diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 01:46:30 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 01:46:30 +0000 |
commit | b5896ba9f6047e7031e2bdee0622d543e11a6734 (patch) | |
tree | fd7b460593a2fee1be579bec5697e6d887ea3421 /html/tlsmgr.8.html | |
parent | Initial commit. (diff) | |
download | postfix-upstream.tar.xz postfix-upstream.zip |
Adding upstream version 3.4.23.upstream/3.4.23upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'html/tlsmgr.8.html')
-rw-r--r-- | html/tlsmgr.8.html | 194 |
1 files changed, 194 insertions, 0 deletions
diff --git a/html/tlsmgr.8.html b/html/tlsmgr.8.html new file mode 100644 index 0000000..7f3ac18 --- /dev/null +++ b/html/tlsmgr.8.html @@ -0,0 +1,194 @@ +<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" + "http://www.w3.org/TR/html4/loose.dtd"> +<html> <head> +<meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> +<title> Postfix manual - tlsmgr(8) </title> +</head> <body> <pre> +TLSMGR(8) TLSMGR(8) + +<b>NAME</b> + tlsmgr - Postfix TLS session cache and PRNG manager + +<b>SYNOPSIS</b> + <b>tlsmgr</b> [generic Postfix daemon options] + +<b>DESCRIPTION</b> + The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> manages the Postfix TLS session caches. It stores and + retrieves cache entries on request by <a href="smtpd.8.html"><b>smtpd</b>(8)</a> and <a href="smtp.8.html"><b>smtp</b>(8)</a> processes, + and periodically removes entries that have expired. + + The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> also manages the PRNG (pseudo random number generator) + pool. It answers queries by the <a href="smtpd.8.html"><b>smtpd</b>(8)</a> and <a href="smtp.8.html"><b>smtp</b>(8)</a> processes to seed + their internal PRNG pools. + + The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>'s PRNG pool is initially seeded from an external source + (EGD, /dev/urandom, or regular file). It is updated at configurable + pseudo-random intervals with data from the external source. It is + updated periodically with data from TLS session cache entries and with + the time of day, and is updated with the time of day whenever a process + requests <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service. + + The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> saves the PRNG state to an exchange file periodically and + when the process terminates, and reads the exchange file when initial- + izing its PRNG. + +<b>SECURITY</b> + The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> is not security-sensitive. The code that maintains the + external and internal PRNG pools does not "trust" the data that it + manipulates, and the code that maintains the TLS session cache does not + touch the contents of the cached entries, except for seeding its inter- + nal PRNG pool. + + The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> can be run chrooted and with reduced privileges. At + process startup it connects to the entropy source and exchange file, + and creates or truncates the optional TLS session cache files. + + With Postfix version 2.5 and later, the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> no longer uses root + privileges when opening cache files. These files should now be stored + under the Postfix-owned <b><a href="postconf.5.html#data_directory">data_directory</a></b>. As a migration aid, an attempt + to open a cache file under a non-Postfix directory is redirected to the + Postfix-owned <b><a href="postconf.5.html#data_directory">data_directory</a></b>, and a warning is logged. + +<b>DIAGNOSTICS</b> + Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>. + +<b>BUGS</b> + There is no automatic means to limit the number of entries in the TLS + session caches and/or the size of the TLS cache files. + +<b>CONFIGURATION PARAMETERS</b> + Changes to <a href="postconf.5.html"><b>main.cf</b></a> are not picked up automatically, because <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> + is a persistent processes. Use the command "<b>postfix reload</b>" after a + configuration change. + + The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for + more details including examples. + +<b>TLS SESSION CACHE</b> + <b><a href="postconf.5.html#lmtp_tls_loglevel">lmtp_tls_loglevel</a> (0)</b> + The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> configuration + parameter. + + <b><a href="postconf.5.html#lmtp_tls_session_cache_database">lmtp_tls_session_cache_database</a> (empty)</b> + The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> + configuration parameter. + + <b><a href="postconf.5.html#lmtp_tls_session_cache_timeout">lmtp_tls_session_cache_timeout</a> (3600s)</b> + The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> + configuration