--- a/configure.in	Sat Jun 17 19:24:55 2006 +0300
+++ b/configure.in	Sat Jun 17 19:26:54 2006 +0300
@@ -234,6 +234,13 @@
 )
 AC_SUBST(rundir)
 
+AC_ARG_WITH(statedir,
+[  --with-statedir=DIR     Permanent data directory (LOCALSTATEDIR/lib/dovecot)],
+	statedir="$withval",
+	statedir=$localstatedir/lib/$PACKAGE_NAME
+)
+AC_SUBST(statedir)
+
 AC_ARG_WITH(gc,
 [  --with-gc               Use Boehm garbage collector (currently broken)],
 	if test x$withval = xyes; then

--- a/src/master/Makefile.am	Sat Jun 17 19:24:55 2006 +0300
+++ b/src/master/Makefile.am	Sat Jun 17 19:26:54 2006 +0300
@@ -8,6 +8,7 @@
 	-I$(top_srcdir)/src/lib-settings \
 	-DSYSCONFDIR=\""$(sysconfdir)"\" \
 	-DPKG_RUNDIR=\""$(rundir)"\" \
+	-DPKG_STATEDIR=\""$(statedir)"\" \
 	-DPKG_LIBEXECDIR=\""$(pkglibexecdir)"\" \
 	-DMODULEDIR=\""$(moduledir)"\" \
 	-DSSLDIR=\""$(ssldir)\""

--- a/src/master/master-settings.c	Sat Jun 17 19:24:55 2006 +0300
+++ b/src/master/master-settings.c	Sat Jun 17 19:26:54 2006 +0300
@@ -799,6 +799,12 @@
 			i_error("chmod(%s) failed: %m", set->base_dir);
 	}
 
+	/* Make sure our permanent state directory exists */
+	if (mkdir_parents(PKG_STATEDIR, 0777) < 0 && errno != EEXIST) {
+		i_error("mkdir(%s) failed: %m", PKG_STATEDIR);
+		return FALSE;
+	}
+
 	if (!settings_have_connect_sockets(set)) {
 		/* we are not using external authentication, so make sure the
 		   login directory exists with correct permissions and it's

--- a/src/master/ssl-init.c	Sat Jun 17 19:24:55 2006 +0300
+++ b/src/master/ssl-init.c	Sat Jun 17 19:26:54 2006 +0300
@@ -1,8 +1,9 @@
-/* Copyright (C) 2002 Timo Sirainen */
+/* Copyright (C) 2002-2006 Timo Sirainen */
 
 #include "common.h"
 #include "ioloop.h"
 #include "env-util.h"
+#include "file-copy.h"
 #include "log.h"
 #include "ssl-init.h"
 
@@ -15,7 +16,9 @@
 #include <sys/stat.h>
 
 static struct timeout *to;
-static bool generating;
+static char *generating_path = NULL;
+
+#define SSL_PARAMETERS_PERM_PATH PKG_STATEDIR"/"SSL_PARAMETERS_FILENAME
 
 static void start_generate_process(const char *fname)
 {
@@ -40,7 +43,8 @@
 	log_set_prefix(log, "ssl-build-param: ");
 	if (pid != 0) {
 		/* parent */
-		generating = TRUE;
+		i_assert(generating_path == NULL);
+		generating_path = i_strdup(fname);
 		PID_ADD_PROCESS_TYPE(pid, PROCESS_TYPE_SSL_PARAM);
 		return;
 	}
@@ -50,13 +54,18 @@
 		i_fatal("dup2(stderr) failed: %m");
 
 	child_process_init_env();
-	client_process_exec(t_strconcat(binpath, " ", fname, NULL), "");
+	client_process_exec(t_strconcat(binpath, " "SSL_PARAMETERS_PERM_PATH,
+					NULL), "");
 	i_fatal_status(FATAL_EXEC, "execv(%s) failed: %m", binpath);
 }
 
 void ssl_parameter_process_destroyed(pid_t pid __attr_unused__)
 {
-	generating = FALSE;
+	if (file_copy(SSL_PARAMETERS_PERM_PATH, generating_path, TRUE) <= 0) {
+		i_error("file_copy(%s, %s) failed: %m",
+			SSL_PARAMETERS_PERM_PATH, generating_path);
+	}
+	i_free_and_null(generating_path);
 }
 
 static bool check_parameters_file_set(struct settings *set)
@@ -76,7 +85,15 @@
 			return TRUE;
 		}
 
-		st.st_mtime = 0;
+		/* try to copy the permanent parameters file here if possible */
+		if (file_copy(SSL_PARAMETERS_PERM_PATH, path, TRUE) > 0) {
+			if (stat(path, &st) < 0) {
+				i_error("stat(%s) failed: %m", path);
+				st.st_mtime = 0;
+			}
+		} else {
+			st.st_mtime = 0;
+		}
 	} else if (st.st_size == 0) {
 		/* broken, delete it (mostly for backwards compatibility) */
 		st.st_mtime = 0;
@@ -105,7 +122,7 @@
 {
 	struct server_settings *server;
 
-	if (generating)
+	if (generating_path != NULL)
 		return;
 
 	for (server = settings_root; server != NULL; server = server->next) {
@@ -122,7 +139,7 @@
 
 void ssl_init(void)
 {
-	generating = FALSE;
+	generating_path = NULL;
 
 	/* check every 10 mins */
 	to = timeout_add(600 * 1000, check_parameters_file_timeout, NULL);