<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<meta name="generator" content="HTML Tidy, see www.w3.org">
<title>Postfix/TLS - Configuring main.cf and master.cf</title>

<h1>Postfix/TLS - Configuring main.cf and master.cf</h1>

To use the TLS extension you need to feed some information to
postfix. Please see also the <code>conf/sample-tls.cf</code> file.

<h2>main.cf: smtpd (server) specific variables</h2>

# To use TLS we need a certificate and a private key. Both must be in
# "pem" format, and the private key must not be encrypted, that is: it
# must be accessible without a password. Both parts (certificate and
# private key) may be in the same file.

# Both RSA and DSA certificates are supported. Typically you will only
# have RSA certificates issued by a commercial CA, and the tools supplied
# with OpenSSL also issue RSA certificates by default.
# You can have both at the same time; in this case the cipher negotiated
# decides which certificate is presented. For Netscape and OpenSSL clients
# without special cipher choices, the RSA certificate is preferred.

# In order to check the certificates, the CA certificate (in case of a
# certificate chain, all CA certificates) must be available.
# You should add these certificates to the server certificate, the server
# certificate first, then the issuing CA(s).

# Example: the certificate for "server.dom.ain" was issued by "intermediate CA"
# which itself has a certificate of "root CA". Create the server.pem file by
# 'cat server_cert.pem intermediate_CA.pem root_CA.pem > server.pem'

# If you want to accept certificates issued by these CAs yourself, you can
# also add the CA certificates to the smtpd_tls_CAfile, in which case it is
# not necessary to have them in the smtpd_tls_[d]cert_file.

# A certificate supplied here must be usable as SSL server certificate and
# hence pass the "openssl verify -purpose sslserver ..." test.

smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_key_file = $smtpd_tls_cert_file

# Its DSA counterparts:
smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
smtpd_tls_dkey_file = $smtpd_tls_dcert_file

# The certificate was issued by a certification authority (CA), the CA cert
# of which must be available, if not in the certificate file.
# This file may also contain the CA certificates of other trusted CAs.
# You must use this file for the list of trusted CAs if you want to use
# chroot mode. No default is supplied for this value as of now.

# smtpd_tls_CAfile = /etc/postfix/CAcert.pem

# To verify the peer certificate, we need to know the certificates of
# certification authorities. These certificates in "pem" format are
# collected in a directory. The same CAs are used to verify client
# certificates. Don't forget to create the necessary "hash"
# links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical
# place for the CA certs may also be $OPENSSL_HOME/certs, so there is
# no default and you explicitly have to set the value here!

# To use this option in chroot mode, this directory itself or a copy of it
# must be inside the chroot jail. Please note also that the CAs in this
# directory are not listed to the client, so that e.g. Netscape might not
# offer certificates issued by them.

# I therefore discourage the use of this option.

smtpd_tls_CApath = /etc/postfix/certs

# To get additional information during the TLS setup and negotiations
# you can increase the loglevel from 0..4:
# 0: No output about the TLS subsystem
# 1: Printout of startup and certificate information
# 2: 1 + Printout of levels during negotiation
# 3: 2 + Hex and ASCII dump of the negotiation process
# 4: 3 + Hex and ASCII dump of the complete transmission after STARTTLS
# Use loglevel 3 only in case of problems. Use of loglevel 4 is strongly

# smtpd_tls_loglevel = 0

# To include information about the protocol and cipher used as well as the
# client and issuer CommonName in the "Received:" header, set the
# smtpd_tls_received_header variable to true. The default is no, as the
# information is not necessarily authentic. Only the header added by the
# final destination is reliable, since headers added earlier might have
# been changed in between.

#smtpd_tls_received_header = yes

# By default TLS is disabled, so no difference to plain postfix is visible.
# Explicitly switch it on using "smtpd_use_tls". (Note: when invoked
# via "sendmail -bs", STARTTLS is never offered due to insufficient
# privileges to access the private key. This is intended behaviour.)

# You can ENFORCE the use of TLS, so that no commands (except QUIT of course)
# are allowed without TLS. According to RFC2487 this MUST NOT be applied
# in case of a publicly-referenced SMTP server. So this option is off
# by default and should only seldom be used. Using this option implies
# smtpd_use_tls = yes. (Note: when invoked via "sendmail -bs", STARTTLS
# is never offered due to insufficient privileges to access the private key.
# This is intended behaviour.)

# smtpd_enforce_tls = no

# Besides RFC2487 STARTTLS, some clients, namely Outlook [Express], prefer to
# run the non-standard "wrapper" mode (TLS from the first byte of the
# connection) instead of the STARTTLS enhancement to SMTP.
# This is true for OE on Win32 < 5.0, for OE on Win32 >= 5.0 when run on a
# port != 25, and for OE 5.01 on Mac on all ports.
# It is strictly discouraged to use this mode from main.cf. If you want to
# support this service, enable a special port in master.cf. Port 465 (smtps)
# was once chosen for this feature.

# smtpd_tls_wrappermode = no

# To receive a client certificate, the server must explicitly ask for one.
# Hence Netscape will either complain if no certificate is available (for
# the list of CAs in /etc/postfix/certs) or will offer you client certificates
# to choose from. This might be annoying, so this option is "off" by default.
# You will however need the certificate if you want to e.g. certificate

# smtpd_tls_ask_ccert = no

# You may also decide to REQUIRE a client certificate to allow TLS connections.
# I don't think it will be necessary often, it is however included here for
# completeness. This option implies smtpd_tls_ask_ccert = yes

# Please be aware that this will inhibit TLS connections without a proper
# certificate and only makes sense when normal submission is disabled and
# TLS is enforced (smtpd_enforce_tls). Otherwise clients may bypass it by simply
# not using STARTTLS at all. When TLS is not enforced, the connection will be
# handled as if only smtpd_tls_ask_ccert = yes had been set and an information

# smtpd_tls_req_ccert = no

# The verification depth for client certificates. A depth of 1 is sufficient
# if the certificate is directly issued by a CA listed in the CA locations.
# The default value (5) should also suffice for longer chains (root CA issues
# special CA which then issues the actual certificate...)

# smtpd_tls_ccert_verifydepth = 5

# The server and client negotiate a session, which takes some CPU time
# and network bandwidth. The session is cached only in the smtpd process
# actually using this session and is lost when the process dies.
# To share the session information between the smtpd processes, a disk-based
# session cache can be used, based on the SDBM databases (routines included
# in Postfix/TLS). Since concurrent writing must be supported, only SDBM

smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache

# The cached sessions time out after a certain amount of time. For Postfix/TLS
# I do not use the OpenSSL default of 300sec, but a longer time of 3600sec
# (=1 hour). RFC2246 recommends a maximum of 24 hours.

# smtpd_tls_session_cache_timeout = 3600s

# Two additional options have been added for relay control to the UCE rules:
# permit_tls_clientcerts (a)
# permit_tls_all_clientcerts (b)

# If one of these options is added to
# smtpd_recipient_restrictions,
# postfix will relay if
# (a) a valid (it passed the verification) client certificate is presented
#     and its fingerprint is listed in the list of client certs
#     (relay_clientcerts),
# (b) any valid (it passed the verification) client certificate is presented.

# Option (b) must only be used if a special CA issues the certificates and
# only this CA is listed as trusted CA. If other CAs are trusted, any owner
# of a valid (SSL client) certificate can relay. Option (b) can be practical
# for a specially created email relay. It is however recommended to stay with
# option (a) and list all certificates, as (b) does not permit any control
# when a certificate must no longer be used (e.g. an employee leaving).

# smtpd_recipient_restrictions = ... permit_tls_clientcerts ...

# The list of client certificates for which relaying will be allowed.
# Unfortunately the routines for lists in postfix use whitespace as
# separator and choke on special chars. So using the certificate
# X509ONELINES is quite impractical. We will use the fingerprints at
# this point, as they are difficult to fake but easy to use for lookup.
# As postmap (when using e.g. db) insists on having a pair of key and value,
# but we only need the key, the value can be chosen freely, e.g. the name
# of the user or host:
# D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home

# relay_clientcerts = hash:/etc/postfix/relay_clientcerts
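
The chain assembly described at the top of this section and the relay_clientcerts
table just above, worked through end to end as an added example. This is a shell
script written for this page, not part of Postfix/TLS. It assumes openssl 1.1.1 or
newer on PATH, a scratch directory instead of /etc/postfix, made-up host and CA
names, and that the fingerprint Postfix/TLS logs and expects as lookup key is an MD5
digest (the sample key above has the length of one). The checks on server.pem are
the ones that cause most "TLS engine not available" surprises: an encrypted or
mismatched key, the CA certificate pasted before the server certificate, and a
missing intermediate.

```shell
#!/bin/sh
# Added example, not from the Postfix/TLS page: build a throwaway PKI with
# openssl, assemble server.pem in the order described above (unencrypted key,
# server certificate, issuing CAs), check that it is usable as
# smtpd_tls_cert_file, and derive a relay_clientcerts entry from a client
# certificate. Assumptions: openssl 1.1.1+, MD5 fingerprints, scratch directory.

# issue DIR NAME SUBJECT ISSUER EXTFILE: key + CSR for NAME, signed by ISSUER
issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.csr" -subj "$3" 2>/dev/null || return 1
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -CAcreateserial -days 365 -extfile "$5" -out "$1/$2.pem" 2>/dev/null
}

# build_pki DIR HOST: root CA -> intermediate CA -> server and client certificates
build_pki() {
    d=$1; host=$2
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" > "$d/server.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=root CA" \
        -keyout "$d/root_CA.key" -out "$d/root_CA.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/root_CA.csr" -signkey "$d/root_CA.key" -days 365 \
        -extfile "$d/ca.ext" -out "$d/root_CA.pem" 2>/dev/null || return 1
    issue "$d" intermediate_CA "/CN=intermediate CA" root_CA "$d/ca.ext" || return 1
    issue "$d" server_cert "/CN=$host" intermediate_CA "$d/server.ext" || return 1
    issue "$d" client_cert "/CN=lutzpc.at.home" intermediate_CA "$d/client.ext" || return 1
    # the order Postfix needs: unencrypted key, server certificate, then the issuing CAs
    cat "$d/server_cert.key" "$d/server_cert.pem" "$d/intermediate_CA.pem" "$d/root_CA.pem" > "$d/server.pem"
}

# check_server_pem BUNDLE ROOTCA HOST: 0 if BUNDLE can serve as smtpd_tls_cert_file
# (and smtpd_tls_key_file) for HOST, trusting only ROOTCA
check_server_pem() {
    b=$1; root=$2; host=$3; tmp=$(mktemp -d); rc=1
    # 1. the private key must be in the bundle and unencrypted: smtpd cannot ask for a passphrase
    if ! grep -q 'PRIVATE KEY-----' "$b"; then echo "$b: no private key"
    elif grep -q -e 'BEGIN ENCRYPTED' -e 'Proc-Type: 4,ENCRYPTED' "$b"; then echo "$b: private key is encrypted"
    else
        # 2. certificates only; the first one must be the server's, not a CA's
        awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' "$b" > "$tmp/chain.pem"
        openssl x509 -in "$tmp/chain.pem" -out "$tmp/leaf.pem" 2>/dev/null
        case $(openssl x509 -in "$tmp/leaf.pem" -noout -subject -nameopt RFC2253 2>/dev/null) in
            *"CN=$host"*)
                # 3. the key must belong to that certificate
                if [ "$(openssl pkey -in "$b" -pubout 2>/dev/null)" != "$(openssl x509 -in "$tmp/leaf.pem" -noout -pubkey)" ]; then
                    echo "$b: private key does not match the first certificate"
                # 4. the documented test: verify for the sslserver purpose with ROOTCA as the
                #    only trust anchor; the intermediates must come from the bundle itself
                elif openssl verify -purpose sslserver -CAfile "$root" -untrusted "$tmp/chain.pem" "$tmp/leaf.pem" >/dev/null 2>&1; then
                    rc=0
                else
                    echo "$b: chain does not verify for purpose sslserver"
                fi ;;
            *) echo "$b: first certificate is not for $host (wrong order?)" ;;
        esac
    fi
    rm -rf "$tmp"
    return $rc
}

# client_fingerprint CERT: the fingerprint as it is used as key in relay_clientcerts
client_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -md5 | sed 's/^.*=//'
}

# relay_permitted TABLE VERIFIED CERT: models permit_tls_clientcerts, which needs
# a certificate that passed verification AND a fingerprint listed in the table
relay_permitted() {
    [ "$2" = yes ] || return 1
    fp=$(client_fingerprint "$3")
    awk -v fp="$fp" 'toupper($1) == fp { found = 1 } END { exit !found }' "$1"
}

WORK=$(mktemp -d)
build_pki "$WORK" server.dom.ain || exit 1
check_server_pem "$WORK/server.pem" "$WORK/root_CA.pem" server.dom.ain && echo "server.pem: usable"
# relay_clientcerts: the key is the fingerprint, the value is free text (here the owner)
printf '%s lutzpc.at.home\n' "$(client_fingerprint "$WORK/client_cert.pem")" > "$WORK/relay_clientcerts"
cat "$WORK/relay_clientcerts"
relay_permitted "$WORK/relay_clientcerts" yes "$WORK/client_cert.pem" && echo "client may relay"
```

check_server_pem deliberately passes only the root CA as trust anchor, so a
server.pem that was built without the intermediate fails here exactly as it would
fail for a client that trusts only the root; putting the intermediate into
smtpd_tls_CAfile instead (as the text above allows) is the other way to make the
chain complete. relay_permitted returns false for an unverified certificate no
matter what the table says, which is the property both UCE options depend on.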

# To influence the cipher selection scheme, you can give a cipherlist string.
# A detailed description would go too far here, please refer to the openssl
# If you don't know what to do with it, simply don't touch it and leave the
# (openssl-)compiled-in default!

# DO NOT USE " to enclose the string, just the string!!!

# smtpd_tls_cipherlist = DEFAULT

# If you want to take advantage of ciphers with EDH, DH parameters are needed.
# There are built-in DH parameters for both 1024bit and 512bit available. It
# is however better to have "own" parameters, since otherwise it would "pay"
# for a possible attacker to start a brute force attack against these
# parameters commonly used by everybody. For this reason, the parameters
# chosen are already different from those distributed with other TLS packages.

# To generate your own set of parameters, use
# openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
# openssl gendh -out /etc/postfix/dh_512.pem -2 -rand /var/run/egd-pool 512
# (your source for "entropy" might vary; on Linux there is /dev/random, on
# other systems you might consider the "Entropy Gathering Daemon EGD",
# available at http://www.lothar.com/tech/crypto/.)

smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem

# The smtpd_starttls_timeout parameter limits the time in seconds for write and
# read operations during the TLS start and stop handshake procedures.

# smtpd_starttls_timeout = 300s

<h2>main.cf: smtp (client) specific variables</h2>

# During the startup negotiation we might present a certificate to the server.
# Netscape is rather clever here and lets the user select between only those
# certs that will match the CAs accepted by the server. As I simply use
# the integrated "SSL_connect()" from the OpenSSL package, this is not
# possible by now and we have to choose just one cert.
# So for now the default is to use _no_ cert and key unless explicitly
# set here. It is possible to use the same key/cert pair as for the server.
# If a cert is to be presented, it must be in "pem" format, the private key
# must not be encrypted, that is: it must be accessible without a
# password. Both parts (certificate and private key) may be in the

# In order to check the certificates, the CA certificate (in case of a
# certificate chain, all CA certificates) must be available.
# You should add these certificates to the client certificate, the client
# certificate first, then the issuing CA(s).

# Example: the certificate for "client.dom.ain" was issued by "intermediate CA"
# which itself has a certificate of "root CA". Create the client.pem file by
# 'cat client_cert.pem intermediate_CA.pem root_CA.pem > client.pem'

# If you want to accept certificates issued by these CAs yourself, you can
# also add the CA certificates to the smtp_tls_CAfile, in which case it is
# not necessary to have them in the smtp_tls_[d]cert_file.

# A certificate supplied here must be usable as SSL client certificate and
# hence pass the "openssl verify -purpose sslclient ..." test.

smtp_tls_cert_file = /etc/postfix/client.pem
smtp_tls_key_file = $smtp_tls_cert_file

# The certificate was issued by a certification authority (CA), the CA cert
# of which must be available, if not in the certificate file.
# This file may also contain the CA certificates of other trusted CAs.
# You must use this file for the list of trusted CAs if you want to use
# chroot mode. No default is supplied for this value as of now.

smtp_tls_CAfile = /etc/postfix/CAcert.pem

# To verify the peer certificate, we need to know the certificates of
# certification authorities. These certificates in "pem" format are
# collected in a directory. Don't forget to create the necessary "hash"
# links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical
# place for the CA certs may also be $OPENSSL_HOME/certs, so there is
# no default and you explicitly have to set the value here!

# To use this option in chroot mode, this directory itself or a copy of it
# must be inside the chroot jail.

smtp_tls_CApath = /etc/postfix/certs

# To get additional information during the TLS setup and negotiations
# you can increase the loglevel from 0..4:
# 0: No output about the TLS subsystem
# 1: Printout of startup and certificate information
# 2: 1 + Printout of levels during negotiation
# 3: 2 + Hex and ASCII dump of the negotiation process
# 4: 3 + Hex and ASCII dump of the complete transmission after STARTTLS
# Use loglevel 3 only in case of problems. Use of loglevel 4 is strongly

smtp_tls_loglevel = 0

# The server and client negotiate a session, which takes some CPU time
# and network bandwidth. The session is cached only in the smtp process
# actually using this session and is lost when the process dies.
# To share the session information between the smtp processes, a disk-based
# session cache can be used, based on the SDBM databases (routines included
# in Postfix/TLS). Since concurrent writing must be supported, only SDBM

smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache

# The cached sessions time out after a certain amount of time. For Postfix/TLS
# I do not use the OpenSSL default of 300sec, but a longer time of 3600sec
# (=1 hour). RFC2246 recommends a maximum of 24 hours.

# smtp_tls_session_cache_timeout = 3600s

# By default TLS is disabled, so no difference to plain postfix is visible.
# If you enable TLS it will be used when offered by the server.
# WARNING: I didn't have access to other software (except those explicitly
# listed) to test the interaction. On the corresponding mailing list
# there was a discussion going on about MS Exchange servers offering
# STARTTLS even if it is not configured, so it might be wise to not
# use this option on your central mail hub, as you don't know in advance
# whether you are going to hit such a host. Use the recipient/site specific

# HINT: I have it switched on on my mailservers and did experience one
# single failure since client side TLS is implemented. (There was one
# misconfigured MS Exchange server; I contacted the admin.) Hence, I am happy
# with it running all the time, but I am interested in testing anyway.
# You have been warned, however :-)

# In case of failure, a "4xx" code is issued and the mail stays in the queue.

# Explicitly switch it on here, if you want it.

# You can ENFORCE the use of TLS, so that only connections with TLS will
# be accepted. Additionally, the hostname of the receiving host is matched
# against the CommonName in the certificate. Also, the certificate must
# be verified "Ok", so that a CA trusted by the client must have issued
# the certificate. If the certificate doesn't verify or the hostname doesn't
# match, a "4xx" will be issued and the mail stays in the queue.
# The hostname used in the check is beyond question, as it must be the
# principal hostname (no CNAME allowed here). Checks are performed against
# all names provided as dNSNames in the SubjectAlternativeName. If no
# dNSNames are specified, the CommonName is checked.
# The behaviour may be changed with the smtp_tls_enforce_peername option

# This option is useful only if you are definitely sure that you will only
# connect to servers supporting RFC2487 _and_ with valid certificates.
# I use it for my clients which will only send email to one mailhub, which
# does offer the necessary STARTTLS support.

# smtp_enforce_tls = no

# As of RFC2487 the requirements for hostname checking for MTA clients are
# not set. When in smtp_enforce_tls mode, the option smtp_tls_enforce_peername
# can be set to "no" to disable strict peername checking. In this case, the
# mail delivery will be continued if a TLS connection was established
# _and_ the peer certificate passed verification _but_ regardless of the
# CommonName listed in the certificate. This option only applies to the
# default smtp_enforce_tls mode; special settings in the
# smtp_tls_per_site table override smtp_tls_enforce_peername.

# This can make sense in a closed environment where special CAs are created.
# If not used carefully, this option opens the danger of a "man-in-the-middle"
# attack: any certificate issued by a trusted CA is then accepted, whatever
# name it carries (the CommonName of this attacker is logged).

# smtp_tls_enforce_peername = yes

# As generally trying TLS can be a bad idea (some hosts offer STARTTLS but
# the negotiation will fail, leading to unexplainable failures), it may be
# a good idea to decide based on the recipient or the mailhub to which you are

# Deciding per recipient may be difficult, since a single email can have
# several recipients. We use the "nexthop" mechanism inside postfix.
# When an email is to be delivered, the "nexthop" is obtained. If it matches
# an entry in the smtp_tls_per_site list, appropriate action is taken.
# Since entries in the transport table or the use of a relay_host override
# the nexthop setting, in these cases the relay_host etc. must be listed
# in the table. In any case, the hostname of the peer to be contacted is
# also looked up (that is: the MX or the name of the host, if no MX is given).

# Special hint for enforcement mode:
# Since there is no secure mechanism for DNS lookups available, the
# recommended setup is: put the sensitive domains with their mailhost
# into the transport table (since you can assure the security of this table,
# unlike DNS), then set MUST mode for this mailhost.

# Format of the table:
# The key entries are on the left hand side, no wildcards allowed. On the
# right hand side the keywords NONE (don't use TLS at all), MAY (try to use
# STARTTLS if offered, no problem if not), MUST (enforce usage of STARTTLS,
# check server certificate CommonName against server FQDN), MUST_NOPEERMATCH
# (enforce usage of STARTTLS and verify certificate, but ignore differences
# between CommonName and server FQDN).

# important.host MUST
# some.host.dom.ain MUST_NOPEERMATCH

# If an entry is not matched, the default policy is applied; if the default
# policy is "enforce", NONE explicitly switches it off, otherwise the
# "enforce" mode is used even for MAY entries.

smtp_tls_per_site = hash:/etc/postfix/tls_per_site

# The verification depth for server certificates. A depth of 1 is sufficient
# if the certificate is directly issued by a CA listed in the CA locations.
# The default value (5) should also suffice for longer chains (root CA issues
# special CA which then issues the actual certificate...)

# smtp_tls_scert_verifydepth = 5

# As we decide on a "per site" basis whether to use TLS or not, it would be
# good to have a list of sites that offered "STARTTLS". We can collect it
# ourselves with this option.

# If activated and TLS is not already enabled for this host, a line is added
# postfix/smtp[pid]: Host offered STARTTLS: [name.of.host]

smtp_tls_note_starttls_offer = yes
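
The per-site policy rules above (how an entry combines with the global enforce
setting, and how the server name is checked against dNSNames or the CommonName)
and the "Host offered STARTTLS" log line, as an added example written for this
page; this is not Postfix/TLS code. It assumes smtp_use_tls is the client-side
counterpart of smtpd_use_tls, an exact-match name check, and a constructed table
and log. tls_policy is called with the nexthop; call it again with the MX host
name where the text above says both are looked up.

```shell
#!/bin/sh
# Added example, not from the Postfix/TLS page: evaluate the client-side TLS
# policy for one key of the smtp_tls_per_site table, decide whether a
# delivery proceeds, and harvest "Host offered STARTTLS" log lines into
# MAY entries. Assumptions: smtp_use_tls exists as the client counterpart of
# smtpd_use_tls; table and log lines below are constructed for the example.

# per_site_lookup TABLE KEY: policy keyword for KEY, empty if unmatched (exact keys, no wildcards)
per_site_lookup() {
    awk -v k="$2" '$1 == k { print toupper($2); exit }' "$1"
}

# tls_policy TABLE KEY USE_TLS ENFORCE_TLS ENFORCE_PEERNAME -> NONE|MAY|MUST|MUST_NOPEERMATCH
tls_policy() {
    entry=$(per_site_lookup "$1" "$2")
    if [ "$4" = yes ]; then enforce=MUST; [ "$5" = yes ] || enforce=MUST_NOPEERMATCH; else enforce=; fi
    case "$entry" in
        NONE) echo NONE ;;                        # explicitly off, even under global enforcement
        MUST|MUST_NOPEERMATCH) echo "$entry" ;;
        MAY) echo "${enforce:-MAY}" ;;            # under global enforcement MAY still enforces
        "")  if [ -n "$enforce" ]; then echo "$enforce"
             elif [ "$3" = yes ]; then echo MAY
             else echo NONE; fi ;;
        *) echo "unknown policy '$entry' for $2" >&2; return 1 ;;
    esac
}

# peername_ok HOST DNSNAMES CN: dNSNames win when present, otherwise the CommonName
peername_ok() {
    names=$2
    [ -n "$names" ] || names=$3
    for n in $names; do [ "$n" = "$1" ] && return 0; done
    return 1
}

# delivery_decision POLICY OFFERED VERIFIED HOST DNSNAMES CN
# -> deliver-tls | deliver-plain | defer (a 4xx: the mail stays in the queue)
delivery_decision() {
    case $1 in
        NONE) echo deliver-plain ;;
        MAY)  [ "$2" = yes ] && echo deliver-tls || echo deliver-plain ;;
        MUST|MUST_NOPEERMATCH)
            [ "$2" = yes ] && [ "$3" = yes ] || { echo defer; return 0; }
            if [ "$1" = MUST ] && ! peername_ok "$4" "$5" "$6"; then echo defer; else echo deliver-tls; fi ;;
        *) echo defer ;;
    esac
}

# harvest_starttls_offers LOG TABLE: hosts logged as offering STARTTLS and not yet
# in TABLE, as MAY lines ready to be appended to the table
harvest_starttls_offers() {
    sed -n 's/.*Host offered STARTTLS: \[\([^]]*\)\].*/\1 MAY/p' "$1" | sort -u \
        | awk 'FILENAME == ARGV[1] { have[$1]; next } !($1 in have)' "$2" -
}

WORK=$(mktemp -d)
cat > "$WORK/tls_per_site" <<'EOF'
important.host        MUST
some.host.dom.ain     MUST_NOPEERMATCH
legacy.dom.ain        NONE
EOF
cat > "$WORK/maillog" <<'EOF'
Jan  5 10:01:12 mx postfix/smtp[1234]: Host offered STARTTLS: [mail.partner.example]
Jan  5 10:01:40 mx postfix/smtp[1240]: Host offered STARTTLS: [important.host]
Jan  5 10:02:05 mx postfix/smtp[1251]: Host offered STARTTLS: [mail.partner.example]
EOF
echo "new candidates for the table:"; harvest_starttls_offers "$WORK/maillog" "$WORK/tls_per_site"
pol=$(tls_policy "$WORK/tls_per_site" important.host yes no yes)
echo "important.host: $pol -> $(delivery_decision "$pol" yes yes important.host "mx1.important.host" important.host)"
```

The last line is the case the text warns about: the certificate's dNSName is
mx1.important.host, so the CommonName is never consulted and MUST defers the
mail; a MUST_NOPEERMATCH entry would deliver. A MAY decision never defers on a
missing STARTTLS offer, which is exactly why only MUST protects against a
downgrade by an active attacker.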

# To influence the cipher selection scheme, you can give a cipherlist string.
# A detailed description would go too far here, please refer to the openssl
# If you don't know what to do with it, simply don't touch it and leave the
# (openssl-)compiled-in default!

# DO NOT USE " to enclose the string, just the string!!!

# smtp_tls_cipherlist = DEFAULT

# The smtp_starttls_timeout parameter limits the time in seconds for write and
# read operations during the TLS start and stop handshake procedures.

# In case of problems the client does NOT try the next address on
# the mail exchanger list.

# smtp_starttls_timeout = 300s

<h2>SASL related variables</h2>

# The smtpd_sasl_tls_security_options parameter controls what authentication
# mechanisms the Postfix SMTP server will offer to the client, in case the
# connection is protected by a TLS encrypted session.
# This parameter allows you to provide for example plaintext authentication
# that otherwise would not be allowed without encryption.
# The default is to use the same settings as in the unencrypted case.

# Warning: this option only works against passive (eavesdropping) attacks.
# An active attacker (man in the middle) may modify the AUTH options offered
# and/or remove the STARTTLS offer from the EHLO response. Protection against
# active attackers is only possible by enforcing TLS at the client side.

#smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options

# Sending AUTH data over an unencrypted channel poses a security risk. When
# smtpd_enforce_tls is set, AUTH will only be announced and accepted
# once the TLS layer has been activated via the STARTTLS protocol. If
# TLS layer encryption is optional, it may however still be useful to only
# offer AUTH if TLS is active. To not break compatibility with unpatched
# postfix versions, the default is to accept AUTH without encryption. In
# order to change this behaviour, set smtpd_tls_auth_only = yes.
# THIS OPTION ONLY WORKS WITH SSL/TLS SUPPORT COMPILED IN.

#smtpd_tls_auth_only = yes
smtpd_tls_auth_only = no

# The smtp_sasl_tls_security_options parameter controls what authentication
# mechanisms the local Postfix SMTP client is allowed to use if the session
# is encrypted via TLS. This provides the option to permit plaintext passwords
# that otherwise could not be used.

# The settings allowed are the same as for the non-encrypted sessions
# (smtp_sasl_security_options).

# Warning, Warning, Warning: This option only works against passive
# (eavesdropping) attacks. An active attacker (man in the middle) may provide
# a TLS capable server (proxy) and in such a way obtain the password
# information. The only way to prevent a man in the middle att
# ack is to check
# the hostname of the server presented in the certificate. This is assured
# in the (preferably used) smtp_sasl_tls_verified_security_options case.

#smtp_sasl_tls_security_options =
smtp_sasl_tls_security_options = $smtp_sasl_security_options

# The smtp_sasl_tls_verified_security_options parameter controls what
# authentication mechanisms the local Postfix SMTP client is allowed to use
# if the session is encrypted via TLS _and_ the server has proven its
# identity (expected hostname matches certificate, verification successful).
# This provides the option to permit plaintext passwords that otherwise could

# The settings allowed are the same as for the non-encrypted sessions
# (smtp_sasl_security_options).

#smtp_sasl_tls_verified_security_options =
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
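
The three option tiers above, applied to a concrete mechanism list, as an added
example written for this page (not Postfix/TLS code). Mechanism classes follow
Cyrus SASL, where PLAIN and LOGIN are plaintext and ANONYMOUS is anonymous;
the option values in the calls are chosen for the illustration, the parameter
semantics are the ones described above.

```shell
#!/bin/sh
# Added example, not from the Postfix/TLS page: which SASL mechanisms the
# server announces, and which the client may use, depending on whether TLS
# is active and whether the server's identity was verified. Option values
# here are illustrative; noplaintext/noanonymous have their Cyrus SASL meaning.

# mech_class MECH: the property class a "no<class>" option removes
mech_class() {
    case $1 in PLAIN|LOGIN) echo plaintext ;; ANONYMOUS) echo anonymous ;; *) echo shared-secret ;; esac
}

# filter_mechs OPTIONS MECH...: keep the mechanisms a "noplaintext,noanonymous" style list allows
filter_mechs() {
    opts=$1; shift; out=
    for m in "$@"; do
        case ",$opts," in *",no$(mech_class "$m"),"*) continue ;; esac
        out="$out${out:+ }$m"
    done
    echo "$out"
}

# server_auth_offer TLS_ACTIVE AUTH_ONLY SASL_OPTS SASL_TLS_OPTS
# -> mechanisms listed in the EHLO AUTH line, empty when AUTH is not announced at all
server_auth_offer() {
    if [ "$1" = yes ]; then opts=$4                        # smtpd_sasl_tls_security_options
    elif [ "$2" = yes ]; then echo ""; return 0            # smtpd_tls_auth_only: no AUTH before STARTTLS
    else opts=$3; fi                                       # smtpd_sasl_security_options
    filter_mechs "$opts" PLAIN LOGIN ANONYMOUS CRAM-MD5 DIGEST-MD5
}

# client_allowed TLS_ACTIVE PEER_VERIFIED PLAIN_OPTS TLS_OPTS VERIFIED_OPTS
# -> mechanisms the client may use against this server
client_allowed() {
    if [ "$1" = yes ] && [ "$2" = yes ]; then opts=$5      # smtp_sasl_tls_verified_security_options
    elif [ "$1" = yes ]; then opts=$4                      # smtp_sasl_tls_security_options
    else opts=$3; fi                                       # smtp_sasl_security_options
    filter_mechs "$opts" PLAIN LOGIN CRAM-MD5 DIGEST-MD5
}

echo "server, plain session, auth_only=no:  $(server_auth_offer no  no noplaintext,noanonymous noanonymous)"
echo "server, plain session, auth_only=yes: $(server_auth_offer no  yes noplaintext,noanonymous noanonymous)"
echo "server, TLS session:                  $(server_auth_offer yes no noplaintext,noanonymous noanonymous)"
echo "client, TLS, peer not verified:       $(client_allowed yes no  noplaintext noplaintext '')"
echo "client, TLS, peer verified:           $(client_allowed yes yes noplaintext noplaintext '')"
```

The client settings in the last two lines are the arrangement the text
recommends: plaintext stays forbidden for an unverified TLS peer, because a
man-in-the-middle proxy with any certificate would otherwise harvest the password,
and is allowed only in the verified tier. Note that the server-side filtering
alone cannot stop that attacker, who controls the EHLO response the real client
sees.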

<h2>main.cf: general variables</h2>

# In order to seed the PRNG (Pseudo Random Number Generator), random data is
# needed. The PRNG pool is maintained by the "tlsmgr" daemon and is used
# (read) by the smtp[d] processes after adding some more entropy by stirring
# in time and process id.
# The file, which is from time to time rewritten by the tlsmgr, is created
# if it does not exist. A default value is given; the file should probably
# be on the /var partition but _not_ inside the chroot jail.

# tls_random_exchange_name = /etc/postfix/prng_exch

# To feed the PRNG pool, entropy is read from an external source,
# both at startup and during run.
# Specify a good entropy source here, like EGD or /dev/urandom; make sure
# to only use non-blocking sources.
# In both cases, 32 bytes are read at each re-seeding event (which is an
# amount of 256 bits and hence good enough for 128bit symmetric keys).
# You must specify the type of source: "dev:" for a device special file
# or "egd:" for a source with EGD compatible socket interface. A maximum of
# 255 bytes is read from these sources in each step.
# If you specify a normal file, a larger amount of data can be read.

# The entropy source is queried again after a certain amount of time. The
# time is calculated using the PRNG, it is between 0 and the time specified,
# default is a maximum of 1 hour.

# tls_random_source = dev:/dev/urandom
tls_random_source = egd:/var/run/egd-pool
# tls_random_bytes = 32
# tls_random_reseed_period = 3600s

# The PRNG pool inside tlsmgr is used to re-generate the 1024 byte file
# being read by smtp[d]. The time after which the exchange file is
# rewritten is calculated using the PRNG, it is between 0 and the time
# specified, default is a maximum of 60 seconds.

# tls_random_upd_period = 60s

# If you have an entropy source available that is not easily drained (like
# /dev/urandom), the daemons can also load additional entropy on startup from
# the source specified. By default an amount of 32 bytes is read, the
# equivalent of 256 bits. This is more than enough to generate a 128bit
# (or 168bit) session key, but we may have to generate more than one.
# Usage of this option may drain EGD (consider the case of 50 smtp processes
# starting up with a full queue and "postfix start", which will request
# 1600 bytes of entropy). This is however not fatal, as long as "entropy"
# data could be read from the exchange file.

# tls_daemon_random_source = dev:/dev/urandom
tls_daemon_random_source = egd:/var/run/egd-pool
# tls_daemon_random_bytes = 32

<h2>master.cf: tlsmgr daemon</h2>

If you don't have a /dev/urandom device and/or use session caching,
you must run the "tlsmgr" daemon (see conf/master.cf). The tlsmgr
will contact entropy sources on startup and keep the connection open,
so that it can be chrooted and can drop privileges.

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (50)
# ==========================================================================
tlsmgr    fifo  -       -       y       300     1       tlsmgr

<h2>master.cf: additional services</h2>

It can be useful to have postfix listen on additional ports, namely
"submission"=587 for email submission as defined in RFC2476; this
is especially useful if you want to allow AUTH with plaintext
passwords (PLAIN, LOGIN) and hence run on a port with encryption
enforcement. Another useful port may be "smtps"=465, which was
intended for TLS wrapping and is still used by Outlook (Express).

<p>Both example entries already contain the flags to enable SASL
authentication (which may be disabled on the normal port). Since
the actual service names are used, smtps and submission must be
defined in /etc/services (and probably also in
/var/spool/postfix/etc/services if chrooted)!!! (Use the port
numbers otherwise.)</p>

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (50)
# ==========================================================================
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
submission inet n       -       y       -       -       smtpd
  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes