diff options
Diffstat (limited to 'html/posttls-finger.1.html')
-rw-r--r-- | html/posttls-finger.1.html | 361 |
1 files changed, 361 insertions, 0 deletions
diff --git a/html/posttls-finger.1.html b/html/posttls-finger.1.html new file mode 100644 index 0000000..4a47a48 --- /dev/null +++ b/html/posttls-finger.1.html @@ -0,0 +1,361 @@ +<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" + "http://www.w3.org/TR/html4/loose.dtd"> +<html> <head> +<meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> +<title> Postfix manual - posttls-finger(1) </title> +</head> <body> <pre> +POSTTLS-FINGER(1) POSTTLS-FINGER(1) + +<b>NAME</b> + posttls-finger - Probe the TLS properties of an ESMTP or LMTP server. + +<b>SYNOPSIS</b> + <b>posttls-finger</b> [<i>options</i>] [<b>inet:</b>]<i>domain</i>[:<i>port</i>] [<i>match ...</i>] + <b>posttls-finger</b> -S [<i>options</i>] <b>unix:</b><i>pathname</i> [<i>match ...</i>] + +<b>DESCRIPTION</b> + <a href="posttls-finger.1.html"><b>posttls-finger</b>(1)</a> connects to the specified destination and reports + TLS-related information about the server. With SMTP, the destination is + a domainname; with LMTP it is either a domainname prefixed with <b>inet:</b> + or a pathname prefixed with <b>unix:</b>. If Postfix is built without TLS + support, the resulting posttls-finger program has very limited func- + tionality, and only the <b>-a</b>, <b>-c</b>, <b>-h</b>, <b>-o</b>, <b>-S</b>, <b>-t</b>, <b>-T</b> and <b>-v</b> options are + available. + + Note: this is an unsupported test program. No attempt is made to main- + tain compatibility between successive versions. + + For SMTP servers that don't support ESMTP, only the greeting banner and + the negative EHLO response are reported. Otherwise, the reported EHLO + response details further server capabilities. + + If TLS support is enabled when <a href="posttls-finger.1.html"><b>posttls-finger</b>(1)</a> is compiled, and the + server supports <b>STARTTLS</b>, a TLS handshake is attempted. + + If DNSSEC support is available, the connection TLS security level (<b>-l</b> + option) defaults to <b>dane</b>; see <a href="TLS_README.html">TLS_README</a> for details. Otherwise, it + defaults to <b>secure</b>. This setting determines the certificate matching + policy. + + If TLS negotiation succeeds, the TLS protocol and cipher details are + reported. The server certificate is then verified in accordance with + the policy at the chosen (or default) security level. With public + CA-based trust, when the <b>-L</b> option includes <b>certmatch</b>, (true by + default) name matching is performed even if the certificate chain is + not trusted. This logs the names found in the remote SMTP server cer- + tificate and which if any would match, were the certificate chain + trusted. + + Note: <a href="posttls-finger.1.html"><b>posttls-finger</b>(1)</a> does not perform any table lookups, so the TLS + policy table and obsolete per-site tables are not consulted. It does + not communicate with the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> daemon (or any other Postfix dae- + mons); its TLS session cache is held in private memory, and disappears + when the process exits. + + With the <b>-r</b> <i>delay</i> option, if the server assigns a TLS session id, the + TLS session is cached. The connection is then closed and re-opened + after the specified delay, and <a href="posttls-finger.1.html"><b>posttls-finger</b>(1)</a> then reports whether + the cached TLS session was re-used. + + When the destination is a load balancer, it may be distributing load + between multiple server caches. Typically, each server returns its + unique name in its EHLO response. If, upon reconnecting with <b>-r</b>, a new + server name is detected, another session is cached for the new server, + and the reconnect is repeated up to a maximum number of times (default + 5) that can be specified via the <b>-m</b> option. + + The choice of SMTP or LMTP (<b>-S</b> option) determines the syntax of the + destination argument. With SMTP, one can specify a service on a + non-default port as <i>host</i>:<i>service</i>, and disable MX (mail exchanger) DNS + lookups with [<i>host</i>] or [<i>host</i>]:<i>port</i>. The [] form is required when you + specify an IP address instead of a hostname. An IPv6 address takes the + form [<b>ipv6:</b><i>address</i>]. The default port for SMTP is taken from the + <b>smtp/tcp</b> entry in /etc/services, defaulting to 25 if the entry is not + found. + + With LMTP, specify <b>unix:</b><i>pathname</i> to connect to a local server listening + on a unix-domain socket bound to the specified pathname; otherwise, + specify an optional <b>inet:</b> prefix followed by a <i>domain</i> and an optional + port, with the same syntax as for SMTP. The default TCP port for LMTP + is 24. + + Arguments: + + <b>-a</b> <i>family</i> (default: <b>any</b>) + Address family preference: <b>ipv4</b>, <b>ipv6</b> or <b>any</b>. When using <b>any</b>, + posttls-finger will randomly select one of the two as the more + preferred, and exhaust all MX preferences for the first address + family before trying any addresses for the other. + + <b>-A</b> <i>trust-anchor.pem</i> (default: none) + A list of PEM trust-anchor files that overrides CAfile and CAp- + ath trust chain verification. Specify the option multiple times + to specify multiple files. See the <a href="postconf.5.html">main.cf</a> documentation for + <a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a> for details. + + <b>-c</b> Disable SMTP chat logging; only TLS-related information is + logged. + + <b>-C</b> Print the remote SMTP server certificate trust chain in PEM for- + mat. The issuer DN, subject DN, certificate and public key fin- + gerprints (see <b>-d</b> <i>mdalg</i> option below) are printed above each PEM + certificate block. If you specify <b>-F</b> <i>CAfile</i> or <b>-P</b> <i>CApath</i>, the + OpenSSL library may augment the chain with missing issuer cer- + tificates. To see the actual chain sent by the remote SMTP + server leave <i>CAfile</i> and <i>CApath</i> unset. + + <b>-d</b> <i>mdalg</i> (default: <b>sha1</b>) + The message digest algorithm to use for reporting remote SMTP + server fingerprints and matching against user provided certifi- + cate fingerprints (with DANE TLSA records the algorithm is spec- + ified in the DNS). + + <b>-f</b> Lookup the associated DANE TLSA RRset even when a hostname is + not an alias and its address records lie in an unsigned zone. + See <a href="postconf.5.html#smtp_tls_force_insecure_host_tlsa_lookup">smtp_tls_force_insecure_host_tlsa_lookup</a> for details. + + <b>-F</b> <i>CAfile.pem</i> (default: none) + The PEM formatted CAfile for remote SMTP server certificate ver- + ification. By default no CAfile is used and no public CAs are + trusted. + + <b>-g</b> <i>grade</i> (default: medium) + The minimum TLS cipher grade used by posttls-finger. See + <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> for details. + + <b>-h</b> <i>host</i><b>_</b><i>lookup</i> (default: <b>dns</b>) + The hostname lookup methods used for the connection. See the + documentation of <a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> for syntax and semantics. + + <b>-H</b> <i>chainfiles</i> (default: <i>none</i>) + List of files with a sequence PEM-encoded TLS client certificate + chains. The list can be built-up incrementally, by specifying + the option multiple times, or all at once via a comma or white- + space separated list of filenames. Each chain starts with a + private key, which is followed immediately by the corresponding + certificate, and optionally by additional issuer certificates. + Each new key begins a new chain for the corresponding algorithm. + This option is mutually exclusive with the below <b>-k</b> and <b>-K</b> + options. + + <b>-k</b> <i>certfile</i> (default: <i>keyfile</i>) + File with PEM-encoded TLS client certificate chain. This + defaults to <i>keyfile</i> if one is specified. + + <b>-K</b> <i>keyfile</i> (default: <i>certfile</i>) + File with PEM-encoded TLS client private key. This defaults to + <i>certfile</i> if one is specified. + + <b>-l</b> <i>level</i> (default: <b>dane</b> or <b>secure</b>) + The security level for the connection, default <b>dane</b> or <b>secure</b> + depending on whether DNSSEC is available. For syntax and seman- + tics, see the documentation of <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>. When + <b>dane</b> or <b>dane-only</b> is supported and selected, if no TLSA records + are found, or all the records found are unusable, the <i>secure</i> + level will be used instead. The <b>fingerprint</b> security level + allows you to test certificate or public-key fingerprint matches + before you deploy them in the policy table. + + Note, since <b>posttls-finger</b> does not actually deliver any email, + the <b>none</b>, <b>may</b> and <b>encrypt</b> security levels are not very useful. + Since <b>may</b> and <b>encrypt</b> don't require peer certificates, they will + often negotiate anonymous TLS ciphersuites, so you won't learn + much about the remote SMTP server's certificates at these levels + if it also supports anonymous TLS (though you may learn that the + server supports anonymous TLS). + + <b>-L</b> <i>logopts</i> (default: <b>routine,certmatch</b>) + Fine-grained TLS logging options. To tune the TLS features + logged during the TLS handshake, specify one or more of: + + <b>0, none</b> + These yield no TLS logging; you'll generally want more, + but this is handy if you just want the trust chain: + $ posttls-finger -cC -L none destination + + <b>1, routine, summary</b> + These synonymous values yield a normal one-line summary + of the TLS connection. + + <b>2, debug</b> + These synonymous values combine routine, ssl-debug, cache + and verbose. + + <b>3, ssl-expert</b> + These synonymous values combine debug with ssl-hand- + shake-packet-dump. For experts only. + + <b>4, ssl-developer</b> + These synonymous values combine ssl-expert with ssl-ses- + sion-packet-dump. For experts only, and in most cases, + use wireshark instead. + + <b>ssl-debug</b> + Turn on OpenSSL logging of the progress of the SSL hand- + shake. + + <b>ssl-handshake-packet-dump</b> + Log hexadecimal packet dumps of the SSL handshake; for + experts only. + + <b>ssl-session-packet-dump</b> + Log hexadecimal packet dumps of the entire SSL session; + only useful to those who can debug SSL protocol problems + from hex dumps. + + <b>untrusted</b> + Logs trust chain verification problems. This is turned + on automatically at security levels that use peer names + signed by Certification Authorities to validate certifi- + cates. So while this setting is recognized, you should + never need to set it explicitly. + + <b>peercert</b> + This logs a one line summary of the remote SMTP server + certificate subject, issuer, and fingerprints. + + <b>certmatch</b> + This logs remote SMTP server certificate matching, show- + ing the CN and each subjectAltName and which name + matched. With DANE, logs matching of TLSA record + trust-anchor and end-entity certificates. + + <b>cache</b> This logs session cache operations, showing whether ses- + sion caching is effective with the remote SMTP server. + Automatically used when reconnecting with the <b>-r</b> option; + rarely needs to be set explicitly. + + <b>verbose</b> + Enables verbose logging in the Postfix TLS driver; + includes all of peercert..cache and more. + + The default is <b>routine,certmatch</b>. After a reconnect, <b>peercert</b>, + <b>certmatch</b> and <b>verbose</b> are automatically disabled while <b>cache</b> and + <b>summary</b> are enabled. + + <b>-m</b> <i>count</i> (default: <b>5</b>) + When the <b>-r</b> <i>delay</i> option is specified, the <b>-m</b> option determines + the maximum number of reconnect attempts to use with a server + behind a load balancer, to see whether connection caching is + likely to be effective for this destination. Some MTAs don't + expose the underlying server identity in their EHLO response; + with these servers there will never be more than 1 reconnection + attempt. + + <b>-M</b> <i>insecure</i><b>_</b><i>mx</i><b>_</b><i>policy</i> (default: <b>dane</b>) + The TLS policy for MX hosts with "secure" TLSA records when the + nexthop destination security level is <b>dane</b>, but the MX record + was found via an "insecure" MX lookup. See the <a href="postconf.5.html">main.cf</a> documen- + tation for smtp_tls_insecure_mx_policy for details. + + <b>-o</b> <i>name=value</i> + Specify zero or more times to override the value of the <a href="postconf.5.html">main.cf</a> + parameter <i>name</i> with <i>value</i>. Possible use-cases include overrid- + ing the values of TLS library parameters, or "<a href="postconf.5.html#myhostname">myhostname</a>" to + configure the SMTP EHLO name sent to the remote server. + + <b>-p</b> <i>protocols</i> (default: !SSLv2) + List of TLS