horok/postfix
1
0
Fork 0
Code Activity
postfix/html/tlsmgr.8.html
Daniel Baumann 75cf244379
Adding upstream version 3.10.2. 
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
2025-06-21 14:19:32 +02:00

195 lines
11 KiB
HTML
Raw Permalink Blame History

<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
"https://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel='stylesheet' type='text/css' href='postfix-doc.css'>
<title> Postfix manual - tlsmgr(8) </title>
</head> <body> <pre>
TLSMGR(8) TLSMGR(8)
<b><a name="name">NAME</a></b>
tlsmgr - Postfix TLS session cache and PRNG manager
<b><a name="synopsis">SYNOPSIS</a></b>
<b>tlsmgr</b> [generic Postfix daemon options]
<b><a name="description">DESCRIPTION</a></b>
The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> manages the Postfix TLS session caches. It stores and
retrieves cache entries on request by <a href="smtpd.8.html"><b>smtpd</b>(8)</a> and <a href="smtp.8.html"><b>smtp</b>(8)</a> processes,
and periodically removes entries that have expired.
The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> also manages the PRNG (pseudo random number generator)
pool. It answers queries by the <a href="smtpd.8.html"><b>smtpd</b>(8)</a> and <a href="smtp.8.html"><b>smtp</b>(8)</a> processes to seed
their internal PRNG pools.
The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>'s PRNG pool is initially seeded from an external source
(EGD, /dev/urandom, or regular file). It is updated at configurable
pseudo-random intervals with data from the external source. It is
updated periodically with data from TLS session cache entries and with
the time of day, and is updated with the time of day whenever a process
requests <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service.
The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> saves the PRNG state to an exchange file periodically and
when the process terminates, and reads the exchange file when initial-
izing its PRNG.
<b><a name="security">SECURITY</a></b>
The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> is not security-sensitive. The code that maintains the
external and internal PRNG pools does not "trust" the data that it
manipulates, and the code that maintains the TLS session cache does not
touch the contents of the cached entries, except for seeding its inter-
nal PRNG pool.
The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> can be run chrooted and with reduced privileges. At
process startup it connects to the entropy source and exchange file,
and creates or truncates the optional TLS session cache files.
With Postfix version 2.5 and later, the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> no longer uses root
privileges when opening cache files. These files should now be stored
under the Postfix-owned <b><a href="postconf.5.html#data_directory">data_directory</a></b>. As a migration aid, an attempt
to open a cache file under a non-Postfix directory is redirected to the
Postfix-owned <b><a href="postconf.5.html#data_directory">data_directory</a></b>, and a warning is logged.
<b><a name="diagnostics">DIAGNOSTICS</a></b>
Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
<b><a name="bugs">BUGS</a></b>
There is no automatic means to limit the number of entries in the TLS
session caches and/or the size of the TLS cache files.
<b><a name="configuration_parameters">CONFIGURATION PARAMETERS</a></b>
Changes to <a href="postconf.5.html"><b>main.cf</b></a> are not picked up automatically, because <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
is a persistent processes. Use the command "<b>postfix reload</b>" after a
configuration change.
The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for
more details including examples.
<b><a name="tls_session_cache">TLS SESSION CACHE</a></b>
<b><a href="postconf.5.html#lmtp_tls_loglevel">lmtp_tls_loglevel</a> (0)</b>
The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> configuration
parameter.
<b><a href="postconf.5.html#lmtp_tls_session_cache_database">lmtp_tls_session_cache_database</a> (empty)</b>
The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a>
configuration parameter.
<b><a href="postconf.5.html#lmtp_tls_session_cache_timeout">lmtp_tls_session_cache_timeout</a> (3600s)</b>
The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a>
configuration parameter.
<b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
Enable additional Postfix SMTP client logging of TLS activity.
<b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
Name of the file containing the optional Postfix SMTP client TLS
session cache.
<b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
The expiration time of Postfix SMTP client TLS session cache
information.
<b><a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> (0)</b>
Enable additional Postfix SMTP server logging of TLS activity.
<b><a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> (empty)</b>
Name of the file containing the optional Postfix SMTP server TLS
session cache.
<b><a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a> (3600s)</b>
The expiration time of Postfix SMTP server TLS session cache
information.
<b><a name="pseudo_random_number_generator">PSEUDO RANDOM NUMBER GENERATOR</a></b>
<b><a href="postconf.5.html#tls_random_source">tls_random_source</a> (see 'postconf -d' output)</b>
The external entropy source for the in-memory <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> pseudo
random number generator (PRNG) pool.
<b><a href="postconf.5.html#tls_random_bytes">tls_random_bytes</a> (32)</b>
The number of bytes that <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> reads from $<a href="postconf.5.html#tls_random_source">tls_random_source</a>
when (re)seeding the in-memory pseudo random number generator
(PRNG) pool.
<b><a href="postconf.5.html#tls_random_exchange_name">tls_random_exchange_name</a> (see 'postconf -d' output)</b>
Name of the pseudo random number generator (PRNG) state file
that is maintained by <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>.
<b><a href="postconf.5.html#tls_random_prng_update_period">tls_random_prng_update_period</a> (3600s)</b>
The time between attempts by <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> to save the state of the
pseudo random number generator (PRNG) to the file specified with
$<a href="postconf.5.html#tls_random_exchange_name">tls_random_exchange_name</a>.
<b><a href="postconf.5.html#tls_random_reseed_period">tls_random_reseed_period</a> (3600s)</b>
The maximal time between attempts by <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> to re-seed the
in-memory pseudo random number generator (PRNG) pool from exter-
nal sources.
<b><a name="miscellaneous_controls">MISCELLANEOUS CONTROLS</a></b>
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files.
<b><a href="postconf.5.html#data_directory">data_directory</a> (see 'postconf -d' output)</b>
The directory with Postfix-writable data files (for example:
caches, pseudo-random numbers).
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
The process ID of a Postfix command or daemon process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
The process name of a Postfix command or daemon process.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd".
Available in Postfix 3.3 and later:
<b><a href="postconf.5.html#service_name">service_name</a> (read-only)</b>
The <a href="master.5.html">master.cf</a> service name of a Postfix daemon process.
<b><a name="see_also">SEE ALSO</a></b>
<a href="smtp.8.html">smtp(8)</a>, Postfix SMTP client
<a href="smtpd.8.html">smtpd(8)</a>, Postfix SMTP server
<a href="postconf.5.html">postconf(5)</a>, configuration parameters
<a href="master.5.html">master(5)</a>, generic daemon options
<a href="master.8.html">master(8)</a>, process manager
<a href="postlogd.8.html">postlogd(8)</a>, Postfix logging
syslogd(8), system logging
<b><a name="readme_files">README FILES</a></b>
<a href="TLS_README.html">TLS_README</a>, Postfix TLS configuration and operation
<b><a name="license">LICENSE</a></b>
The Secure Mailer license must be distributed with this software.
<b><a name="history">HISTORY</a></b>
This service was introduced with Postfix version 2.2.
<b>AUTHOR(S)</b>
Lutz Jaenicke
BTU Cottbus
Allgemeine Elektrotechnik
Universitaetsplatz 3-4
D-03044 Cottbus, Germany
Adapted by:
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
Wietse Venema
Google, Inc.
111 8th Avenue
New York, NY 10011, USA
TLSMGR(8)
</pre> </body> </html>
View git blame Copy permalink