11
\fBtlsproxy\fR [generic Postfix daemon options]
15
The \fBtlsproxy\fR(8) server implements a server-side TLS
16
proxy. It is used by \fBpostscreen\fR(8) to talk SMTP-over-TLS
17
with remote SMTP clients whose whitelist status has expired,
18
but it should also work for non-SMTP protocols.
20
Although one \fBtlsproxy\fR(8) process can serve multiple
21
sessions at the same time, it is a good idea to allow the
22
number of processes to increase with load, so that the
23
service remains responsive.
24
.SH "PROTOCOL EXAMPLE"
29
The example below concerns \fBpostscreen\fR(8). However,
30
the \fBtlsproxy\fR(8) server is agnostic of the application
31
protocol, and the example is easily adapted to other
34
The \fBpostscreen\fR(8) server sends the remote SMTP client
35
endpoint string, the requested role (server), and the
36
requested timeout to \fBtlsproxy\fR(8). \fBpostscreen\fR(8)
37
then receives a "TLS available" indication from \fBtlsproxy\fR(8).
38
If the TLS service is available, \fBpostscreen\fR(8) sends
39
the remote SMTP client file descriptor to \fBtlsproxy\fR(8),
40
and sends the plaintext 220 greeting to the remote SMTP
41
client. This triggers TLS negotiations between the remote
42
SMTP client and \fBtlsproxy\fR(8). Upon completion of the
43
TLS-level handshake, \fBtlsproxy\fR(8) translates between
44
plaintext from/to \fBpostscreen\fR(8) and ciphertext to/from
45
the remote SMTP client.
51
The \fBtlsproxy\fR(8) server is moderately security-sensitive.
52
It talks to untrusted clients on the network. The process
53
can be run chrooted at fixed low privilege.
57
Problems and transactions are logged to \fBsyslogd\fR(8).
58
.SH "CONFIGURATION PARAMETERS"
63
Changes to \fBmain.cf\fR are not picked up automatically,
64
as \fBtlsproxy\fR(8) processes may run for a long time
65
depending on mail server load. Use the command "\fBpostfix
66
reload\fR" to speed up a change.
68
The text below provides only a parameter summary. See
69
\fBpostconf\fR(5) for more details including examples.
70
.SH "STARTTLS SUPPORT CONTROLS"
75
.IP "\fBtlsproxy_tls_CAfile ($smtpd_tls_CAfile)\fR"
76
A file containing (PEM format) CA certificates of root CAs
77
trusted to sign either remote SMTP client certificates or intermediate
79
.IP "\fBtlsproxy_tls_CApath ($smtpd_tls_CApath)\fR"
80
A directory containing (PEM format) CA certificates of root CAs
81
trusted to sign either remote SMTP client certificates or intermediate
83
.IP "\fBtlsproxy_tls_always_issue_session_ids ($smtpd_tls_always_issue_session_ids)\fR"
84
Force the Postfix \fBtlsproxy\fR(8) server to issue a TLS session id,
85
even when TLS session caching is turned off.
86
.IP "\fBtlsproxy_tls_ask_ccert ($smtpd_tls_ask_ccert)\fR"
87
Ask a remote SMTP client for a client certificate.
88
.IP "\fBtlsproxy_tls_ccert_verifydepth ($smtpd_tls_ccert_verifydepth)\fR"
89
The verification depth for remote SMTP client certificates.
90
.IP "\fBtlsproxy_tls_cert_file ($smtpd_tls_cert_file)\fR"
91
File with the Postfix \fBtlsproxy\fR(8) server RSA certificate in PEM
93
.IP "\fBtlsproxy_tls_ciphers ($smtpd_tls_ciphers)\fR"
94
The minimum TLS cipher grade that the Postfix \fBtlsproxy\fR(8) server
95
will use with opportunistic TLS encryption.
96
.IP "\fBtlsproxy_tls_dcert_file ($smtpd_tls_dcert_file)\fR"
97
File with the Postfix \fBtlsproxy\fR(8) server DSA certificate in PEM
99
.IP "\fBtlsproxy_tls_dh1024_param_file ($smtpd_tls_dh1024_param_file)\fR"
100
File with DH parameters that the Postfix \fBtlsproxy\fR(8) server
101
should use with EDH ciphers.
102
.IP "\fBtlsproxy_tls_dh512_param_file ($smtpd_tls_dh512_param_file)\fR"
103
File with DH parameters that the Postfix \fBtlsproxy\fR(8) server
104
should use with EDH ciphers.
105
.IP "\fBtlsproxy_tls_dkey_file ($smtpd_tls_dkey_file)\fR"
106
File with the Postfix \fBtlsproxy\fR(8) server DSA private key in PEM
108
.IP "\fBtlsproxy_tls_eccert_file ($smtpd_tls_eccert_file)\fR"
109
File with the Postfix \fBtlsproxy\fR(8) server ECDSA certificate in
111
.IP "\fBtlsproxy_tls_eckey_file ($smtpd_tls_eckey_file)\fR"
112
File with the Postfix \fBtlsproxy\fR(8) server ECDSA private key in
114
.IP "\fBtlsproxy_tls_eecdh_grade ($smtpd_tls_eecdh_grade)\fR"
115
The Postfix \fBtlsproxy\fR(8) server security grade for ephemeral
116
elliptic-curve Diffie-Hellman (EECDH) key exchange.
