1<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" 2 "http://www.w3.org/TR/html4/loose.dtd"> 3<html> <head> 4<meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> 5<title> Postfix manual - tlsmgr(8) </title> 6</head> <body> <pre> 7TLSMGR(8) TLSMGR(8) 8 9<b>NAME</b> 10 tlsmgr - Postfix TLS session cache and PRNG manager 11 12<b>SYNOPSIS</b> 13 <b>tlsmgr</b> [generic Postfix daemon options] 14 15<b>DESCRIPTION</b> 16 The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> manages the Postfix TLS session caches. It stores and 17 retrieves cache entries on request by <a href="smtpd.8.html"><b>smtpd</b>(8)</a> and <a href="smtp.8.html"><b>smtp</b>(8)</a> processes, 18 and periodically removes entries that have expired. 19 20 The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> also manages the PRNG (pseudo random number generator) 21 pool. It answers queries by the <a href="smtpd.8.html"><b>smtpd</b>(8)</a> and <a href="smtp.8.html"><b>smtp</b>(8)</a> processes to seed 22 their internal PRNG pools. 23 24 The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>'s PRNG pool is initially seeded from an external source 25 (EGD, /dev/urandom, or regular file). It is updated at configurable 26 pseudo-random intervals with data from the external source. It is 27 updated periodically with data from TLS session cache entries and with 28 the time of day, and is updated with the time of day whenever a process 29 requests <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service. 30 31 The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> saves the PRNG state to an exchange file periodically and 32 when the process terminates, and reads the exchange file when initial- 33 izing its PRNG. 34 35<b>SECURITY</b> 36 The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> is not security-sensitive. The code that maintains the 37 external and internal PRNG pools does not "trust" the data that it 38 manipulates, and the code that maintains the TLS session cache does not 39 touch the contents of the cached entries, except for seeding its inter- 40 nal PRNG pool. 41 42 The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> can be run chrooted and with reduced privileges. At 43 process startup it connects to the entropy source and exchange file, 44 and creates or truncates the optional TLS session cache files. 45 46 With Postfix version 2.5 and later, the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> no longer uses root 47 privileges when opening cache files. These files should now be stored 48 under the Postfix-owned <b><a href="postconf.5.html#data_directory">data_directory</a></b>. As a migration aid, an attempt 49 to open a cache file under a non-Postfix directory is redirected to the 50 Postfix-owned <b><a href="postconf.5.html#data_directory">data_directory</a></b>, and a warning is logged. 51 52<b>DIAGNOSTICS</b> 53 Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>. 54 55<b>BUGS</b> 56 There is no automatic means to limit the number of entries in the TLS 57 session caches and/or the size of the TLS cache files. 58 59<b>CONFIGURATION PARAMETERS</b> 60 Changes to <a href="postconf.5.html"><b>main.cf</b></a> are not picked up automatically, because <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> 61 is a persistent processes. Use the command "<b>postfix reload</b>" after a 62 configuration change. 63 64 The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for 65 more details including examples. 66 67<b>TLS SESSION CACHE</b> 68 <b><a href="postconf.5.html#lmtp_tls_loglevel">lmtp_tls_loglevel</a> (0)</b> 69 The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> configuration 70 parameter. 71 72 <b><a href="postconf.5.html#lmtp_tls_session_cache_database">lmtp_tls_session_cache_database</a> (empty)</b> 73 The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> 74 configuration parameter. 75 76 <b><a href="postconf.5.html#lmtp_tls_session_cache_timeout">lmtp_tls_session_cache_timeout</a> (3600s)</b> 77 The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> 78 configuration parameter. 79 80 <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b> 81 Enable additional Postfix SMTP client logging of TLS activity. 82 83 <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b> 84 Name of the file containing the optional Postfix SMTP client TLS 85 session cache. 86 87 <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b> 88 The expiration time of Postfix SMTP client TLS session cache 89 information. 