xref: /netbsd-src/external/ibm-public/postfix/dist/html/tlsproxy.8.html (revision 059c16a85b0b39d60ad6d18f53c09510815afa2b)
1<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
2        "http://www.w3.org/TR/html4/loose.dtd">
3<html> <head>
4<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
5<link rel='stylesheet' type='text/css' href='postfix-doc.css'>
6<title> Postfix manual - tlsproxy(8) </title>
7</head> <body> <pre>
8TLSPROXY(8)                                                        TLSPROXY(8)
9
10<b>NAME</b>
11       tlsproxy - Postfix TLS proxy
12
13<b>SYNOPSIS</b>
14       <b>tlsproxy</b> [generic Postfix daemon options]
15
16<b>DESCRIPTION</b>
17       The  <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>  server  implements a two-way TLS proxy. It is used by
18       the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server to talk SMTP-over-TLS with remote SMTP clients
19       that  are not allowlisted (including clients whose allowlist status has
20       expired), and by the <a href="smtp.8.html"><b>smtp</b>(8)</a> client to support  TLS  connection  reuse,
21       but it should also work for non-SMTP protocols.
22
23       Although  one  <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>  process  can serve multiple sessions at the
24       same time, it is a good idea  to  allow  the  number  of  processes  to
25       increase with load, so that the service remains responsive.
26
27<b>PROTOCOL EXAMPLE</b>
28       The  example  below  concerns  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>.  However, the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>
29       server is agnostic of the application protocol, and the example is eas-
30       ily adapted to other applications.
31
32       After  receiving  a  valid  remote  SMTP  client  STARTTLS command, the
33       <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server sends the remote SMTP client endpoint string,  the
34       requested  role  (server),  and  the  requested timeout to <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>.
35       <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  then  receives  a  "TLS   available"   indication   from
36       <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>.   If the TLS service is available, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> sends the
37       remote SMTP client file descriptor to <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>, and sends the plain-
38       text 220 greeting to the remote SMTP client.  This triggers TLS negoti-
39       ations between the remote SMTP client and <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>.  Upon completion
40       of  the  TLS-level  handshake, <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> translates between plaintext
41       from/to <a href="postscreen.8.html"><b>postscreen</b>(8)</a> and ciphertext to/from the remote SMTP client.
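
       The exchange described above, as an added example that is not part of
       Postfix or of this manual page: two threads joined by AF_UNIX socket
       pairs play the postscreen(8) and tlsproxy(8) roles, and a third plays
       the remote SMTP client. It walks the same steps in the same order:
       request (endpoint string, role, timeout), "TLS available" reply, hand
       off of the client descriptor with SCM_RIGHTS, the plaintext 220
       greeting, then relaying. The "name=value" framing, the endpoint
       string and all message contents are constructed for the demo;
       Postfix's own attribute protocol is not reproduced, and the TLS
       handshake itself is left out (the proxy relays bytes unchanged where
       ciphertext would flow). Needs Python 3.9 or later on a Unix platform
       for socket.send_fds and socket.recv_fds.

```python
"""Descriptor hand-off between an application process (postscreen's role)
and a TLS proxy process (tlsproxy's role), modelled with two threads and
AF_UNIX socket pairs so it runs inside one Python process (3.9+, Unix).
Constructed demo: the message framing is not Postfix's attribute protocol
and the TLS handshake itself is omitted (the proxy relays bytes unchanged).
"""
import socket
import threading

ROLE_SERVER = "server"


def encode_request(endpoint: str, role: str, timeout: int) -> bytes:
    # Constructed "name=value" lines, terminated by an empty line.
    return f"endpoint={endpoint}\nrole={role}\ntimeout={timeout}\n\n".encode()


def decode_attrs(block: bytes) -> dict:
    return dict(line.split("=", 1) for line in block.decode().split("\n") if line)


def read_block(sock: socket.socket) -> bytes:
    """Read one attribute block; it ends with an empty line."""
    buf = b""
    while not buf.endswith(b"\n\n"):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before end of block")
        buf += chunk
    return buf


def proxy_side(ctrl: socket.socket, log: list, tls_available: bool) -> None:
    """The tlsproxy role: answer the request, then take over the client."""
    req = decode_attrs(read_block(ctrl))
    log.append(("proxy_request", req))
    if req.get("role") != ROLE_SERVER or not tls_available:
        ctrl.sendall(b"status=unavailable\n\n")
        return
    ctrl.sendall(b"status=available\n\n")
    # The descriptor arrives as SCM_RIGHTS ancillary data: the kernel installs
    # a new fd for the same open socket, so the sender can close its own copy.
    _data, fds, _flags, _addr = socket.recv_fds(ctrl, 1, 1)
    client = socket.socket(fileno=fds[0])
    # A real tlsproxy would run the TLS handshake on `client` here; the first
    # bytes the remote client sends after the 220 greeting are its ClientHello.
    log.append(("proxy_saw_from_client", client.recv(4096)))
    client.sendall(b"HANDSHAKE-DONE(constructed)")
    # After the handshake: plaintext to/from the application on `ctrl`,
    # ciphertext (here: unchanged bytes) to/from the remote client.
    ctrl.sendall(client.recv(4096))
    client.sendall(ctrl.recv(4096))
    client.close()
    ctrl.close()


def remote_client(conn: socket.socket, log: list) -> None:
    """The remote SMTP client, just after sending STARTTLS."""
    greeting = conn.recv(4096)
    log.append(("client_greeting", greeting))
    if not greeting.startswith(b"220"):
        conn.close()
        return
    conn.sendall(b"ClientHello(constructed)")
    log.append(("client_handshake", conn.recv(4096)))
    conn.sendall(b"EHLO client.example\r\n")
    log.append(("client_reply", conn.recv(4096)))
    conn.close()


def run_handoff(endpoint="[203.0.113.7]:51234", timeout=30, tls_available=True) -> dict:
    """Drive the postscreen role in this thread; return what each side saw."""
    app_ctrl, proxy_ctrl = socket.socketpair()  # control, later plaintext, channel
    app_client, remote = socket.socketpair()    # stands in for the accepted TCP socket
    log: list = []
    workers = [threading.Thread(target=proxy_side, args=(proxy_ctrl, log, tls_available)),
               threading.Thread(target=remote_client, args=(remote, log))]
    for w in workers:
        w.start()
    app_ctrl.sendall(encode_request(endpoint, ROLE_SERVER, timeout))
    status = decode_attrs(read_block(app_ctrl)).get("status")
    if status == "available":
        socket.send_fds(app_ctrl, [b"\0"], [app_client.fileno()])
        app_client.sendall(b"220 2.0.0 Ready to start TLS\r\n")
        app_client.close()                      # the proxy owns the client now
        log.append(("app_plaintext_in", app_ctrl.recv(4096)))
        app_ctrl.sendall(b"250 mail.example\r\n")
    else:
        app_client.sendall(b"454 4.7.0 TLS not available\r\n")
        app_client.close()
    app_ctrl.close()
    for w in workers:
        w.join()
    return dict(log)


if __name__ == "__main__":
    for key, value in run_handoff().items():
        print(key, value)
```

       Run it directly to print what each side observed. The detail worth
       noticing is the ordering: the descriptor is passed before the 220
       greeting is written, so the client's first TLS bytes can only reach
       the proxy, and the application closes its own copy of the client
       socket right after the greeting, keeping only the plaintext channel.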
42
43<b>SECURITY</b>
44       The <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server is moderately security-sensitive.  It  talks  to
45       untrusted  clients  on  the network. The process can be run chrooted at
46       fixed low privilege.
47
48<b>DIAGNOSTICS</b>
49       Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
50
51<b>CONFIGURATION PARAMETERS</b>
52       Changes to <a href="postconf.5.html"><b>main.cf</b></a> are not picked up automatically, as <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> pro-
53       cesses  may run for a long time depending on mail server load.  Use the
54       command "<b>postfix reload</b>" to speed up a change.
55
56       The text below provides only a parameter summary. See  <a href="postconf.5.html"><b>postconf</b>(5)</a>  for
57       more details including examples.
58
59<b>STARTTLS GLOBAL CONTROLS</b>
60       The  following settings are global and therefore cannot be overruled by
61       information specified in a <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client request.
62
63       <b><a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> (no)</b>
64              Append the system-supplied default Certification Authority  cer-
65              tificates   to   the   ones   specified   with  *_tls_CApath  or
66              *_tls_CAfile.
67
68       <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
69              The number of pseudo-random bytes that an  <a href="smtp.8.html"><b>smtp</b>(8)</a>  or  <a href="smtpd.8.html"><b>smtpd</b>(8)</a>
70              process  requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> server in order to seed its
71              internal pseudo random number generator (PRNG).
72
73       <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> (see 'postconf -d' output)</b>
74              The OpenSSL cipherlist for "high" grade ciphers.
75
76       <b><a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> (see 'postconf -d' output)</b>
77              The OpenSSL cipherlist for "medium" or higher grade ciphers.
78
79       <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
80              The OpenSSL cipherlist for "NULL"  grade  ciphers  that  provide
81              authentication without encryption.
82
83       <b><a href="postconf.5.html#tls_eecdh_strong_curve">tls_eecdh_strong_curve</a> (prime256v1)</b>
84              The  elliptic curve used by the Postfix SMTP server for sensibly
85              strong ephemeral ECDH key exchange.
86
87       <b><a href="postconf.5.html#tls_eecdh_ultra_curve">tls_eecdh_ultra_curve</a> (secp384r1)</b>
88              The elliptic curve used by the Postfix SMTP server for maximally
89              strong ephemeral ECDH key exchange.
90
91       <b><a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> (see 'postconf -d' output)</b>
92              List or bit-mask of OpenSSL bug work-arounds to disable.
93
94       <b><a href="postconf.5.html#tls_preempt_cipherlist">tls_preempt_cipherlist</a> (no)</b>
95              With SSLv3 and later, use the Postfix SMTP server's cipher pref-
96              erence order instead of the remote  client's  cipher  preference
97              order.
98
99       Available in Postfix version 2.8..3.7:
100
101       <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (see 'postconf -d' output)</b>
102              The OpenSSL cipherlist for "low" or higher grade ciphers.
103
104       <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (see 'postconf -d' output)</b>
105              The OpenSSL cipherlist for "export" or higher grade ciphers.
106
107       Available in Postfix version 2.9 and later:
108
109       <b><a href="postconf.5.html#tls_legacy_public_key_fingerprints">tls_legacy_public_key_fingerprints</a> (no)</b>
110              A  temporary  migration  aid for sites that use certificate <i>pub-</i>
111              <i>lic-key</i> fingerprints with Postfix  2.9.0..2.9.5,  which  use  an
112              incorrect algorithm.
113
114       Available in Postfix version 2.11-3.1:
115
116       <b><a href="postconf.5.html#tls_dane_digest_agility">tls_dane_digest_agility</a> (on)</b>
117              Configure <a href="https://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
118
119       <b><a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a> (yes)</b>
120              Enable support for <a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
121              digests of trust-anchors with certificate usage "2".
122
123       Available in Postfix version 2.11 and later:
124
125       <b><a href="postconf.5.html#tlsmgr_service_name">tlsmgr_service_name</a> (tlsmgr)</b>
126              The name of the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.
127
128       Available in Postfix version 3.0 and later:
129
130       <b><a href="postconf.5.html#tls_session_ticket_cipher">tls_session_ticket_cipher</a> (Postfix &gt;= 3.0: aes-256-cbc, Postfix &lt; 3.0: aes-128-cbc)</b>
132              Algorithm used to encrypt <a href="https://tools.ietf.org/html/rfc5077">RFC5077</a> TLS session tickets.
133
134       <b><a href="postconf.5.html#openssl_path">openssl_path</a> (openssl)</b>
135              The location of the OpenSSL command line program <b>openssl</b>(1).
136
137       Available in Postfix version 3.2 and later:
138
139       <b><a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> (see 'postconf -d' output)</b>
140              The prioritized list of elliptic curves supported by the Postfix
141              SMTP client and server.
142
143       Available in Postfix version 3.4 and later:
144
145       <b><a href="postconf.5.html#tls_server_sni_maps">tls_server_sni_maps</a> (empty)</b>
146              Optional  lookup tables that map names received from remote SMTP
147              clients via the TLS Server Name Indication  (SNI)  extension  to
148              the appropriate keys and certificate chains.
149
150       Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
151
152       <b><a href="postconf.5.html#tls_fast_shutdown_enable">tls_fast_shutdown_enable</a> (yes)</b>
153              A  workaround  for implementations that hang Postfix while shut-
154              ting down a TLS session, until Postfix times out.
155
156       Available in Postfix version 3.8 and later:
157
158       <b><a href="postconf.5.html#tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a> (see 'postconf -d' output)</b>
159              The prioritized list of  finite-field  Diffie-Hellman  ephemeral
160              (FFDHE) key exchange groups supported by the Postfix SMTP client
161              and server.
162
163       Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
164
165       <b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b>
166              Optional configuration file with baseline OpenSSL settings.
167
168       <b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
169              The application name passed by Postfix to OpenSSL  library  ini-
170              tialization functions.
171
172<b>STARTTLS SERVER CONTROLS</b>
173       These settings are clones of Postfix SMTP server settings.  They  allow
174       <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> to load the same certificate and private key information as
175       the Postfix SMTP server, before dropping privileges, so  that  the  key
176       files  can be kept read-only for root. These settings can currently not
177       be overruled by information in a <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client request,  but  that
178       limitation may be removed in a future version.
179
180       <b><a href="postconf.5.html#tlsproxy_tls_CAfile">tlsproxy_tls_CAfile</a> ($<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>)</b>
181              A  file  containing  (PEM  format)  CA  certificates of root CAs
182              trusted to sign either remote SMTP client certificates or inter-
183              mediate CA certificates.
184
185       <b><a href="postconf.5.html#tlsproxy_tls_CApath">tlsproxy_tls_CApath</a> ($<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>)</b>
186              A  directory containing (PEM format) CA certificates of root CAs
187              trusted to sign either remote SMTP client certificates or inter-
188              mediate CA certificates.
189
190       <b><a href="postconf.5.html#tlsproxy_tls_always_issue_session_ids">tlsproxy_tls_always_issue_session_ids</a> ($<a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a>)</b>
192              Force  the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server to issue a TLS session id,
193              even when TLS session caching is turned off.
194
195       <b><a href="postconf.5.html#tlsproxy_tls_ask_ccert">tlsproxy_tls_ask_ccert</a> ($<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>)</b>
196              Ask a remote SMTP client for a client certificate.
197
198       <b><a href="postconf.5.html#tlsproxy_tls_ccert_verifydepth">tlsproxy_tls_ccert_verifydepth</a> ($<a href="postconf.5.html#smtpd_tls_ccert_verifydepth">smtpd_tls_ccert_verifydepth</a>)</b>
199              The verification depth for remote SMTP client certificates.
200
201       <b><a href="postconf.5.html#tlsproxy_tls_cert_file">tlsproxy_tls_cert_file</a> ($<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>)</b>
202              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server RSA certificate in  PEM
203              format.
204
205       <b><a href="postconf.5.html#tlsproxy_tls_ciphers">tlsproxy_tls_ciphers</a> ($<a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>)</b>
206              The minimum TLS cipher grade that the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server
207              will use with opportunistic TLS encryption.
208
209       <b><a href="postconf.5.html#tlsproxy_tls_dcert_file">tlsproxy_tls_dcert_file</a> ($<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>)</b>
210              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server DSA certificate in  PEM
211              format.
212
213       <b><a href="postconf.5.html#tlsproxy_tls_dh1024_param_file">tlsproxy_tls_dh1024_param_file</a> ($<a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a>)</b>
214              File  with  DH  parameters  that  the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server
215              should use with non-export EDH ciphers.
216
217       <b><a href="postconf.5.html#tlsproxy_tls_dh512_param_file">tlsproxy_tls_dh512_param_file</a> ($<a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a>)</b>
218              File with DH parameters  that  the  Postfix  <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>  server
219              should use with export-grade EDH ciphers.
220
221       <b><a href="postconf.5.html#tlsproxy_tls_dkey_file">tlsproxy_tls_dkey_file</a> ($<a href="postconf.5.html#smtpd_tls_dkey_file">smtpd_tls_dkey_file</a>)</b>
222              File  with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server DSA private key in PEM
223              format.
224
225       <b><a href="postconf.5.html#tlsproxy_tls_eccert_file">tlsproxy_tls_eccert_file</a> ($<a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>)</b>
226              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server  ECDSA  certificate  in
227              PEM format.
228
229       <b><a href="postconf.5.html#tlsproxy_tls_eckey_file">tlsproxy_tls_eckey_file</a> ($<a href="postconf.5.html#smtpd_tls_eckey_file">smtpd_tls_eckey_file</a>)</b>
230              File  with  the  Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server ECDSA private key in
231              PEM format.
232
233       <b><a href="postconf.5.html#tlsproxy_tls_eecdh_grade">tlsproxy_tls_eecdh_grade</a> ($<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a>)</b>
234              The Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>  server  security  grade  for  ephemeral
235              elliptic-curve Diffie-Hellman (EECDH) key exchange.
236
237       <b><a href="postconf.5.html#tlsproxy_tls_exclude_ciphers">tlsproxy_tls_exclude_ciphers</a> ($<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a>)</b>
238              List  of ciphers or cipher types to exclude from the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>
239              server cipher list at all TLS security levels.
240
241       <b><a href="postconf.5.html#tlsproxy_tls_fingerprint_digest">tlsproxy_tls_fingerprint_digest</a> ($<a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a>)</b>
242              The  message  digest  algorithm   to   construct   remote   SMTP
243              client-certificate fingerprints.
244
245       <b><a href="postconf.5.html#tlsproxy_tls_key_file">tlsproxy_tls_key_file</a> ($<a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a>)</b>
246              File  with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server RSA private key in PEM
247              format.
248
249       <b><a href="postconf.5.html#tlsproxy_tls_loglevel">tlsproxy_tls_loglevel</a> ($<a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a>)</b>
250              Enable additional Postfix  <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>  server  logging  of  TLS
251              activity.
252
253       <b><a href="postconf.5.html#tlsproxy_tls_mandatory_ciphers">tlsproxy_tls_mandatory_ciphers</a> ($<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>)</b>
254              The minimum TLS cipher grade that the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server
255              will use with mandatory TLS encryption.
256
257       <b><a href="postconf.5.html#tlsproxy_tls_mandatory_exclude_ciphers">tlsproxy_tls_mandatory_exclude_ciphers</a> ($<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a>)</b>
259              Additional list of ciphers or cipher types to exclude  from  the
260              <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server cipher list at mandatory TLS security levels.
261
262       <b><a href="postconf.5.html#tlsproxy_tls_mandatory_protocols">tlsproxy_tls_mandatory_protocols</a> ($<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a>)</b>
263              The SSL/TLS protocols accepted by the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server
264              with mandatory TLS encryption.
265
266       <b><a href="postconf.5.html#tlsproxy_tls_protocols">tlsproxy_tls_protocols</a> ($<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a>)</b>
267              List  of  TLS protocols that the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server will
268              exclude or include with opportunistic TLS encryption.
269
270       <b><a href="postconf.5.html#tlsproxy_tls_req_ccert">tlsproxy_tls_req_ccert</a> ($<a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a>)</b>
271              With mandatory TLS encryption, require  a  trusted  remote  SMTP
272              client certificate in order to allow TLS connections to proceed.
273
274       <b><a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> ($<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>)</b>
275              The SMTP TLS security level for the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>  server;
276              when a non-empty value is specified, this overrides the obsolete
277              parameters <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>.
278
279       <b><a href="postconf.5.html#tlsproxy_tls_chain_files">tlsproxy_tls_chain_files</a> ($<a href="postconf.5.html#smtpd_tls_chain_files">smtpd_tls_chain_files</a>)</b>
280              Files with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server keys  and  certificate
281              chains in PEM format.
282
283<b>STARTTLS CLIENT CONTROLS</b>
284       These  settings are clones of Postfix SMTP client settings.  They allow
285       <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> to load the same certificate and private key information as
286       the  Postfix  SMTP  client, before dropping privileges, so that the key
287       files can be kept read-only for root. Some settings may be overruled by
288       information in a <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client request.
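
       The server controls in the previous section and the client controls
       here are clones whose defaults are $smtpd_* and $smtp_* parameters, so
       the value that tlsproxy(8) actually uses is only visible after those
       references are expanded. The following added example (not Postfix
       code, and not from this manual page) parses a main.cf text, expands
       $name and ${name} references with cycle detection, resolves a subset
       of the tlsproxy_* parameters using the clone defaults copied from this
       page, and runs a few defender's sanity checks on the result. The
       sample main.cf and its paths are constructed; as a simplifying
       assumption, a name with neither a value nor a listed default resolves
       to the empty string, and the $(name) reference form is not handled.

```python
"""Resolve the effective tlsproxy(8) settings from main.cf text, following the
"clone" defaults this manual page lists (tlsproxy_tls_cert_file defaults to
$smtpd_tls_cert_file, and so on), then run a few sanity checks on the result.
Constructed demo, not Postfix code: the default table is a subset copied from
this page, unknown names resolve to the empty string, and only the $name and
${name} reference forms are expanded."""
import re

# Clone defaults as listed in the STARTTLS SERVER/CLIENT CONTROLS and
# OBSOLETE STARTTLS SUPPORT CONTROLS sections (subset).
CLONE_DEFAULTS = {
    "tlsproxy_tls_security_level": "$smtpd_tls_security_level",
    "tlsproxy_tls_cert_file": "$smtpd_tls_cert_file",
    "tlsproxy_tls_key_file": "$smtpd_tls_key_file",
    "tlsproxy_tls_chain_files": "$smtpd_tls_chain_files",
    "tlsproxy_tls_protocols": "$smtpd_tls_protocols",
    "tlsproxy_use_tls": "$smtpd_use_tls",
    "tlsproxy_enforce_tls": "$smtpd_enforce_tls",
    "tlsproxy_client_security_level": "$smtp_tls_security_level",
    "tlsproxy_client_CAfile": "$smtp_tls_CAfile",
    "tlsproxy_watchdog_timeout": "10s",
}

_REF = re.compile(r"\$(?:\{([A-Za-z0-9_]+)\}|([A-Za-z0-9_]+))")


def parse_main_cf(text: str) -> dict:
    """name = value lines; a line starting with whitespace continues the
    previous value; lines starting with '#' are comments."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            raise ValueError(f"malformed main.cf line: {raw!r}")
        current = name.strip()
        params[current] = value.strip()
    return params


def resolve(name: str, params: dict, defaults: dict = CLONE_DEFAULTS,
            _seen: tuple = ()) -> str:
    """Expand $name references recursively, refusing reference cycles."""
    if name in _seen:
        raise ValueError("circular reference: " + " / ".join(_seen + (name,)))
    value = params.get(name, defaults.get(name, ""))
    return _REF.sub(lambda m: resolve(m.group(1) or m.group(2), params,
                                      defaults, _seen + (name,)), value)


def effective_tlsproxy_settings(text: str) -> dict:
    params = parse_main_cf(text)
    return {name: resolve(name, params) for name in CLONE_DEFAULTS}


def audit(settings: dict) -> list:
    """Sanity checks on the resolved server-role settings (defender's view)."""
    findings = []
    level = settings["tlsproxy_tls_security_level"]
    if not level:
        if "yes" in (settings["tlsproxy_use_tls"], settings["tlsproxy_enforce_tls"]):
            findings.append("TLS enabled only through the obsolete *_use_tls/"
                            "*_enforce_tls switches; set tlsproxy_tls_security_level")
        else:
            findings.append("tlsproxy_tls_security_level is empty and no obsolete "
                            "switch is on: the server role will not offer TLS")
    elif level == "none":
        findings.append("tlsproxy_tls_security_level = none: TLS is disabled")
    if not settings["tlsproxy_tls_chain_files"] and not settings["tlsproxy_tls_cert_file"]:
        findings.append("no server certificate: set (smtpd|tlsproxy)_tls_chain_files")
    return findings


# Constructed sample; not a real site's configuration.
SAMPLE_MAIN_CF = """\
# TLS for the SMTP server; tlsproxy inherits these through its clone defaults
smtpd_tls_security_level = may
smtpd_tls_chain_files =
    /etc/postfix/keys/mail.example.key,
    /etc/postfix/keys/mail.example.crt
smtp_tls_security_level = dane
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
tlsproxy_client_security_level = ${smtp_tls_security_level}
"""

if __name__ == "__main__":
    resolved = effective_tlsproxy_settings(SAMPLE_MAIN_CF)
    for key, value in resolved.items():
        print(f"{key} = {value}")
    print("findings:", audit(resolved) or "none")
```

       On a live system the same questions are answered by "postconf -n"
       (explicit settings) and "postconf -d" (built-in defaults); the value
       of carrying the expansion here is that an empty or inherited
       tlsproxy_tls_security_level, or a certificate that is only configured
       for smtpd(8) through an obsolete switch, shows up as a finding rather
       than as a silent fallback.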
289
290       Available in Postfix version 3.4 and later:
291
292       <b><a href="postconf.5.html#tlsproxy_client_CAfile">tlsproxy_client_CAfile</a> ($<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a>)</b>
293              A  file  containing  CA certificates of root CAs trusted to sign
294              either remote TLS server certificates or  intermediate  CA  cer-
295              tificates.
296
297       <b><a href="postconf.5.html#tlsproxy_client_CApath">tlsproxy_client_CApath</a> ($<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a>)</b>
298              Directory  with  PEM format Certification Authority certificates
299              that the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client uses to verify a remote  TLS
300              server certificate.
301
302       <b><a href="postconf.5.html#tlsproxy_client_chain_files">tlsproxy_client_chain_files</a> ($<a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a>)</b>
303              Files  with  the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client keys and certificate
304              chains in PEM format.
305
306       <b><a href="postconf.5.html#tlsproxy_client_cert_file">tlsproxy_client_cert_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
307              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client RSA certificate in  PEM
308              format.
309
310       <b><a href="postconf.5.html#tlsproxy_client_key_file">tlsproxy_client_key_file</a> ($<a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a>)</b>
311              File  with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client RSA private key in PEM
312              format.
313
314       <b><a href="postconf.5.html#tlsproxy_client_dcert_file">tlsproxy_client_dcert_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
315              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client DSA certificate in  PEM
316              format.
317
318       <b><a href="postconf.5.html#tlsproxy_client_dkey_file">tlsproxy_client_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a>)</b>
319              File  with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client DSA private key in PEM
320              format.
321
322       <b><a href="postconf.5.html#tlsproxy_client_eccert_file">tlsproxy_client_eccert_file</a> ($<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b>
323              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client  ECDSA  certificate  in
324              PEM format.
325
326       <b><a href="postconf.5.html#tlsproxy_client_eckey_file">tlsproxy_client_eckey_file</a> ($<a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a>)</b>
327              File  with  the  Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client ECDSA private key in
328              PEM format.
329
330       <b><a href="postconf.5.html#tlsproxy_client_fingerprint_digest">tlsproxy_client_fingerprint_digest</a> ($<a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a>)</b>
331              The message digest algorithm used to construct remote TLS server
332              certificate fingerprints.
333
334       <b><a href="postconf.5.html#tlsproxy_client_loglevel">tlsproxy_client_loglevel</a> ($<a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a>)</b>
335              Enable  additional  Postfix  <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>  client  logging of TLS
336              activity.
337
338       <b><a href="postconf.5.html#tlsproxy_client_loglevel_parameter">tlsproxy_client_loglevel_parameter</a> (<a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a>)</b>
339              The    name    of    the    parameter    that    provides    the
340              <a href="postconf.5.html#tlsproxy_client_loglevel">tlsproxy_client_loglevel</a> value.
341
342       <b><a href="postconf.5.html#tlsproxy_client_scert_verifydepth">tlsproxy_client_scert_verifydepth</a> ($<a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a>)</b>
343              The verification depth for remote TLS server certificates.
344
345       <b><a href="postconf.5.html#tlsproxy_client_use_tls">tlsproxy_client_use_tls</a> ($<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>)</b>
346              Opportunistic  mode:  use TLS when a remote server announces TLS
347              support.
348
349       <b><a href="postconf.5.html#tlsproxy_client_enforce_tls">tlsproxy_client_enforce_tls</a> ($<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>)</b>
350              Enforcement mode: require that SMTP servers use TLS  encryption.
351
352       <b><a href="postconf.5.html#tlsproxy_client_per_site">tlsproxy_client_per_site</a> ($<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>)</b>
353              Optional  lookup  tables with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client TLS
354              usage policy by next-hop destination and by  remote  TLS  server
355              hostname.
356
357       Available in Postfix version 3.4-3.6:
358
359       <b><a href="postconf.5.html#tlsproxy_client_level">tlsproxy_client_level</a> ($<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>)</b>
360              The  default  TLS  security  level  for  the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>
361              client.
362
363       <b><a href="postconf.5.html#tlsproxy_client_policy">tlsproxy_client_policy</a> ($<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>)</b>
364              Optional lookup tables with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>  client  TLS
365              security policy by next-hop destination.
366
367       Available in Postfix version 3.7 and later:
368
369       <b><a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> ($<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>)</b>
370              The  default  TLS  security  level  for  the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>
371              client.
372
373       <b><a href="postconf.5.html#tlsproxy_client_policy_maps">tlsproxy_client_policy_maps</a> ($<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>)</b>
374              Optional lookup tables with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>  client  TLS
375              security policy by next-hop destination.
376
377<b>OBSOLETE STARTTLS SUPPORT CONTROLS</b>
378       These  parameters  are supported for compatibility with <a href="smtpd.8.html"><b>smtpd</b>(8)</a> legacy
379       parameters.
380
381       <b><a href="postconf.5.html#tlsproxy_use_tls">tlsproxy_use_tls</a> ($<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</b>
382              Opportunistic TLS: announce  STARTTLS  support  to  remote  SMTP
383              clients, but do not require that clients use TLS encryption.
384
385       <b><a href="postconf.5.html#tlsproxy_enforce_tls">tlsproxy_enforce_tls</a> ($<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</b>
386              Mandatory TLS: announce STARTTLS support to remote SMTP clients,
387              and require that clients use TLS encryption.
388
389       <b><a href="postconf.5.html#tlsproxy_client_use_tls">tlsproxy_client_use_tls</a> ($<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>)</b>
390              Opportunistic mode: use TLS when a remote server  announces  TLS
391              support.
392
393       <b><a href="postconf.5.html#tlsproxy_client_enforce_tls">tlsproxy_client_enforce_tls</a> ($<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>)</b>
394              Enforcement  mode: require that SMTP servers use TLS encryption.
395
396<b>RESOURCE CONTROLS</b>
397       <b><a href="postconf.5.html#tlsproxy_watchdog_timeout">tlsproxy_watchdog_timeout</a> (10s)</b>
398              How much time a <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> process may take to process local or
399              remote I/O before it is terminated by a built-in watchdog timer.
400
401<b>MISCELLANEOUS CONTROLS</b>
402       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
403              The default location of the Postfix <a href="postconf.5.html">main.cf</a> and  <a href="master.5.html">master.cf</a>  con-
404              figuration files.
405
406       <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
407              The process ID of a Postfix command or daemon process.
408
409       <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
410              The process name of a Postfix command or daemon process.
411
412       <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
413              The syslog facility of Postfix logging.
414
415       <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
416              A  prefix  that  is  prepended  to  the  process  name in syslog
417              records, so that, for example, "smtpd" becomes "prefix/smtpd".
418
419       Available in Postfix 3.3 and later:
420
421       <b><a href="postconf.5.html#service_name">service_name</a> (read-only)</b>
422              The <a href="master.5.html">master.cf</a> service name of a Postfix daemon process.
423
424<b>SEE ALSO</b>
425       <a href="postscreen.8.html">postscreen(8)</a>, Postfix zombie blocker
426       <a href="smtpd.8.html">smtpd(8)</a>, Postfix SMTP server
427       <a href="postconf.5.html">postconf(5)</a>, configuration parameters
428       <a href="postlogd.8.html">postlogd(8)</a>, Postfix logging
429       syslogd(8), system logging
430
431<b>LICENSE</b>
432       The Secure Mailer license must be distributed with this software.
433
434<b>HISTORY</b>
435       This service was introduced with Postfix version 2.8.
436
437<b>AUTHOR(S)</b>
438       Wietse Venema
439       IBM T.J. Watson Research
440       P.O. Box 704
441       Yorktown Heights, NY 10598, USA
442
443       Wietse Venema
444       Google, Inc.
445       111 8th Avenue
446       New York, NY 10011, USA
447
448                                                                   TLSPROXY(8)
449</pre> </body> </html>
450