
+ pop3d_mainloop (fd, fd, cfg);
if (rc == 0)
clr_strerr_flt ();
@@ -569,6 +513,7 @@ main (int argc, char **argv)
mu_tcpwrapper_cfg_init ();
manlock_cfg_init ();
mu_acl_cfg_init ();
+ mu_tls_cfg_init ();
mu_m_server_create (&server, program_version);
mu_m_server_set_config_size (server, sizeof (struct pop3d_srv_config));
@@ -645,11 +590,7 @@ main (int argc, char **argv)
umask (S_IROTH | S_IWOTH | S_IXOTH); /* 007 */
/* Check TLS environment, i.e. cert and key files */
-#ifdef WITH_TLS
- tls_available = mu_check_tls_environment ();
- if (tls_available)
- enable_stls ();
-#endif /* WITH_TLS */
+ mu_m_server_set_preflight (server, stls_preflight);
/* Actually run the daemon. */
if (mu_m_server_mode (server) == MODE_DAEMON)
@@ -661,9 +602,12 @@ main (int argc, char **argv)
}
else
{
+ struct pop3d_srv_config cfg;
+ memset (&cfg, 0, sizeof cfg);
+ cfg.tls_mode = tls_no;
/* Make sure we are in the root directory. */
chdir ("/");
- status = pop3d_mainloop (MU_STDIN_FD, MU_STDOUT_FD, tls_mode);
+ status = pop3d_mainloop (MU_STDIN_FD, MU_STDOUT_FD, &cfg);
}
if (status)
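Review bot: The parameter comment above pop3d_mainloop still documents `tls -- initiate encrypted connection` although the third argument is now `cfg`; it should read `cfg -- per-server configuration: cfg->tls_mode selects implicit TLS (tls_connection), STLS required before authentication (tls_required), optional STLS (tls_ondemand) or none, and cfg->tls_conf supplies the certificate`. The non-daemon branch of main builds a zeroed `cfg` with `tls_mode = tls_no`, so when pop3d runs from inetd the global `tls` section is ignored and STLS is never offered, whereas the removed code passed the global `tls_mode` there; if that is intended it deserves a comment, otherwise the branch should copy global_tls_conf into `cfg.tls_conf` and pick tls_ondemand when a certificate is set, mirroring the tls_unspecified handling in stls_preflight, and note that the preflight itself is not run on this path. The comment `/* Check TLS environment, i.e. cert and key files */` now sits above a registration call; `/* Certificate and key checks run in stls_preflight before the servers are opened */` matches the new code. pop3d_mainloop's body continues outside the hunks shown.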
diff --git a/pop3d/pop3d.h b/pop3d/pop3d.h
index 962dc1eb9..0168da6e1 100644
--- a/pop3d/pop3d.h
+++ b/pop3d/pop3d.h
@@ -145,31 +145,32 @@ extern int expire_on_exit;
#define UPDATE 2
#define ABORT 3
-#define OK 0
-#define ERR_WRONG_STATE 1
-#define ERR_BAD_ARGS 2
-#define ERR_BAD_LOGIN 3
-#define ERR_NO_MESG 4
-#define ERR_MESG_DELE 5
-#define ERR_NOT_IMPL 6
-#define ERR_BAD_CMD 7
-#define ERR_MBOX_LOCK 8
-#define ERR_TOO_LONG 9
-#define ERR_NO_MEM 10
-#define ERR_SIGNAL 11
-#define ERR_FILE 12
-#define ERR_NO_IFILE 13
-#define ERR_NO_OFILE 14
-#define ERR_IO 15
-#define ERR_PROTO 16
-#define ERR_TIMEOUT 17
-#define ERR_UNKNOWN 18
-#define ERR_MBOX_SYNC 19
-#define ERR_TLS_ACTIVE 20
-#define ERR_TLS_IO 21
-#define ERR_LOGIN_DELAY 22
-#define ERR_TERMINATE 23
-#define ERR_SYS_LOGIN 24
+enum pop3d_error {
+ OK = 0,
+ ERR_WRONG_STATE,
+ ERR_BAD_ARGS,
+ ERR_BAD_LOGIN,
+ ERR_NO_MESG,
+ ERR_MESG_DELE,
+ ERR_NOT_IMPL,
+ ERR_BAD_CMD,
+ ERR_MBOX_LOCK,
+ ERR_TOO_LONG,
+ ERR_NO_MEM,
+ ERR_SIGNAL,
+ ERR_FILE,
+ ERR_NO_IFILE,
+ ERR_NO_OFILE,
+ ERR_IO,
+ ERR_PROTO,
+ ERR_TIMEOUT,
+ ERR_UNKNOWN,
+ ERR_MBOX_SYNC,
+ ERR_TLS_IO,
+ ERR_LOGIN_DELAY,
+ ERR_TERMINATE,
+ ERR_SYS_LOGIN
+};
enum tls_mode
{
@@ -200,7 +201,15 @@ struct pop3d_capa
struct pop3d_session
{
mu_list_t capa;
- enum tls_mode tls;
+ enum tls_mode tls_mode;
+ struct mu_tls_config *tls_conf;
+};
+
+struct pop3d_srv_config
+{
+ struct mu_srv_config m_cfg;
+ enum tls_mode tls_mode;
+ struct mu_tls_config tls_conf;
};
void pop3d_session_init (struct pop3d_session *session);
@@ -227,10 +236,7 @@ extern char *md5shared;
extern size_t children;
extern struct daemon_param daemon_param;
extern int debug_mode;
-#ifdef WITH_TLS
-extern int tls_available;
-extern int tls_done;
-#endif /* WITH_TLS */
+
extern int undelete_on_startup;
extern struct mu_auth_data *auth_data;
extern unsigned int idle_timeout;
@@ -242,6 +248,8 @@ extern int apop_database_safety;
extern uid_t apop_database_owner;
extern int apop_database_owner_set;
+extern struct mu_tls_config global_tls_conf;
+
/* Safety checks for group-rw database files, such as stat and bulletin
databases */
@@ -282,13 +290,12 @@ extern void pop3d_parse_command (char *cmd, char **pcmd, char **parg);
extern RETSIGTYPE pop3d_master_signal (int);
extern RETSIGTYPE pop3d_child_signal (int);
-#ifdef WITH_TLS
extern int pop3d_stls (char *, struct pop3d_session *);
-extern void enable_stls (void);
-#endif /* WITH_TLS */
+int stls_preflight (mu_m_server_t msrv);
+
extern void pop3d_outf (const char *fmt, ...) MU_PRINTFLIKE(1,2);
-extern void pop3d_setio (int, int, int);
+extern void pop3d_setio (int, int, struct mu_tls_config *);
extern char *pop3d_readline (char *, size_t);
extern void pop3d_flush_output (void);
@@ -299,10 +306,7 @@ extern int pop3d_is_deleted (mu_attribute_t attr);
extern void pop3d_unset_deleted (mu_attribute_t attr);
void pop3d_undelete_all (void);
-#ifdef WITH_TLS
-extern int pop3d_init_tls_server (void);
-extern void pop3d_deinit_tls_server (void);
-#endif /* WITH_TLS */
+extern int pop3d_init_tls_server (struct mu_tls_config *tls_conf);
extern void pop3d_mark_retr (mu_attribute_t attr);
extern int pop3d_is_retr (mu_attribute_t attr);
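Review bot: The new enum pop3d_error is used in pop3d/cmd.c as the index of error_table[], but nothing here says so; a comment on the enum, `/* Values index error_table[] in cmd.c: add or remove entries in both places. */`, tells a maintainer that dropping a value (as ERR_TLS_ACTIVE is dropped here) must be mirrored there. `int stls_preflight (mu_m_server_t msrv);` is the only prototype in this block without `extern`, so `extern int stls_preflight (mu_m_server_t msrv);` keeps the style of its neighbours. `struct pop3d_session::tls_conf` is a pointer into the `tls_conf` embedded in pop3d_srv_config (pop3d_mainloop assigns `&cfg->tls_conf`), which a comment `/* points into the owning pop3d_srv_config; not owned by the session */` should record. The declaration of pop3d_deinit_tls_server is removed while no matching definition change is visible in pop3d/extra.c; if the definition still exists it is now undeclared, which is worth confirming.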
diff --git a/pop3d/stls.c b/pop3d/stls.c
index 9729b6b57..b83dcb6bb 100644
--- a/pop3d/stls.c
+++ b/pop3d/stls.c
@@ -19,8 +19,6 @@
/* STLS command -- TLS/SSL encryption */
-#ifdef WITH_TLS
-
int
pop3d_stls (char *arg, struct pop3d_session *session)
{
@@ -30,7 +28,7 @@ pop3d_stls (char *arg, struct pop3d_session *session)
if (state != initial_state)
return ERR_WRONG_STATE;
- switch (session->tls)
+ switch (session->tls_mode)
{
case tls_ondemand:
case tls_required:
@@ -39,26 +37,20 @@ pop3d_stls (char *arg, struct pop3d_session *session)
return ERR_WRONG_STATE;
}
- if (tls_done)
- return ERR_TLS_ACTIVE;
-
pop3d_outf ("+OK Begin TLS negotiation\n");
pop3d_flush_output ();
- tls_done = pop3d_init_tls_server () == 0;
-
- if (!tls_done)
+ if (pop3d_init_tls_server (session->tls_conf))
{
mu_diag_output (MU_DIAG_ERROR, _("Session terminated"));
state = ABORT;
return ERR_UNKNOWN;
}
+ session->tls_mode = tls_no;
state = AUTHORIZATION; /* Confirm we're in this state. Necessary for
"tls required" to work */
return OK;
}
-#endif /* WITH_TLS */
-
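Review bot: `session->tls_mode = tls_no;` after a successful negotiation reuses the configuration enum as an "already encrypted" marker — it is what replaces the removed ERR_TLS_ACTIVE check and what makes capa_stls stop advertising STLS — but the line reads like TLS being disabled; a comment such as `/* TLS is up: reset the mode so STLS is neither re-advertised (capa_stls) nor accepted again */` would preserve the intent. A repeated STLS now presumably answers ERR_WRONG_STATE through the switch default instead of the old "Command not permitted when TLS active" text, a visible protocol-message change worth a line in the commit description if intended. The switch on tls_mode continues outside the hunks shown.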