117
.IP "\fBtlsproxy_tls_exclude_ciphers ($smtpd_tls_exclude_ciphers)\fR"
118
List of ciphers or cipher types to exclude from the \fBtlsproxy\fR(8)
119
server cipher list at all TLS security levels.
120
.IP "\fBtlsproxy_tls_fingerprint_digest ($smtpd_tls_fingerprint_digest)\fR"
121
The message digest algorithm used to construct client-certificate
123
.IP "\fBtlsproxy_tls_key_file ($smtpd_tls_key_file)\fR"
124
File with the Postfix \fBtlsproxy\fR(8) server RSA private key in PEM
126
.IP "\fBtlsproxy_tls_loglevel ($smtpd_tls_loglevel)\fR"
127
Enable additional Postfix \fBtlsproxy\fR(8) server logging of TLS
129
.IP "\fBtlsproxy_tls_mandatory_ciphers ($smtpd_tls_mandatory_ciphers)\fR"
130
The minimum TLS cipher grade that the Postfix \fBtlsproxy\fR(8) server
131
will use with mandatory TLS encryption.
132
.IP "\fBtlsproxy_tls_mandatory_exclude_ciphers ($smtpd_tls_mandatory_exclude_ciphers)\fR"
133
Additional list of ciphers or cipher types to exclude from the
134
\fBtlsproxy\fR(8) server cipher list at mandatory TLS security levels.
135
.IP "\fBtlsproxy_tls_mandatory_protocols ($smtpd_tls_mandatory_protocols)\fR"
136
The SSL/TLS protocols accepted by the Postfix \fBtlsproxy\fR(8) server
137
with mandatory TLS encryption.
138
.IP "\fBtlsproxy_tls_protocols ($smtpd_tls_protocols)\fR"
139
List of TLS protocols that the Postfix \fBtlsproxy\fR(8) server will
140
exclude or include with opportunistic TLS encryption.
141
.IP "\fBtlsproxy_tls_req_ccert ($smtpd_tls_req_ccert)\fR"
142
With mandatory TLS encryption, require a trusted remote SMTP
143
client certificate in order to allow TLS connections to proceed.
144
.IP "\fBtlsproxy_tls_security_level ($smtpd_tls_security_level)\fR"
145
The SMTP TLS security level for the Postfix \fBtlsproxy\fR(8) server;
146
when a non-empty value is specified, this overrides the obsolete
147
parameters smtpd_use_tls and smtpd_enforce_tls.
148
.IP "\fBtlsproxy_tls_session_cache_timeout ($smtpd_tls_session_cache_timeout)\fR"
149
The expiration time of Postfix \fBtlsproxy\fR(8) server TLS session
151
.SH "OBSOLETE STARTTLS SUPPORT CONTROLS"
156
These parameters are supported for compatibility with
157
\fBsmtpd\fR(8) legacy parameters.
158
.IP "\fBtlsproxy_use_tls ($smtpd_use_tls)\fR"
159
Opportunistic TLS: announce STARTTLS support to SMTP clients,
160
but do not require that clients use TLS encryption.
161
.IP "\fBtlsproxy_enforce_tls ($smtpd_enforce_tls)\fR"
162
Mandatory TLS: announce STARTTLS support to SMTP clients, and
163
require that clients use TLS encryption.
164
.SH "RESOURCE CONTROLS"
169
.IP "\fBtlsproxy_watchdog_timeout (10s)\fR"
170
How much time a \fBtlsproxy\fR(8) process may take to process local
171
or remote I/O before it is terminated by a built-in watchdog timer.
172
.SH "MISCELLANEOUS CONTROLS"
177
.IP "\fBconfig_directory (see 'postconf -d' output)\fR"
178
The default location of the Postfix main.cf and master.cf
180
.IP "\fBprocess_id (read-only)\fR"
181
The process ID of a Postfix command or daemon process.
182
.IP "\fBprocess_name (read-only)\fR"
183
The process name of a Postfix command or daemon process.
184
.IP "\fBsyslog_facility (mail)\fR"
185
The syslog facility of Postfix logging.
186
.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
187
The mail system name that is prepended to the process name in syslog
188
records, so that "smtpd" becomes, for example, "postfix/smtpd".
192
postscreen(8), Postfix zombie blocker
193
smtpd(8), Postfix SMTP server
194
postconf(5), configuration parameters
195
syslogd(5), system logging
201
The Secure Mailer license must be distributed with this software.
207
This service was introduced with Postfix version 2.8.
212
IBM T.J. Watson Research
214
Yorktown Heights, NY 10598, USA
added
removed
man/man8/tlsproxy.8