parameter. + + <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b> + Enable additional Postfix SMTP client logging of TLS activity. + + <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b> + Name of the file containing the optional Postfix SMTP client TLS + session cache. + + <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b> + The expiration time of Postfix SMTP client TLS session cache + information. + + <b><a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> (0)</b> + Enable additional Postfix SMTP server logging of TLS activity. + + <b><a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> (empty)</b> + Name of the file containing the optional Postfix SMTP server TLS + session cache. + + <b><a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a> (3600s)</b> + The expiration time of Postfix SMTP server TLS session cache + information. + +<b>PSEUDO RANDOM NUMBER GENERATOR</b> + <b><a href="postconf.5.html#tls_random_source">tls_random_source</a> (see 'postconf -d' output)</b> + The external entropy source for the in-memory <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> pseudo + random number generator (PRNG) pool. + + <b><a href="postconf.5.html#tls_random_bytes">tls_random_bytes</a> (32)</b> + The number of bytes that <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> reads from $<a href="postconf.5.html#tls_random_source">tls_random_source</a> + when (re)seeding the in-memory pseudo random number generator + (PRNG) pool. + + <b><a href="postconf.5.html#tls_random_exchange_name">tls_random_exchange_name</a> (see 'postconf -d' output)</b> + Name of the pseudo random number generator (PRNG) state file + that is maintained by <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>. + + <b><a href="postconf.5.html#tls_random_prng_update_period">tls_random_prng_update_period</a> (3600s)</b> + The time between attempts by <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> to save the state of the + pseudo random number generator (PRNG) to the file specified with + $<a href="postconf.5.html#tls_random_exchange_name">tls_random_exchange_name</a>. + + <b><a href="postconf.5.html#tls_random_reseed_period">tls_random_reseed_period</a> (3600s)</b> + The maximal time between attempts by <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> to re-seed the + in-memory pseudo random number generator (PRNG) pool from exter- + nal sources. + +<b>MISCELLANEOUS CONTROLS</b> + <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b> + The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con- + figuration files. + + <b><a href="postconf.5.html#data_directory">data_directory</a> (see 'postconf -d' output)</b> + The directory with Postfix-writable data files (for example: + caches, pseudo-random numbers). + + <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b> + How much time a Postfix daemon process may take to handle a + request before it is terminated by a built-in watchdog timer. + + <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b> + The process ID of a Postfix command or daemon process. + + <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b> + The process name of a Postfix command or daemon process. + + <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b> + The syslog facility of Postfix logging. + + <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b> + A prefix that is prepended to the process name in syslog + records, so that, for example, "smtpd" becomes "prefix/smtpd". + + Available in Postfix 3.3 and later: + + <b><a href="postconf.5.html#service_name">service_name</a> (read-only)</b> + The <a href="master.5.html">master.cf</a> service name of a Postfix daemon process. + +<b>SEE ALSO</b> + <a href="smtp.8.html">smtp(8)</a>, Postfix SMTP client + <a href="smtpd.8.html">smtpd(8)</a>, Postfix SMTP server + <a href="postconf.5.html">postconf(5)</a>, configuration parameters + <a href="master.5.html">master(5)</a>, generic daemon options + <a href="master.8.html">master(8)</a>, process manager + <a href="postlogd.8.html">postlogd(8)</a>, Postfix logging + syslogd(8), system logging + +<b>README FILES</b> + <a href="TLS_README.html">TLS_README</a>, Postfix TLS configuration and operation + +<b>LICENSE</b> + The Secure Mailer license must be distributed with this software. + +<b>HISTORY</b> + This service was introduced with Postfix version 2.2. + +<b>AUTHOR(S)</b> + Lutz Jaenicke + BTU Cottbus + Allgemeine Elektrotechnik + Universitaetsplatz 3-4 + D-03044 Cottbus, Germany + + Adapted by: + Wietse Venema + IBM T.J. Watson Research + P.O. Box 704 + Yorktown Heights, NY 10598, USA + + Wietse Venema + Google, Inc. + 111 8th Avenue + New York, NY 10011, USA + + TLSMGR(8) +</pre> </body> </html> |