$OpenBSD: patch-tools_stunnel_conf-sample_in,v 1.16 2017/09/12 16:15:24 gsoares Exp $
Index: tools/stunnel.conf-sample.in
--- tools/stunnel.conf-sample.in.orig
+++ tools/stunnel.conf-sample.in
@@ -7,17 +7,18 @@
 ; * Global options                                                         *
 ; **************************************************************************
 
+chroot = /var/stunnel/
 ; It is recommended to drop root privileges if stunnel is started by root
-;setuid = nobody
-;setgid = @DEFAULT_GROUP@
+setuid = _stunnel
+setgid = _stunnel
 
 ; PID file is created inside the chroot jail (if enabled)
-;pid = @localstatedir@/run/stunnel.pid
+pid = /stunnel.pid
 
 ; Debugging stuff (may be useful for troubleshooting)
 ;foreground = yes
 ;debug = info
-;output = @localstatedir@/log/stunnel.log
+;output = stunnel.log
 
 ; Enable FIPS 140-2 mode if needed for compliance
 ;fips = yes
@@ -46,7 +47,7 @@
 ; * Include all configuration file fragments from the specified folder     *
 ; **************************************************************************
 
-;include = @sysconfdir@/stunnel/conf.d
+;include = ${SYSCONFDIR}/stunnel/conf.d
 
 ; **************************************************************************
 ; * Service definitions (remove all services for inetd mode)               *
@@ -59,32 +60,32 @@
 ; a hardcoded path of the stunnel package, as it is not related to the
 ; stunnel configuration in @sysconfdir@/stunnel/.
 
-[gmail-pop3]
-client = yes
-accept = 127.0.0.1:110
-connect = pop.gmail.com:995
-verifyChain = yes
-CApath = /etc/ssl/certs
-checkHost = pop.gmail.com
-OCSPaia = yes
+;[gmail-pop3]
+;client = yes
+;accept = 127.0.0.1:110
+;connect = pop.gmail.com:995
+;verifyChain = yes
+;CApath = ${SYSCONFDIR}/ssl/certs
+;checkHost = pop.gmail.com
+;OCSPaia = yes
 
-[gmail-imap]
-client = yes
-accept = 127.0.0.1:143
-connect = imap.gmail.com:993
-verifyChain = yes
-CApath = /etc/ssl/certs
-checkHost = imap.gmail.com
-OCSPaia = yes
+;[gmail-imap]
+;client = yes
+;accept = 127.0.0.1:143
+;connect = imap.gmail.com:993
+;verifyChain = yes
+;CApath = ${SYSCONFDIR}/ssl/certs
+;checkHost = imap.gmail.com
+;OCSPaia = yes
 
-[gmail-smtp]
-client = yes
-accept = 127.0.0.1:25
-connect = smtp.gmail.com:465
-verifyChain = yes
-CApath = /etc/ssl/certs
-checkHost = smtp.gmail.com
-OCSPaia = yes
+;[gmail-smtp]
+;client = yes
+;accept = 127.0.0.1:25
+;connect = smtp.gmail.com:465
+;verifyChain = yes
+;CApath = ${SYSCONFDIR}/ssl/certs
+;checkHost = smtp.gmail.com
+;OCSPaia = yes
 
 ; Encrypted HTTP proxy authenticated with a client certificate
 ; located in a cryptographic token
@@ -98,43 +99,43 @@ OCSPaia = yes
 
 ; ***************************************** Example TLS server mode services
 
-;[pop3s]
-;accept  = 995
-;connect = 110
-;cert = @sysconfdir@/stunnel/stunnel.pem
+[pop3s]
+accept  = 995
+connect = 110
+cert = ${SYSCONFDIR}/stunnel/stunnel.pem
 
-;[imaps]
-;accept  = 993
-;connect = 143
-;cert = @sysconfdir@/stunnel/stunnel.pem
+[imaps]
+accept  = 993
+connect = 143
+cert = ${SYSCONFDIR}/stunnel/stunnel.pem
 
-;[ssmtp]
-;accept  = 465
-;connect = 25
-;cert = @sysconfdir@/stunnel/stunnel.pem
+[ssmtp]
+accept  = 465
+connect = 25
+cert = ${SYSCONFDIR}/stunnel/stunnel.pem
 
 ; TLS front-end to a web server
 ;[https]
 ;accept  = 443
 ;connect = 80
-;cert = @sysconfdir@/stunnel/stunnel.pem
+;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
 ; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
 ; Microsoft implementations do not use TLS close-notify alert and thus they
 ; are vulnerable to truncation attacks
 ;TIMEOUTclose = 0
 
 ; Remote shell protected with PSK-authenticated TLS
-; Create "@sysconfdir@/stunnel/secrets.txt" containing IDENTITY:KEY pairs
+; Create "${SYSCONFDIR}/stunnel/secrets.txt" containing IDENTITY:KEY pairs
 ;[shell]
 ;accept = 1337
 ;exec = /bin/sh
 ;execArgs = sh -i
 ;ciphers = PSK
-;PSKsecrets = @sysconfdir@/stunnel/secrets.txt
+;PSKsecrets = ${SYSCONFDIR}/stunnel/secrets.txt
 
 ; Non-standard MySQL-over-TLS encapsulation connecting the Unix socket
 ;[mysql]
-;cert = @sysconfdir@/stunnel/stunnel.pem
+;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
 ;accept = 3307
 ;connect = /run/mysqld/mysqld.sock
 
