<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<title> Postfix manual - tlsmgr(8) </title>
</head> <body> <pre>
TLSMGR(8)                                                            TLSMGR(8)

<b>NAME</b>
       tlsmgr - Postfix TLS session cache and PRNG manager

<b>SYNOPSIS</b>
       <b>tlsmgr</b> [generic Postfix daemon options]

<b>DESCRIPTION</b>
       The  <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> manages the Postfix TLS session caches.  It
       stores and retrieves cache entries on request by  <a href="smtpd.8.html"><b>smtpd</b>(8)</a>
       and  <a href="smtp.8.html"><b>smtp</b>(8)</a>  processes,  and periodically removes entries
       that have expired.

       The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> also manages the PRNG (pseudo random  number
       generator)  pool.  It  answers queries by the <a href="smtpd.8.html"><b>smtpd</b>(8)</a> and
       <a href="smtp.8.html"><b>smtp</b>(8)</a> processes to seed their internal PRNG pools.

       The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>'s PRNG pool  is  initially  seeded  from  an
       external  source (EGD, /dev/urandom, or regular file).  It
       is updated at configurable  pseudo-random  intervals  with
       data  from the external source. It is updated periodically
       with data from TLS session cache entries and with the time
       of  day,  and  is  updated with the time of day whenever a
       process requests <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service.

       The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> saves the PRNG state  to  an  exchange  file
       periodically  and  when  the process terminates, and reads
       the exchange file when initializing its PRNG.

<b>SECURITY</b>
       The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> is not  security-sensitive.  The  code  that
       maintains  the  external  and internal PRNG pools does not
       "trust" the data that it manipulates, and  the  code  that
       maintains  the  TLS  session cache does not touch the con-
       tents of the cached entries, except for seeding its inter-
       nal PRNG pool.

       The  <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> can be run chrooted and with reduced privi-
       leges.  At process startup  it  connects  to  the  entropy
       source  and  exchange  file,  and creates or truncates the
       optional TLS session cache files.

       With Postfix version  2.5  and  later,  the  <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>  no
       longer  uses  root  privileges  when  opening cache files.
       These files should now be stored under  the  Postfix-owned
       <b><a href="postconf.5.html#data_directory">data_directory</a></b>.   As a migration aid, an attempt to open a
       cache file under a non-Postfix directory is redirected  to
       the Postfix-owned <b><a href="postconf.5.html#data_directory">data_directory</a></b>, and a warning is logged.
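
       As an added example, not part of the Postfix manual or source: a
       POSIX sh audit that reads a main.cf and reports any TLS session
       cache file configured outside the Postfix-owned data_directory,
       the condition that, from Postfix 2.5 on, makes tlsmgr(8) redirect
       the open and log a warning. The main.cf fragment, the cf_get and
       check_cache_paths helper names and the scratch-file path are all
       constructed here.

```sh
#!/bin/sh
# Constructed main.cf fragment (not a real Postfix config): one session
# cache sits under ${data_directory}, one was left in the spool directory.
SAMPLE_CF='data_directory = /var/lib/postfix
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_scache
lmtp_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3600s
'

# cf_get FILE PARAM: print PARAM's value from a main.cf-style file.
# Postfix uses the last definition when a parameter is repeated, so
# keep only the last match.
cf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_cache_paths FILE: for every *_tls_session_cache_database that is
# set, drop the lookup-table type prefix (e.g. "btree:"), expand a
# leading $data_directory reference, and report whether the cache file
# lives under data_directory. Ends with a summary line "outside: N".
check_cache_paths() {
    datadir=$(cf_get "$1" data_directory)
    bad=0
    for p in smtpd_tls_session_cache_database \
             smtp_tls_session_cache_database \
             lmtp_tls_session_cache_database; do
        v=$(cf_get "$1" "$p")
        [ -z "$v" ] && continue              # empty: no cache file at all
        path=${v#*:}                          # "btree:/x/y" -> "/x/y"
        case "$path" in                       # expand ${data_directory}
            '${data_directory}/'* | '$data_directory/'*)
                path="$datadir/${path#*/}" ;;
        esac
        case "$path" in
            "$datadir"/*) echo "ok:   $p -> $path" ;;
            *)            echo "WARN: $p -> $path is outside $datadir"
                          bad=$((bad + 1)) ;;
        esac
    done
    echo "outside: $bad"
}

# Usage: write the constructed sample to a scratch file and audit it.
tmp=${TMPDIR:-/tmp}/tlsmgr_check.$$
printf '%s' "$SAMPLE_CF" > "$tmp"
check_cache_paths "$tmp"
rm -f "$tmp"
```

       Point it at the live file with check_cache_paths /etc/postfix/main.cf
       (or at the output of "postconf -n" saved to a file) before running
       "postfix reload".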

<b>DIAGNOSTICS</b>
       Problems and transactions are logged to the syslog daemon.

<b>BUGS</b>
       There is no automatic means to limit the number of entries
       in the TLS session caches and/or the size of the TLS cache
       files.

<b>CONFIGURATION PARAMETERS</b>
       Changes  to  <a href="postconf.5.html"><b>main.cf</b></a>  are  not  picked  up  automatically,
       because <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> is a persistent process.  Use  the  com-
       mand "<b>postfix reload</b>" after a configuration change.

       The  text  below  provides  only  a parameter summary. See
       <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.

<b>TLS SESSION CACHE</b>
       <b><a href="postconf.5.html#lmtp_tls_loglevel">lmtp_tls_loglevel</a> (0)</b>
              The LMTP-specific version of the  <a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a>
              configuration parameter.

       <b><a href="postconf.5.html#lmtp_tls_session_cache_database">lmtp_tls_session_cache_database</a> (empty)</b>
              The  LMTP-specific  version  of  the  smtp_tls_ses-
              sion_cache_database configuration parameter.

       <b><a href="postconf.5.html#lmtp_tls_session_cache_timeout">lmtp_tls_session_cache_timeout</a> (3600s)</b>
              The  LMTP-specific  version  of  the  smtp_tls_ses-
              sion_cache_timeout configuration parameter.

       <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
              Enable  additional  Postfix  SMTP client logging of
              TLS activity.

       <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
              Name of the file containing  the  optional  Postfix
              SMTP client TLS session cache.

       <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
              The expiration time of Postfix SMTP client TLS ses-
              sion cache information.

       <b><a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> (0)</b>
              Enable additional Postfix SMTP  server  logging  of
              TLS activity.

       <b><a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> (empty)</b>
              Name  of  the  file containing the optional Postfix
              SMTP server TLS session cache.

       <b><a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a> (3600s)</b>
              The expiration time of Postfix SMTP server TLS ses-
              sion cache information.

<b>PSEUDO RANDOM NUMBER GENERATOR</b>
       <b><a href="postconf.5.html#tls_random_source">tls_random_source</a> (see 'postconf -d' output)</b>
              The  external  entropy  source  for  the  in-memory
              <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> pseudo  random  number  generator  (PRNG)
              pool.

       <b><a href="postconf.5.html#tls_random_bytes">tls_random_bytes</a> (32)</b>
              The  number  of  bytes  that  <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>  reads from
              $<a href="postconf.5.html#tls_random_source">tls_random_source</a> when (re)seeding  the  in-memory
              pseudo random number generator (PRNG) pool.

       <b><a href="postconf.5.html#tls_random_exchange_name">tls_random_exchange_name</a> (see 'postconf -d' output)</b>
              Name  of  the pseudo random number generator (PRNG)
              state file that is maintained by <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>.

       <b><a href="postconf.5.html#tls_random_prng_update_period">tls_random_prng_update_period</a> (3600s)</b>
              The time between attempts by <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> to save  the
              state  of the pseudo random number generator (PRNG)
              to    the    file    specified    with    $<a href="postconf.5.html#tls_random_exchange_name">tls_ran</a>-
              <a href="postconf.5.html#tls_random_exchange_name">dom_exchange_name</a>.

       <b><a href="postconf.5.html#tls_random_reseed_period">tls_random_reseed_period</a> (3600s)</b>
              The  maximal  time between attempts by <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> to
              re-seed the in-memory pseudo random number  genera-
              tor (PRNG) pool from external sources.

<b>MISCELLANEOUS CONTROLS</b>
       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
              The  default  location  of  the Postfix <a href="postconf.5.html">main.cf</a> and
              <a href="master.5.html">master.cf</a> configuration files.

       <b><a href="postconf.5.html#data_directory">data_directory</a> (see 'postconf -d' output)</b>
              The directory with Postfix-writable data files (for
              example: caches, pseudo-random numbers).

       <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
              How  much time a Postfix daemon process may take to
              handle a request  before  it  is  terminated  by  a
              built-in watchdog timer.

       <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
              The  process  ID  of  a  Postfix  command or daemon
              process.

       <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
              The process name of a  Postfix  command  or  daemon
              process.

       <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
              The syslog facility of Postfix logging.

       <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
              The  mail  system  name  that  is  prepended to the
              process name in syslog  records,  so  that  "smtpd"
              becomes, for example, "postfix/smtpd".

<b>SEE ALSO</b>
       <a href="smtp.8.html">smtp(8)</a>, Postfix SMTP client
       <a href="smtpd.8.html">smtpd(8)</a>, Postfix SMTP server
       <a href="postconf.5.html">postconf(5)</a>, configuration parameters
       <a href="master.5.html">master(5)</a>, generic daemon options
       <a href="master.8.html">master(8)</a>, process manager
       syslogd(8), system logging

<b>README FILES</b>
       <a href="TLS_README.html">TLS_README</a>, Postfix TLS configuration and operation

<b>LICENSE</b>
       The Secure Mailer license must be  distributed  with  this
       software.

<b>AUTHOR(S)</b>
       Lutz Jaenicke
       BTU Cottbus
       Allgemeine Elektrotechnik
       Universitaetsplatz 3-4
       D-03044 Cottbus, Germany

       Adapted by:
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

                                                                     TLSMGR(8)
</pre> </body> </html>