<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel='stylesheet' type='text/css' href='postfix-doc.css'>
<title> Postfix manual - tlsmgr(8) </title>
</head> <body> <pre>
TLSMGR(8)                                                            TLSMGR(8)

<b>NAME</b>
       tlsmgr - Postfix TLS session cache and PRNG manager

<b>SYNOPSIS</b>
       <b>tlsmgr</b> [generic Postfix daemon options]

<b>DESCRIPTION</b>
       The  <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>  manages  the Postfix TLS session caches.  It stores and
       retrieves cache entries on request by <a href="smtpd.8.html"><b>smtpd</b>(8)</a> and  <a href="smtp.8.html"><b>smtp</b>(8)</a>  processes,
       and periodically removes entries that have expired.

       The  <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>  also  manages the PRNG (pseudo random number generator)
       pool. It answers queries by the <a href="smtpd.8.html"><b>smtpd</b>(8)</a> and <a href="smtp.8.html"><b>smtp</b>(8)</a> processes to  seed
       their internal PRNG pools.

       The  <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>'s  PRNG pool is initially seeded from an external source
       (EGD, /dev/urandom, or regular file).  It is  updated  at  configurable
       pseudo-random  intervals  with  data  from  the  external source. It is
       updated periodically with data from TLS session cache entries and  with
       the time of day, and is updated with the time of day whenever a process
       requests <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service.

       The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> saves the PRNG state to an exchange file periodically and
       when  the process terminates, and reads the exchange file when initial-
       izing its PRNG.

<b>SECURITY</b>
       The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> is not security-sensitive. The code  that  maintains  the
       external  and  internal  PRNG  pools  does not "trust" the data that it
       manipulates, and the code that maintains the TLS session cache does not
       touch the contents of the cached entries, except for seeding its inter-
       nal PRNG pool.

       The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> can be run chrooted  and  with  reduced  privileges.   At
       process  startup  it  connects to the entropy source and exchange file,
       and creates or truncates the optional TLS session cache files.

       With Postfix version 2.5 and later, the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> no longer  uses  root
       privileges  when  opening cache files. These files should now be stored
       under the Postfix-owned <b><a href="postconf.5.html#data_directory">data_directory</a></b>.  As a migration aid, an attempt
       to open a cache file under a non-Postfix directory is redirected to the
       Postfix-owned <b><a href="postconf.5.html#data_directory">data_directory</a></b>, and a warning is logged.
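       As an added example (not part of the Postfix manual or its code), a small
       POSIX shell audit that applies the rule above: it reads postconf-style
       "name = value" lines (a constructed sample is embedded in place of a real
       "postconf" run) and reports any TLS session cache file that is not under
       data_directory, which is the case tlsmgr(8) redirects with a warning. The
       names sample_postconf, param_value and check_cache_paths are this example's own.

```shell
# Added example, not Postfix code: audit tlsmgr(8) TLS session cache file
# locations against data_directory, using "postconf"-style "name = value" lines.

# Constructed sample standing in for the output of "postconf" on a real host.
sample_postconf() {
    cat <<'EOF'
data_directory = /var/lib/postfix
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
lmtp_tls_session_cache_database =
tls_random_source = dev:/dev/urandom
EOF
}

# Print the value of parameter $1 from "name = value" lines on stdin.
param_value() {
    sed -n "s/^$1 *= *//p"
}

# Report every *_tls_session_cache_database whose file is not under
# data_directory (tlsmgr(8) would redirect it and log a warning).
# Exit status: 0 when all cache files are in place, 1 when any is not.
check_cache_paths() {
    conf=$(cat)
    datadir=$(printf '%s\n' "$conf" | param_value data_directory)
    bad=0
    for p in smtpd_tls_session_cache_database \
             smtp_tls_session_cache_database \
             lmtp_tls_session_cache_database; do
        val=$(printf '%s\n' "$conf" | param_value "$p")
        [ -n "$val" ] || continue       # empty value: no cache file configured
        path=${val#*:}                   # drop the "btree:" map type prefix
        # Expand the ${data_directory} and $data_directory spellings main.cf allows.
        path=$(printf '%s\n' "$path" |
               sed "s|\${data_directory}|$datadir|; s|\$data_directory|$datadir|")
        case $path in
            "$datadir"/*) ;;
            *) echo "$p: $path is outside $datadir"; bad=1 ;;
        esac
    done
    return "$bad"
}

if sample_postconf | check_cache_paths; then
    echo "all TLS session cache files are under data_directory"
fi
```

       On a live system, replace sample_postconf with "postconf" and a non-zero
       exit status points at the cache entry that tlsmgr(8) will relocate.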

<b>DIAGNOSTICS</b>
       Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.

<b>BUGS</b>
       There is no automatic means to limit the number of entries in  the  TLS
       session caches and/or the size of the TLS cache files.

<b>CONFIGURATION PARAMETERS</b>
       Changes  to  <a href="postconf.5.html"><b>main.cf</b></a> are not picked up automatically, because <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
       is a persistent process.  Use the command "<b>postfix  reload</b>"  after  a
       configuration change.

       The  text  below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for
       more details including examples.

<b>TLS SESSION CACHE</b>
       <b><a href="postconf.5.html#lmtp_tls_loglevel">lmtp_tls_loglevel</a> (0)</b>
              The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> configuration
              parameter.

       <b><a href="postconf.5.html#lmtp_tls_session_cache_database">lmtp_tls_session_cache_database</a> (empty)</b>
              The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a>
              configuration parameter.

       <b><a href="postconf.5.html#lmtp_tls_session_cache_timeout">lmtp_tls_session_cache_timeout</a> (3600s)</b>
              The LMTP-specific version of the  <a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a>
              configuration parameter.

       <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
              Enable additional Postfix SMTP client logging of TLS activity.

       <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
              Name of the file containing the optional Postfix SMTP client TLS
              session cache.

       <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
              The expiration time of Postfix SMTP  client  TLS  session  cache
              information.

       <b><a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> (0)</b>
              Enable additional Postfix SMTP server logging of TLS activity.

       <b><a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> (empty)</b>
              Name of the file containing the optional Postfix SMTP server TLS
              session cache.

       <b><a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a> (3600s)</b>
              The expiration time of Postfix SMTP  server  TLS  session  cache
              information.

<b>PSEUDO RANDOM NUMBER GENERATOR</b>
       <b><a href="postconf.5.html#tls_random_source">tls_random_source</a> (see 'postconf -d' output)</b>
              The  external  entropy source for the in-memory <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> pseudo
              random number generator (PRNG) pool.

       <b><a href="postconf.5.html#tls_random_bytes">tls_random_bytes</a> (32)</b>
              The number of bytes that <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> reads from $<a href="postconf.5.html#tls_random_source">tls_random_source</a>
              when  (re)seeding  the  in-memory pseudo random number generator
              (PRNG) pool.

       <b><a href="postconf.5.html#tls_random_exchange_name">tls_random_exchange_name</a> (see 'postconf -d' output)</b>
              Name of the pseudo random number  generator  (PRNG)  state  file
              that is maintained by <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>.

       <b><a href="postconf.5.html#tls_random_prng_update_period">tls_random_prng_update_period</a> (3600s)</b>
              The  time between attempts by <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> to save the state of the
              pseudo random number generator (PRNG) to the file specified with
              $<a href="postconf.5.html#tls_random_exchange_name">tls_random_exchange_name</a>.

       <b><a href="postconf.5.html#tls_random_reseed_period">tls_random_reseed_period</a> (3600s)</b>
              The  maximal  time  between attempts by <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> to re-seed the
              in-memory pseudo random number generator (PRNG) pool from exter-
              nal sources.

<b>MISCELLANEOUS CONTROLS</b>
       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
              The  default  location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
              figuration files.

       <b><a href="postconf.5.html#data_directory">data_directory</a> (see 'postconf -d' output)</b>
              The directory with Postfix-writable  data  files  (for  example:
              caches, pseudo-random numbers).

       <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
              How  much  time  a  Postfix  daemon process may take to handle a
              request before it is terminated by a built-in watchdog timer.

       <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
              The process ID of a Postfix command or daemon process.

       <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
              The process name of a Postfix command or daemon process.

       <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
              The syslog facility of Postfix logging.

       <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
              A prefix that  is  prepended  to  the  process  name  in  syslog
              records, so that, for example, "smtpd" becomes "prefix/smtpd".

       Available in Postfix 3.3 and later:

       <b><a href="postconf.5.html#service_name">service_name</a> (read-only)</b>
              The <a href="master.5.html">master.cf</a> service name of a Postfix daemon process.

<b>SEE ALSO</b>
       <a href="smtp.8.html">smtp(8)</a>, Postfix SMTP client
       <a href="smtpd.8.html">smtpd(8)</a>, Postfix SMTP server
       <a href="postconf.5.html">postconf(5)</a>, configuration parameters
       <a href="master.5.html">master(5)</a>, generic daemon options
       <a href="master.8.html">master(8)</a>, process manager
       <a href="postlogd.8.html">postlogd(8)</a>, Postfix logging
       syslogd(8), system logging

<b>README FILES</b>
       <a href="TLS_README.html">TLS_README</a>, Postfix TLS configuration and operation

<b>LICENSE</b>
       The Secure Mailer license must be distributed with this software.

<b>HISTORY</b>
       This service was introduced with Postfix version 2.2.

<b>AUTHOR(S)</b>
       Lutz Jaenicke
       BTU Cottbus
       Allgemeine Elektrotechnik
       Universitaetsplatz 3-4
       D-03044 Cottbus, Germany

       Adapted by:
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

       Wietse Venema
       Google, Inc.
       111 8th Avenue
       New York, NY 10011, USA

                                                                     TLSMGR(8)
</pre> </body> </html>