From 95f5f6d1c3aec1cb62525f5162e71a4157aca717 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sat, 13 Apr 2024 10:42:27 +0200
Subject: Merging upstream version 3.9.0.

Signed-off-by: Daniel Baumann
---
 html/tlsproxy.8.html | 111 +++++++++++++++++++++++++++------------------------
 1 file changed, 59 insertions(+), 52 deletions(-)

(limited to 'html/tlsproxy.8.html')

diff --git a/html/tlsproxy.8.html b/html/tlsproxy.8.html
index 0c36743..615a222 100644
--- a/html/tlsproxy.8.html
+++ b/html/tlsproxy.8.html
@@ -170,26 +170,26 @@ TLSPROXY(8) TLSPROXY(8) tialization functions. STARTTLS SERVER CONTROLS - These settings are clones of Postfix SMTP server settings. They allow + These settings are clones of Postfix SMTP server settings. They allow tlsproxy(8) to load the same certificate and private key information as - the Postfix SMTP server, before dropping privileges, so that the key - files can be kept read-only for root. These settings can currently not - be overruled by information in a tlsproxy(8) client request, but that + the Postfix SMTP server, before dropping privileges, so that the key + files can be kept read-only for root. These settings can currently not + be overruled by information in a tlsproxy(8) client request, but that limitation may be removed in a future version. tlsproxy_tls_CAfile ($smtpd_tls_CAfile) - A file containing (PEM format) CA certificates of root CAs + A file containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or inter- mediate CA certificates. tlsproxy_tls_CApath ($smtpd_tls_CApath) - A directory containing (PEM format) CA certificates of root CAs + A directory containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or inter- mediate CA certificates. tlsproxy_tls_always_issue_session_ids ($smtpd_tls_always_issue_ses- sion_ids) - Force the Postfix tlsproxy(8) server to issue a TLS session id, + Force the Postfix tlsproxy(8) server to issue a TLS session id, even when TLS session caching is turned off. tlsproxy_tls_ask_ccert ($smtpd_tls_ask_ccert) @@ -199,7 +199,7 @@ TLSPROXY(8) TLSPROXY(8) The verification depth for remote SMTP client certificates. tlsproxy_tls_cert_file ($smtpd_tls_cert_file) - File with the Postfix tlsproxy(8) server RSA certificate in PEM + File with the Postfix tlsproxy(8) server RSA certificate in PEM format. tlsproxy_tls_ciphers ($smtpd_tls_ciphers) 
@@ -207,47 +207,47 @@ TLSPROXY(8) TLSPROXY(8) will use with opportunistic TLS encryption. tlsproxy_tls_dcert_file ($smtpd_tls_dcert_file) - File with the Postfix tlsproxy(8) server DSA certificate in PEM + File with the Postfix tlsproxy(8) server DSA certificate in PEM format. tlsproxy_tls_dh1024_param_file ($smtpd_tls_dh1024_param_file) - File with DH parameters that the Postfix tlsproxy(8) server + File with DH parameters that the Postfix tlsproxy(8) server should use with non-export EDH ciphers. tlsproxy_tls_dh512_param_file ($smtpd_tls_dh512_param_file) - File with DH parameters that the Postfix tlsproxy(8) server + File with DH parameters that the Postfix tlsproxy(8) server should use with export-grade EDH ciphers. tlsproxy_tls_dkey_file ($smtpd_tls_dkey_file) - File with the Postfix tlsproxy(8) server DSA private key in PEM + File with the Postfix tlsproxy(8) server DSA private key in PEM format. tlsproxy_tls_eccert_file ($smtpd_tls_eccert_file) - File with the Postfix tlsproxy(8) server ECDSA certificate in + File with the Postfix tlsproxy(8) server ECDSA certificate in PEM format. tlsproxy_tls_eckey_file ($smtpd_tls_eckey_file) - File with the Postfix tlsproxy(8) server ECDSA private key in + File with the Postfix tlsproxy(8) server ECDSA private key in PEM format. tlsproxy_tls_eecdh_grade ($smtpd_tls_eecdh_grade) - The Postfix tlsproxy(8) server security grade for ephemeral + The Postfix tlsproxy(8) server security grade for ephemeral elliptic-curve Diffie-Hellman (EECDH) key exchange. tlsproxy_tls_exclude_ciphers ($smtpd_tls_exclude_ciphers) - List of ciphers or cipher types to exclude from the tlsproxy(8) + List of ciphers or cipher types to exclude from the tlsproxy(8) server cipher list at all TLS security levels. tlsproxy_tls_fingerprint_digest ($smtpd_tls_fingerprint_digest) - The message digest algorithm to construct remote SMTP + The message digest algorithm to construct remote SMTP client-certificate fingerprints. 
tlsproxy_tls_key_file ($smtpd_tls_key_file) - File with the Postfix tlsproxy(8) server RSA private key in PEM + File with the Postfix tlsproxy(8) server RSA private key in PEM format. tlsproxy_tls_loglevel ($smtpd_tls_loglevel) - Enable additional Postfix tlsproxy(8) server logging of TLS + Enable additional Postfix tlsproxy(8) server logging of TLS activity. tlsproxy_tls_mandatory_ciphers ($smtpd_tls_mandatory_ciphers) @@ -256,7 +256,7 @@ TLSPROXY(8) TLSPROXY(8) tlsproxy_tls_mandatory_exclude_ciphers ($smtpd_tls_manda- tory_exclude_ciphers) - Additional list of ciphers or cipher types to exclude from the + Additional list of ciphers or cipher types to exclude from the tlsproxy(8) server cipher list at mandatory TLS security levels. tlsproxy_tls_mandatory_protocols ($smtpd_tls_mandatory_protocols) 
@@ -264,67 +264,74 @@ TLSPROXY(8) TLSPROXY(8) with mandatory TLS encryption. tlsproxy_tls_protocols ($smtpd_tls_protocols) - List of TLS protocols that the Postfix tlsproxy(8) server will + List of TLS protocols that the Postfix tlsproxy(8) server will exclude or include with opportunistic TLS encryption. tlsproxy_tls_req_ccert ($smtpd_tls_req_ccert) - With mandatory TLS encryption, require a trusted remote SMTP + With mandatory TLS encryption, require a trusted remote SMTP client certificate in order to allow TLS connections to proceed. tlsproxy_tls_security_level ($smtpd_tls_security_level) - The SMTP TLS security level for the Postfix tlsproxy(8) server; + The SMTP TLS security level for the Postfix tlsproxy(8) server; when a non-empty value is specified, this overrides the obsolete parameters smtpd_use_tls and smtpd_enforce_tls. tlsproxy_tls_chain_files ($smtpd_tls_chain_files) - Files with the Postfix tlsproxy(8) server keys and certificate + Files with the Postfix tlsproxy(8) server keys and certificate chains in PEM format. + Available in Postfix version 3.9 and later: + + tlsproxy_tls_enable_rpk ($smtpd_tls_enable_rpk) + Request that remote SMTP clients send an RFC7250 raw public key + instead of an X.509 certificate, when asking or requiring client + authentication. + STARTTLS CLIENT CONTROLS - These settings are clones of Postfix SMTP client settings. They allow + These settings are clones of Postfix SMTP client settings. They allow tlsproxy(8) to load the same certificate and private key information as - the Postfix SMTP client, before dropping privileges, so that the key + the Postfix SMTP client, before dropping privileges, so that the key files can be kept read-only for root. Some settings may be overruled by information in a tlsproxy(8) client request. 
Available in Postfix version 3.4 and later: tlsproxy_client_CAfile ($smtp_tls_CAfile) - A file containing CA certificates of root CAs trusted to sign - either remote TLS server certificates or intermediate CA cer- + A file containing CA certificates of root CAs trusted to sign + either remote TLS server certificates or intermediate CA cer- tificates. tlsproxy_client_CApath ($smtp_tls_CApath) - Directory with PEM format Certification Authority certificates - that the Postfix tlsproxy(8) client uses to verify a remote TLS + Directory with PEM format Certification Authority certificates + that the Postfix tlsproxy(8) client uses to verify a remote TLS server certificate. tlsproxy_client_chain_files ($smtp_tls_chain_files) - Files with the Postfix tlsproxy(8) client keys and certificate + Files with the Postfix tlsproxy(8) client keys and certificate chains in PEM format. tlsproxy_client_cert_file ($smtp_tls_cert_file) - File with the Postfix tlsproxy(8) client RSA certificate in PEM + File with the Postfix tlsproxy(8) client RSA certificate in PEM format. tlsproxy_client_key_file ($smtp_tls_key_file) - File with the Postfix tlsproxy(8) client RSA private key in PEM + File with the Postfix tlsproxy(8) client RSA private key in PEM format. tlsproxy_client_dcert_file ($smtp_tls_dcert_file) - File with the Postfix tlsproxy(8) client DSA certificate in PEM + File with the Postfix tlsproxy(8) client DSA certificate in PEM format. tlsproxy_client_dkey_file ($smtp_tls_dkey_file) - File with the Postfix tlsproxy(8) client DSA private key in PEM + File with the Postfix tlsproxy(8) client DSA private key in PEM format. tlsproxy_client_eccert_file ($smtp_tls_eccert_file) - File with the Postfix tlsproxy(8) client ECDSA certificate in + File with the Postfix tlsproxy(8) client ECDSA certificate in PEM format. 
tlsproxy_client_eckey_file ($smtp_tls_eckey_file) - File with the Postfix tlsproxy(8) client ECDSA private key in + File with the Postfix tlsproxy(8) client ECDSA private key in PEM format. tlsproxy_client_fingerprint_digest ($smtp_tls_fingerprint_digest) @@ -332,7 +339,7 @@ TLSPROXY(8) TLSPROXY(8) certificate fingerprints. tlsproxy_client_loglevel ($smtp_tls_loglevel) - Enable additional Postfix tlsproxy(8) client logging of TLS + Enable additional Postfix tlsproxy(8) client logging of TLS activity. tlsproxy_client_loglevel_parameter (smtp_tls_loglevel) 
@@ -343,43 +350,43 @@ TLSPROXY(8) TLSPROXY(8) The verification depth for remote TLS server certificates. tlsproxy_client_use_tls ($smtp_use_tls) - Opportunistic mode: use TLS when a remote server announces TLS + Opportunistic mode: use TLS when a remote server announces TLS support. tlsproxy_client_enforce_tls ($smtp_enforce_tls) - Enforcement mode: require that SMTP servers use TLS encryption. + Enforcement mode: require that SMTP servers use TLS encryption. tlsproxy_client_per_site ($smtp_tls_per_site) - Optional lookup tables with the Postfix tlsproxy(8) client TLS - usage policy by next-hop destination and by remote TLS server + Optional lookup tables with the Postfix tlsproxy(8) client TLS + usage policy by next-hop destination and by remote TLS server hostname. Available in Postfix version 3.4-3.6: tlsproxy_client_level ($smtp_tls_security_level) - The default TLS security level for the Postfix tlsproxy(8) + The default TLS security level for the Postfix tlsproxy(8) client. tlsproxy_client_policy ($smtp_tls_policy_maps) - Optional lookup tables with the Postfix tlsproxy(8) client TLS + Optional lookup tables with the Postfix tlsproxy(8) client TLS security policy by next-hop destination. Available in Postfix version 3.7 and later: tlsproxy_client_security_level ($smtp_tls_security_level) - The default TLS security level for the Postfix tlsproxy(8) + The default TLS security level for the Postfix tlsproxy(8) client. tlsproxy_client_policy_maps ($smtp_tls_policy_maps) - Optional lookup tables with the Postfix tlsproxy(8) client TLS + Optional lookup tables with the Postfix tlsproxy(8) client TLS security policy by next-hop destination. OBSOLETE STARTTLS SUPPORT CONTROLS - These parameters are supported for compatibility with smtpd(8) legacy + These parameters are supported for compatibility with smtpd(8) legacy parameters. 
tlsproxy_use_tls ($smtpd_use_tls) - Opportunistic TLS: announce STARTTLS support to remote SMTP + Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not require that clients use TLS encryption. tlsproxy_enforce_tls ($smtpd_enforce_tls) @@ -387,11 +394,11 @@ TLSPROXY(8) TLSPROXY(8) and require that clients use TLS encryption. tlsproxy_client_use_tls ($smtp_use_tls) - Opportunistic mode: use TLS when a remote server announces TLS + Opportunistic mode: use TLS when a remote server announces TLS support. tlsproxy_client_enforce_tls ($smtp_enforce_tls) - Enforcement mode: require that SMTP servers use TLS encryption. + Enforcement mode: require that SMTP servers use TLS encryption. RESOURCE CONTROLS tlsproxy_watchdog_timeout (10s) @@ -400,7 +407,7 @@ TLSPROXY(8) TLSPROXY(8) MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and master.cf con- + The default location of the Postfix main.cf and master.cf con- figuration files. process_id (read-only) @@ -413,7 +420,7 @@ TLSPROXY(8) TLSPROXY(8) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - A prefix that is prepended to the process name in syslog + A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". Available in Postfix 3.3 and later: -- cgit v1.2.3
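Review bot: In the hunk at @@ -170,26 +170,26 @@ and in most of the hunks after it, each removed line reads the same as the added line that replaces it, for example "- A file containing (PEM format) CA certificates of root CAs" against "+ A file containing (PEM format) CA certificates of root CAs". The diffstat's 59 insertions against 52 deletions leaves seven net lines, which matches the size of the tlsproxy_tls_enable_rpk block, so everything else appears to be line re-justification in the generated HTML. Worth confirming with a whitespace-insensitive diff that no wording changed in the key, certificate, cipher and protocol parameter descriptions, so that the one real documentation change is not lost in the churn.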
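Review bot: In the hunk at @@ -264,67 +264,74 @@, the new tlsproxy_tls_enable_rpk entry does not say how a raw public key is authenticated once a client sends one in place of an X.509 certificate. The same section documents tlsproxy_tls_CAfile, tlsproxy_tls_CApath and the client-certificate verification depth, all of which describe CA-signed certificates, and a raw public key carries no issuer chain to verify. The entry should state which of those settings still apply when this is enabled and cross-reference the mechanism that matches the key, such as tlsproxy_tls_fingerprint_digest if that is what is intended. The hunk also adds the parameter only under STARTTLS SERVER CONTROLS; if the SMTP client setting has a tlsproxy clone, STARTTLS CLIENT CONTROLS needs the matching entry. Minor: "RFC7250" reads better as "RFC 7250".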
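Review bot: In the hunk at @@ -387,11 +394,11 @@, tlsproxy_client_use_tls and tlsproxy_client_enforce_tls sit under OBSOLETE STARTTLS SUPPORT CONTROLS, yet the hunk at @@ -343,43 +350,43 @@ lists the same two parameters with identical text under STARTTLS CLIENT CONTROLS with no obsolete marking. A reader who lands on the client section gets no hint that these are legacy parameters, which matters for settings that decide whether TLS is opportunistic or enforced. Suggest keeping them only in the obsolete section, or marking them obsolete in the client section and pointing to the security-level parameter documented next to them.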