protocols that posttls-finger will exclude or + include. See <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> for details. + + <b>-P</b> <i>CApath/</i> (default: none) + The OpenSSL CApath/ directory (indexed via c_rehash(1)) for + remote SMTP server certificate verification. By default no CAp- + ath is used and no public CAs are trusted. + + <b>-r</b> <i>delay</i> + With a cacheable TLS session, disconnect and reconnect after + <i>delay</i> seconds. Report whether the session is re-used. Retry if a + new server is encountered, up to 5 times or as specified with + the <b>-m</b> option. By default reconnection is disabled, specify a + positive delay to enable this behavior. + + <b>-s</b> <i>servername</i> + The server name to send with the TLS Server Name Indication + (SNI) extension. When the server has DANE TLSA records, this + parameter is ignored and the TLSA base domain is used instead. + Otherwise, SNI is not used by default, but can be enabled by + specifying the desired value with this option. + + <b>-S</b> Disable SMTP; that is, connect to an LMTP server. The default + port for LMTP over TCP is 24. Alternative ports can specified + by appending "<i>:servicename</i>" or ":<i>portnumber</i>" to the destination + argument. + + <b>-t</b> <i>timeout</i> (default: <b>30</b>) + The TCP connection timeout to use. This is also the timeout for + reading the remote server's 220 banner. + + <b>-T</b> <i>timeout</i> (default: <b>30</b>) + The SMTP/LMTP command timeout for EHLO/LHLO, STARTTLS and QUIT. + + <b>-v</b> Enable verbose Postfix logging. Specify more than once to + increase the level of verbose logging. + + <b>-w</b> Enable outgoing TLS wrapper mode, or SMTPS support. This is + typically provided on port 465 by servers that are compatible + with the ad-hoc SMTP in SSL protocol, rather than the standard + STARTTLS protocol. The destination <i>domain</i>:<i>port</i> should of course + provide such a service. + + <b>-X</b> Enable <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> mode. This is an unsupported mode, for pro- + gram development only. + + [<b>inet:</b>]<i>domain</i>[:<i>port</i>] + Connect via TCP to domain <i>domain</i>, port <i>port</i>. The default port is + <b>smtp</b> (or 24 with LMTP). With SMTP an MX lookup is performed to + resolve the domain to a host, unless the domain is enclosed in + <b>[]</b>. If you want to connect to a specific MX host, for instance + <i>mx1.example.com</i>, specify [<i>mx1.example.com</i>] as the destination + and <i>example.com</i> as a <b>match</b> argument. When using DNS, the desti- + nation domain is assumed fully qualified and no default domain + or search suffixes are applied; you must use fully-qualified + names or also enable <b>native</b> host lookups (these don't support + <b>dane</b> or <b>dane-only</b> as no DNSSEC validation information is avail- + able via <b>native</b> lookups). + + <b>unix:</b><i>pathname</i> + Connect to the UNIX-domain socket at <i>pathname</i>. LMTP only. + + <b>match ...</b> + With no match arguments specified, certificate peername matching + uses the compiled-in default strategies for each security level. + If you specify one or more arguments, these will be used as the + list of certificate or public-key digests to match for the <b>fin-</b> + <b>gerprint</b> level, or as the list of DNS names to match in the cer- + tificate at the <b>verify</b> and <b>secure</b> levels. If the security level + is <b>dane</b>, or <b>dane-only</b> the match names are ignored, and <b>hostname,</b> + <b>nexthop</b> strategies are used. + +<b>ENVIRONMENT</b> + <b>MAIL_CONFIG</b> + Read configuration parameters from a non-default location. + + <b>MAIL_VERBOSE</b> + Same as <b>-v</b> option. + +<b>SEE ALSO</b> + <a href="smtp-source.1.html">smtp-source(1)</a>, SMTP/LMTP message source + <a href="smtp-sink.1.html">smtp-sink(1)</a>, SMTP/LMTP message dump + +<b>README FILES</b> + <a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto + +<b>LICENSE</b> + The Secure Mailer license must be distributed with this software. + +<b>AUTHOR(S)</b> + Wietse Venema + IBM T.J. Watson Research + P.O. Box 704 + Yorktown Heights, NY 10598, USA + + Wietse Venema + Google, Inc. + 111 8th Avenue + New York, NY 10011, USA + + Viktor Dukhovni + + POSTTLS-FINGER(1) +</pre> </body> </html> |