<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<title> Postfix manual - tlsmgr(8) </title>
</head> <body> <pre>
TLSMGR(8)                                                            TLSMGR(8)

<b>NAME</b>
       tlsmgr - Postfix TLS session cache and PRNG manager

<b>SYNOPSIS</b>
       <b>tlsmgr</b> [generic Postfix daemon options]

<b>DESCRIPTION</b>
       The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> manages the Postfix TLS session caches. It stores and
       retrieves cache entries on request by <a href="smtpd.8.html"><b>smtpd</b>(8)</a> and <a href="smtp.8.html"><b>smtp</b>(8)</a> processes,
       and periodically removes entries that have expired.

       The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> also manages the PRNG (pseudo random number generator)
       pool. It answers queries by the <a href="smtpd.8.html"><b>smtpd</b>(8)</a> and <a href="smtp.8.html"><b>smtp</b>(8)</a> processes to seed
       their internal PRNG pools.

       The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>'s PRNG pool is initially seeded from an external source
       (EGD, /dev/urandom, or regular file). It is updated at configurable
       pseudo-random intervals with data from the external source. It is
       updated periodically with data from TLS session cache entries and with
       the time of day, and is updated with the time of day whenever a process
       requests <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service.

       The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> saves the PRNG state to an exchange file periodically and
       when the process terminates, and reads the exchange file when
       initializing its PRNG.

<b>SECURITY</b>
       The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> is not security-sensitive.
       The code that maintains the external and internal PRNG pools does not
       "trust" the data that it manipulates, and the code that maintains the
       TLS session cache does not touch the contents of the cached entries,
       except for seeding its internal PRNG pool.

       The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> can be run chrooted and with reduced privileges. At
       process startup it connects to the entropy source and exchange file,
       and creates or truncates the optional TLS session cache files.

       With Postfix version 2.5 and later, the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> no longer uses root
       privileges when opening cache files. These files should now be stored
       under the Postfix-owned <b><a href="postconf.5.html#data_directory">data_directory</a></b>. As a migration aid, an attempt
       to open a cache file under a non-Postfix directory is redirected to the
       Postfix-owned <b><a href="postconf.5.html#data_directory">data_directory</a></b>, and a warning is logged.

<b>DIAGNOSTICS</b>
       Problems and transactions are logged to the syslog daemon.

<b>BUGS</b>
       There is no automatic means to limit the number of entries in the TLS
       session caches and/or the size of the TLS cache files.

<b>CONFIGURATION PARAMETERS</b>
       Changes to <a href="postconf.5.html"><b>main.cf</b></a> are not picked up automatically, because <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
       is a persistent process. Use the command "<b>postfix reload</b>" after a
       configuration change.

       The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for
       more details including examples.

<b>TLS SESSION CACHE</b>
       <b><a href="postconf.5.html#lmtp_tls_loglevel">lmtp_tls_loglevel</a> (0)</b>
              The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> configuration
              parameter.

       <b><a href="postconf.5.html#lmtp_tls_session_cache_database">lmtp_tls_session_cache_database</a> (empty)</b>
              The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a>
              configuration parameter.

       <b><a href="postconf.5.html#lmtp_tls_session_cache_timeout">lmtp_tls_session_cache_timeout</a> (3600s)</b>
              The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a>
              configuration parameter.

       <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
              Enable additional Postfix SMTP client logging of TLS activity.

       <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
              Name of the file containing the optional Postfix SMTP client TLS
              session cache.

       <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
              The expiration time of Postfix SMTP client TLS session cache
              information.

       <b><a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> (0)</b>
              Enable additional Postfix SMTP server logging of TLS activity.

       <b><a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> (empty)</b>
              Name of the file containing the optional Postfix SMTP server TLS
              session cache.

       <b><a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a> (3600s)</b>
              The expiration time of Postfix SMTP server TLS session cache
              information.

<b>PSEUDO RANDOM NUMBER GENERATOR</b>
       <b><a href="postconf.5.html#tls_random_source">tls_random_source</a> (see 'postconf -d' output)</b>
              The external entropy source for the in-memory <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> pseudo
              random number generator (PRNG) pool.

       <b><a href="postconf.5.html#tls_random_bytes">tls_random_bytes</a> (32)</b>
              The number of bytes that <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> reads from $<a href="postconf.5.html#tls_random_source">tls_random_source</a>
              when (re)seeding the in-memory pseudo random number generator
              (PRNG) pool.

       <b><a href="postconf.5.html#tls_random_exchange_name">tls_random_exchange_name</a> (see 'postconf -d' output)</b>
              Name of the pseudo random number generator (PRNG) state file
              that is maintained by <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>.

       <b><a href="postconf.5.html#tls_random_prng_update_period">tls_random_prng_update_period</a> (3600s)</b>
              The time between attempts by <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> to save the state of the
              pseudo random number generator (PRNG) to the file specified with
              $<a href="postconf.5.html#tls_random_exchange_name">tls_random_exchange_name</a>.

       <b><a href="postconf.5.html#tls_random_reseed_period">tls_random_reseed_period</a> (3600s)</b>
              The maximal time between attempts by <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> to re-seed the
              in-memory pseudo random number generator (PRNG) pool from
              external sources.

<b>MISCELLANEOUS CONTROLS</b>
       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
              The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a>
              configuration files.

       <b><a href="postconf.5.html#data_directory">data_directory</a> (see 'postconf -d' output)</b>
              The directory with Postfix-writable data files (for example:
              caches, pseudo-random numbers).

       <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
              How much time a Postfix daemon process may take to handle a
              request before it is terminated by a built-in watchdog timer.

       <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
              The process ID of a Postfix command or daemon process.

       <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
              The process name of a Postfix command or daemon process.

       <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
              The syslog facility of Postfix logging.

       <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
              The mail system name that is prepended to the process name in
              syslog records, so that "smtpd" becomes, for example,
              "postfix/smtpd".

<b>SEE ALSO</b>
       <a href="smtp.8.html">smtp(8)</a>, Postfix SMTP client
       <a href="smtpd.8.html">smtpd(8)</a>, Postfix SMTP server
       <a href="postconf.5.html">postconf(5)</a>, configuration parameters
       <a href="master.5.html">master(5)</a>, generic daemon options
       <a href="master.8.html">master(8)</a>, process manager
       syslogd(8), system logging

<b>README FILES</b>
       <a href="TLS_README.html">TLS_README</a>, Postfix TLS configuration and operation

<b>LICENSE</b>
       The Secure Mailer license must be distributed with this software.

<b>HISTORY</b>
       This service was introduced with Postfix version 2.2.

<b>AUTHOR(S)</b>
       Lutz Jaenicke
       BTU Cottbus
       Allgemeine Elektrotechnik
       Universitaetsplatz 3-4
       D-03044 Cottbus, Germany

       Adapted by:
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

                                                                     TLSMGR(8)
</pre> </body> </html>
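The SECURITY section above says that since Postfix 2.5 the session cache files and the PRNG exchange file belong under the Postfix-owned data_directory, and that a file elsewhere is silently redirected with a logged warning. The POSIX sh check below is an added example, not part of the Postfix manual or source; it applies that rule to a constructed main.cf excerpt, so the paths and parameter values are sample assumptions rather than a real host's settings.

```shell
# Added example, not from the Postfix manual: report tlsmgr(8) cache and
# exchange files that are not under data_directory, before "postfix reload".
# CF is a constructed main.cf excerpt with sample values; no Postfix needed.
CF='data_directory = /var/lib/postfix
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_scache
tls_random_exchange_name = ${data_directory}/prng_exch
'

# Print the value of parameter $2 from main.cf text $1, with
# ${data_directory} and $data_directory expanded.
cf_get() {
    _dd=$(printf '%s\n' "$1" | sed -n 's/^data_directory[[:space:]]*=[[:space:]]*//p')
    printf '%s\n' "$1" | sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" \
        | sed -e 's|[$]{data_directory}|'"$_dd"'|g' \
              -e 's|[$]data_directory|'"$_dd"'|g'
}

# Path part of a database spec: "btree:/path" -> "/path"; a bare path such
# as tls_random_exchange_name (no type prefix) is returned unchanged.
db_path() { printf '%s\n' "${1#*:}"; }

# Check parameter $2 in main.cf text $1: print a verdict and return 0 when
# the file is under data_directory (or the parameter is empty), else 1.
check_param() {
    _dd=$(cf_get "$1" data_directory)
    _val=$(cf_get "$1" "$2")
    if [ -z "$_val" ]; then
        echo "$2: empty, nothing to check"
        return 0
    fi
    _path=$(db_path "$_val")
    case $_path in
        "$_dd"/*)
            echo "$2: ok ($_path)"
            return 0 ;;
    esac
    echo "$2: $_path is outside $_dd; tlsmgr(8) will redirect it and log a warning"
    return 1
}

for p in smtpd_tls_session_cache_database smtp_tls_session_cache_database \
         tls_random_exchange_name; do
    check_param "$CF" "$p" || :
done
```

On a live system, replace CF with the output of `postconf -n` for the same parameters; the smtp_tls_session_cache_database line in the sample is the case the manual warns about.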