90 91 <b><a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> (0)</b> 92 Enable additional Postfix SMTP server logging of TLS activity. 93 94 <b><a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> (empty)</b> 95 Name of the file containing the optional Postfix SMTP server TLS 96 session cache. 97 98 <b><a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a> (3600s)</b> 99 The expiration time of Postfix SMTP server TLS session cache 100 information. 101 102<b>PSEUDO RANDOM NUMBER GENERATOR</b> 103 <b><a href="postconf.5.html#tls_random_source">tls_random_source</a> (see 'postconf -d' output)</b> 104 The external entropy source for the in-memory <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> pseudo 105 random number generator (PRNG) pool. 106 107 <b><a href="postconf.5.html#tls_random_bytes">tls_random_bytes</a> (32)</b> 108 The number of bytes that <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> reads from $<a href="postconf.5.html#tls_random_source">tls_random_source</a> 109 when (re)seeding the in-memory pseudo random number generator 110 (PRNG) pool. 111 112 <b><a href="postconf.5.html#tls_random_exchange_name">tls_random_exchange_name</a> (see 'postconf -d' output)</b> 113 Name of the pseudo random number generator (PRNG) state file 114 that is maintained by <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>. 115 116 <b><a href="postconf.5.html#tls_random_prng_update_period">tls_random_prng_update_period</a> (3600s)</b> 117 The time between attempts by <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> to save the state of the 118 pseudo random number generator (PRNG) to the file specified with 119 $<a href="postconf.5.html#tls_random_exchange_name">tls_random_exchange_name</a>. 120 121 <b><a href="postconf.5.html#tls_random_reseed_period">tls_random_reseed_period</a> (3600s)</b> 122 The maximal time between attempts by <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> to re-seed the 123 in-memory pseudo random number generator (PRNG) pool from exter- 124 nal sources. 125 126<b>MISCELLANEOUS CONTROLS</b> 127 <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b> 128 The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con- 129 figuration files. 130 131 <b><a href="postconf.5.html#data_directory">data_directory</a> (see 'postconf -d' output)</b> 132 The directory with Postfix-writable data files (for example: 133 caches, pseudo-random numbers). 134 135 <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b> 136 How much time a Postfix daemon process may take to handle a 137 request before it is terminated by a built-in watchdog timer. 138 139 <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b> 140 The process ID of a Postfix command or daemon process. 141 142 <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b> 143 The process name of a Postfix command or daemon process. 144 145 <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b> 146 The syslog facility of Postfix logging. 147 148 <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b> 149 A prefix that is prepended to the process name in syslog 150 records, so that, for example, "smtpd" becomes "prefix/smtpd". 151 152 Available in Postfix 3.3 and later: 153 154 <b><a href="postconf.5.html#service_name">service_name</a> (read-only)</b> 155 The <a href="master.5.html">master.cf</a> service name of a Postfix daemon process. 156 157<b>SEE ALSO</b> 158 <a href="smtp.8.html">smtp(8)</a>, Postfix SMTP client 159 <a href="smtpd.8.html">smtpd(8)</a>, Postfix SMTP server 160 <a href="postconf.5.html">postconf(5)</a>, configuration parameters 161 <a href="master.5.html">master(5)</a>, generic daemon options 162 <a href="master.8.html">master(8)</a>, process manager 163 <a href="postlogd.8.html">postlogd(8)</a>, Postfix logging 164 syslogd(8), system logging 165 166<b>README FILES</b> 167 <a href="TLS_README.html">TLS_README</a>, Postfix TLS configuration and operation 168 169<b>LICENSE</b> 170 The Secure Mailer license must be distributed with this software. 171 172<b>HISTORY</b> 173 This service was introduced with Postfix version 2.2. 174 175<b>AUTHOR(S)</b> 176 Lutz Jaenicke 177 BTU Cottbus 178 Allgemeine Elektrotechnik 179 Universitaetsplatz 3-4 180 D-03044 Cottbus, Germany 181 182 Adapted by: 183 Wietse Venema 184 IBM T.J. Watson Research 185 P.O. Box 704 186 Yorktown Heights, NY 10598, USA 187 188 Wietse Venema 189 Google, Inc. 190 111 8th Avenue 191 New York, NY 10011, USA 192 193 TLSMGR(8) 194</pre> </body> </html> 195