<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
 "http://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title> Postfix manual - tlsproxy(8) </title>
</head> <body> <pre>
TLSPROXY(8)                                                        TLSPROXY(8)

<b>NAME</b>
       tlsproxy - Postfix TLS proxy

<b>SYNOPSIS</b>
       <b>tlsproxy</b> [generic Postfix daemon options]

<b>DESCRIPTION</b>
       The <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server implements a two-way TLS proxy. It is used by
       the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server to talk SMTP-over-TLS with remote SMTP clients
       that are not allowlisted (including clients whose allowlist status has
       expired), and by the <a href="smtp.8.html"><b>smtp</b>(8)</a> client to support TLS connection reuse,
       but it should also work for non-SMTP protocols.

       Although one <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> process can serve multiple sessions at the
       same time, it is a good idea to allow the number of processes to
       increase with load, so that the service remains responsive.

<b>PROTOCOL EXAMPLE</b>
       The example below concerns <a href="postscreen.8.html"><b>postscreen</b>(8)</a>. However, the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>
       server is agnostic of the application protocol, and the example is
       easily adapted to other applications.

       After receiving a valid remote SMTP client STARTTLS command, the
       <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server sends the remote SMTP client endpoint string, the
       requested role (server), and the requested timeout to <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>.
       <a href="postscreen.8.html"><b>postscreen</b>(8)</a> then receives a "TLS available" indication from
       <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>.
       If the TLS service is available, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> sends the
       remote SMTP client file descriptor to <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>, and sends the
       plaintext 220 greeting to the remote SMTP client. This triggers TLS
       negotiations between the remote SMTP client and <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>. Upon
       completion of the TLS-level handshake, <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> translates between
       plaintext from/to <a href="postscreen.8.html"><b>postscreen</b>(8)</a> and ciphertext to/from the remote SMTP
       client.

<b>SECURITY</b>
       The <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server is moderately security-sensitive. It talks to
       untrusted clients on the network. The process can be run chrooted at
       fixed low privilege.

<b>DIAGNOSTICS</b>
       Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.

<b>CONFIGURATION PARAMETERS</b>
       Changes to <a href="postconf.5.html"><b>main.cf</b></a> are not picked up automatically, as <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>
       processes may run for a long time depending on mail server load. Use
       the command "<b>postfix reload</b>" to speed up a change.

       The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for
       more details including examples.

<b>STARTTLS GLOBAL CONTROLS</b>
       The following settings are global and therefore cannot be overruled by
       information specified in a <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client request.

       <b><a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> (no)</b>
              Append the system-supplied default Certification Authority
              certificates to the ones specified with *_tls_CApath or
              *_tls_CAfile.

       <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
              The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a> or <a href="smtpd.8.html"><b>smtpd</b>(8)</a>
              process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> server in order to seed its
              internal pseudo random number generator (PRNG).

       <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> (see 'postconf -d' output)</b>
              The OpenSSL cipherlist for "high" grade ciphers.

       <b><a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> (see 'postconf -d' output)</b>
              The OpenSSL cipherlist for "medium" or higher grade ciphers.

       <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (see 'postconf -d' output)</b>
              The OpenSSL cipherlist for "low" or higher grade ciphers.

       <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (see 'postconf -d' output)</b>
              The OpenSSL cipherlist for "export" or higher grade ciphers.

       <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
              The OpenSSL cipherlist for "NULL" grade ciphers that provide
              authentication without encryption.

       <b><a href="postconf.5.html#tls_eecdh_strong_curve">tls_eecdh_strong_curve</a> (prime256v1)</b>
              The elliptic curve used by the Postfix SMTP server for sensibly
              strong ephemeral ECDH key exchange.

       <b><a href="postconf.5.html#tls_eecdh_ultra_curve">tls_eecdh_ultra_curve</a> (secp384r1)</b>
              The elliptic curve used by the Postfix SMTP server for maximally
              strong ephemeral ECDH key exchange.

       <b><a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> (see 'postconf -d' output)</b>
              List or bit-mask of OpenSSL bug work-arounds to disable.

       <b><a href="postconf.5.html#tls_preempt_cipherlist">tls_preempt_cipherlist</a> (no)</b>
              With SSLv3 and later, use the Postfix SMTP server's cipher
              preference order instead of the remote client's cipher
              preference order.

       Available in Postfix version 2.9 and later:

       <b><a href="postconf.5.html#tls_legacy_public_key_fingerprints">tls_legacy_public_key_fingerprints</a> (no)</b>
              A temporary migration aid for sites that use certificate
              <i>public-key</i> fingerprints with Postfix 2.9.0..2.9.5, which use an
              incorrect algorithm.

       Available in Postfix version 2.11-3.1:

       <b><a href="postconf.5.html#tls_dane_digest_agility">tls_dane_digest_agility</a> (on)</b>
              Configure <a href="https://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.

       <b><a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a> (yes)</b>
              Enable support for <a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
              digests of trust-anchors with certificate usage "2".

       Available in Postfix version 2.11 and later:

       <b><a href="postconf.5.html#tlsmgr_service_name">tlsmgr_service_name</a> (tlsmgr)</b>
              The name of the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.

       Available in Postfix version 3.0 and later:

       <b><a href="postconf.5.html#tls_session_ticket_cipher">tls_session_ticket_cipher</a> (Postfix &gt;= 3.0: aes-256-cbc, Postfix &lt; 3.0:
       aes-128-cbc)</b>
              Algorithm used to encrypt <a href="https://tools.ietf.org/html/rfc5077">RFC5077</a> TLS session tickets.

       <b><a href="postconf.5.html#openssl_path">openssl_path</a> (openssl)</b>
              The location of the OpenSSL command line program <b>openssl</b>(1).

       Available in Postfix version 3.2 and later:

       <b><a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> (see 'postconf -d' output)</b>
              The prioritized list of elliptic curves supported by the Postfix
              SMTP client and server.

       Available in Postfix version 3.4 and later:

       <b><a href="postconf.5.html#tls_server_sni_maps">tls_server_sni_maps</a> (empty)</b>
              Optional lookup tables that map names received from remote SMTP
              clients via the TLS Server Name Indication (SNI) extension to
              the appropriate keys and certificate chains.

       Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:

       <b><a href="postconf.5.html#tls_fast_shutdown_enable">tls_fast_shutdown_enable</a> (yes)</b>
              A workaround for implementations that hang Postfix while
              shutting down a TLS session, until Postfix times out.

<b>STARTTLS SERVER CONTROLS</b>
       These settings are clones of Postfix SMTP server settings. They allow
       <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> to load the same certificate and private key information as
       the Postfix SMTP server, before dropping privileges, so that the key
       files can be kept read-only for root. These settings can currently not
       be overruled by information in a <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client request, but that
       limitation may be removed in a future version.

       <b><a href="postconf.5.html#tlsproxy_tls_CAfile">tlsproxy_tls_CAfile</a> ($<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>)</b>
              A file containing (PEM format) CA certificates of root CAs
              trusted to sign either remote SMTP client certificates or
              intermediate CA certificates.

       <b><a href="postconf.5.html#tlsproxy_tls_CApath">tlsproxy_tls_CApath</a> ($<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>)</b>
              A directory containing (PEM format) CA certificates of root CAs
              trusted to sign either remote SMTP client certificates or
              intermediate CA certificates.

       <b><a href="postconf.5.html#tlsproxy_tls_always_issue_session_ids">tlsproxy_tls_always_issue_session_ids</a> ($<a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a>)</b>
              Force the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server to issue a TLS session id,
              even when TLS session caching is turned off.

       <b><a href="postconf.5.html#tlsproxy_tls_ask_ccert">tlsproxy_tls_ask_ccert</a> ($<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>)</b>
              Ask a remote SMTP client for a client certificate.

       <b><a href="postconf.5.html#tlsproxy_tls_ccert_verifydepth">tlsproxy_tls_ccert_verifydepth</a> ($<a href="postconf.5.html#smtpd_tls_ccert_verifydepth">smtpd_tls_ccert_verifydepth</a>)</b>
              The verification depth for remote SMTP client certificates.

       <b><a href="postconf.5.html#tlsproxy_tls_cert_file">tlsproxy_tls_cert_file</a> ($<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>)</b>
              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server RSA certificate in PEM
              format.

       <b><a href="postconf.5.html#tlsproxy_tls_ciphers">tlsproxy_tls_ciphers</a> ($<a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>)</b>
              The minimum TLS cipher grade that the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server
              will use with opportunistic TLS encryption.

       <b><a href="postconf.5.html#tlsproxy_tls_dcert_file">tlsproxy_tls_dcert_file</a> ($<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>)</b>
              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server DSA certificate in PEM
              format.

       <b><a href="postconf.5.html#tlsproxy_tls_dh1024_param_file">tlsproxy_tls_dh1024_param_file</a> ($<a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a>)</b>
              File with DH parameters that the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server
              should use with non-export EDH ciphers.

       <b><a href="postconf.5.html#tlsproxy_tls_dh512_param_file">tlsproxy_tls_dh512_param_file</a> ($<a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a>)</b>
              File with DH parameters that the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server
              should use with export-grade EDH ciphers.

       <b><a href="postconf.5.html#tlsproxy_tls_dkey_file">tlsproxy_tls_dkey_file</a> ($<a href="postconf.5.html#smtpd_tls_dkey_file">smtpd_tls_dkey_file</a>)</b>
              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server DSA private key in PEM
              format.

       <b><a href="postconf.5.html#tlsproxy_tls_eccert_file">tlsproxy_tls_eccert_file</a> ($<a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>)</b>
              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server ECDSA certificate in
              PEM format.

       <b><a href="postconf.5.html#tlsproxy_tls_eckey_file">tlsproxy_tls_eckey_file</a> ($<a href="postconf.5.html#smtpd_tls_eckey_file">smtpd_tls_eckey_file</a>)</b>
              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server ECDSA private key in
              PEM format.

       <b><a href="postconf.5.html#tlsproxy_tls_eecdh_grade">tlsproxy_tls_eecdh_grade</a> ($<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a>)</b>
              The Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server security grade for ephemeral
              elliptic-curve Diffie-Hellman (EECDH) key exchange.

       <b><a href="postconf.5.html#tlsproxy_tls_exclude_ciphers">tlsproxy_tls_exclude_ciphers</a> ($<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a>)</b>
              List of ciphers or cipher types to exclude from the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>
              server cipher list at all TLS security levels.

       <b><a href="postconf.5.html#tlsproxy_tls_fingerprint_digest">tlsproxy_tls_fingerprint_digest</a> ($<a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a>)</b>
              The message digest algorithm to construct remote SMTP
              client-certificate fingerprints.

       <b><a href="postconf.5.html#tlsproxy_tls_key_file">tlsproxy_tls_key_file</a> ($<a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a>)</b>
              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server RSA private key in PEM
              format.

       <b><a href="postconf.5.html#tlsproxy_tls_loglevel">tlsproxy_tls_loglevel</a> ($<a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a>)</b>
              Enable additional Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server logging of TLS
              activity.

       <b><a href="postconf.5.html#tlsproxy_tls_mandatory_ciphers">tlsproxy_tls_mandatory_ciphers</a> ($<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>)</b>
              The minimum TLS cipher grade that the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server
              will use with mandatory TLS encryption.

       <b><a href="postconf.5.html#tlsproxy_tls_mandatory_exclude_ciphers">tlsproxy_tls_mandatory_exclude_ciphers</a> ($<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a>)</b>
              Additional list of ciphers or cipher types to exclude from the
              <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server cipher list at mandatory TLS security levels.

       <b><a href="postconf.5.html#tlsproxy_tls_mandatory_protocols">tlsproxy_tls_mandatory_protocols</a> ($<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a>)</b>
              The SSL/TLS protocols accepted by the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server
              with mandatory TLS encryption.

       <b><a href="postconf.5.html#tlsproxy_tls_protocols">tlsproxy_tls_protocols</a> ($<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a>)</b>
              List of TLS protocols that the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server will
              exclude or include with opportunistic TLS encryption.

       <b><a href="postconf.5.html#tlsproxy_tls_req_ccert">tlsproxy_tls_req_ccert</a> ($<a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a>)</b>
              With mandatory TLS encryption, require a trusted remote SMTP
              client certificate in order to allow TLS connections to proceed.

       <b><a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> ($<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>)</b>
              The SMTP TLS security level for the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server;
              when a non-empty value is specified, this overrides the obsolete
              parameters <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>.
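       The two rules that the entries in this section spell out (every
       tlsproxy_tls_* parameter defaults to its $smtpd_tls_* counterpart,
       and a non-empty tlsproxy_tls_security_level overrides the obsolete
       use/enforce parameters) are easy to get wrong when reading a site's
       main.cf by hand. The following is an added example, not Postfix
       code: it resolves the $name references the way postconf -x does and
       reports the security level, protocol list and findings that
       tlsproxy(8) would effectively run with. The sample main.cf is
       constructed, and the SSLv2/SSLv3 check is this example's own policy.

```python
"""Resolve effective tlsproxy(8) server TLS settings from main.cf text.

Added example, not Postfix code. Feed it a main.cf or the output of
`postconf` (all parameters, unexpanded); `postconf -n` alone omits the
smtpd_* defaults that the tlsproxy_* parameters fall back to.
"""
import re

# Defaults as listed on the tlsproxy(8) page: tlsproxy_X -> $smtpd_X.
DEFAULTS = {
    "tlsproxy_tls_security_level": "$smtpd_tls_security_level",
    "tlsproxy_tls_protocols": "$smtpd_tls_protocols",
    "tlsproxy_tls_mandatory_protocols": "$smtpd_tls_mandatory_protocols",
    "tlsproxy_tls_ciphers": "$smtpd_tls_ciphers",
    "tlsproxy_tls_mandatory_ciphers": "$smtpd_tls_mandatory_ciphers",
    "tlsproxy_tls_key_file": "$smtpd_tls_key_file",
    "tlsproxy_tls_chain_files": "$smtpd_tls_chain_files",
    "tlsproxy_use_tls": "$smtpd_use_tls",
    "tlsproxy_enforce_tls": "$smtpd_enforce_tls",
}

REF = re.compile(r"\$\{?([A-Za-z0-9_]+)\}?")   # $name or ${name}

# Constructed sample main.cf (not from any real site).
SAMPLE_MAIN_CF = """\
# constructed sample
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_chain_files = /etc/postfix/example-key.pem,
    /etc/postfix/example-cert.pem
smtpd_use_tls = no
tlsproxy_tls_security_level = $smtpd_tls_security_level
"""


def parse_main_cf(text: str) -> dict:
    """Parse 'name = value' lines; lines starting with whitespace continue."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def resolve(params: dict, name: str, depth: int = 0) -> str:
    """Expand $references recursively, falling back to the page's defaults."""
    if depth > 20:
        raise ValueError(f"reference loop while expanding {name}")
    value = params.get(name, DEFAULTS.get(name, ""))
    return REF.sub(lambda m: resolve(params, m.group(1), depth + 1), value)


def effective_security_level(params: dict) -> str:
    """Non-empty tlsproxy_tls_security_level wins over the obsolete pair."""
    level = resolve(params, "tlsproxy_tls_security_level")
    if level:
        return level
    if resolve(params, "tlsproxy_enforce_tls").lower() == "yes":
        return "encrypt"
    if resolve(params, "tlsproxy_use_tls").lower() == "yes":
        return "may"
    return "none"


def audit(text: str) -> dict:
    """Return effective settings plus the findings a config review would raise."""
    params = parse_main_cf(text)
    level = effective_security_level(params)
    protocols = resolve(params, "tlsproxy_tls_protocols")
    findings = []
    if level == "none":
        findings.append("TLS is off: tlsproxy will report TLS as not available")
    # Example policy: SSLv2/SSLv3 must be excluded, via '!SSLv2, !SSLv3'
    # or the newer '>=TLSv1.x' form.
    if not (protocols.startswith(">=")
            or ("!SSLv2" in protocols and "!SSLv3" in protocols)):
        findings.append(f"protocols do not exclude SSLv2/SSLv3: '{protocols}'")
    for name in ("tlsproxy_tls_key_file", "tlsproxy_tls_chain_files"):
        smtpd_name = "smtpd_" + name[len("tlsproxy_"):]
        if name in params and resolve(params, name) != resolve(params, smtpd_name):
            findings.append(f"{name} diverges from {smtpd_name}")
    return {"security_level": level, "protocols": protocols, "findings": findings}


if __name__ == "__main__":
    print(audit(SAMPLE_MAIN_CF))
```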

       <b><a href="postconf.5.html#tlsproxy_tls_chain_files">tlsproxy_tls_chain_files</a> ($<a href="postconf.5.html#smtpd_tls_chain_files">smtpd_tls_chain_files</a>)</b>
              Files with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server keys and certificate
              chains in PEM format.

<b>STARTTLS CLIENT CONTROLS</b>
       These settings are clones of Postfix SMTP client settings. They allow
       <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> to load the same certificate and private key information as
       the Postfix SMTP client, before dropping privileges, so that the key
       files can be kept read-only for root. Some settings may be overruled by
       information in a <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client request.

       Available in Postfix version 3.4 and later:

       <b><a href="postconf.5.html#tlsproxy_client_CAfile">tlsproxy_client_CAfile</a> ($<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a>)</b>
              A file containing CA certificates of root CAs trusted to sign
              either remote TLS server certificates or intermediate CA
              certificates.

       <b><a href="postconf.5.html#tlsproxy_client_CApath">tlsproxy_client_CApath</a> ($<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a>)</b>
              Directory with PEM format Certification Authority certificates
              that the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client uses to verify a remote TLS
              server certificate.

       <b><a href="postconf.5.html#tlsproxy_client_chain_files">tlsproxy_client_chain_files</a> ($<a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a>)</b>
              Files with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client keys and certificate
              chains in PEM format.

       <b><a href="postconf.5.html#tlsproxy_client_cert_file">tlsproxy_client_cert_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client RSA certificate in PEM
              format.

       <b><a href="postconf.5.html#tlsproxy_client_key_file">tlsproxy_client_key_file</a> ($<a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a>)</b>
              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client RSA private key in PEM
              format.

       <b><a href="postconf.5.html#tlsproxy_client_dcert_file">tlsproxy_client_dcert_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client DSA certificate in PEM
              format.

       <b><a href="postconf.5.html#tlsproxy_client_dkey_file">tlsproxy_client_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a>)</b>
              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client DSA private key in PEM
              format.

       <b><a href="postconf.5.html#tlsproxy_client_eccert_file">tlsproxy_client_eccert_file</a> ($<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b>
              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client ECDSA certificate in
              PEM format.

       <b><a href="postconf.5.html#tlsproxy_client_eckey_file">tlsproxy_client_eckey_file</a> ($<a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a>)</b>
              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client ECDSA private key in
              PEM format.

       <b><a href="postconf.5.html#tlsproxy_client_fingerprint_digest">tlsproxy_client_fingerprint_digest</a> ($<a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a>)</b>
              The message digest algorithm used to construct remote TLS server
              certificate fingerprints.

       <b><a href="postconf.5.html#tlsproxy_client_loglevel">tlsproxy_client_loglevel</a> ($<a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a>)</b>
              Enable additional Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client logging of TLS
              activity.

       <b><a href="postconf.5.html#tlsproxy_client_loglevel_parameter">tlsproxy_client_loglevel_parameter</a> (<a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a>)</b>
              The name of the parameter that provides the
              <a href="postconf.5.html#tlsproxy_client_loglevel">tlsproxy_client_loglevel</a> value.

       <b><a href="postconf.5.html#tlsproxy_client_scert_verifydepth">tlsproxy_client_scert_verifydepth</a> ($<a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a>)</b>
              The verification depth for remote TLS server certificates.

       <b><a href="postconf.5.html#tlsproxy_client_use_tls">tlsproxy_client_use_tls</a> ($<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>)</b>
              Opportunistic mode: use TLS when a remote server announces TLS
              support.

       <b><a href="postconf.5.html#tlsproxy_client_enforce_tls">tlsproxy_client_enforce_tls</a> ($<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>)</b>
              Enforcement mode: require that SMTP servers use TLS encryption.

       <b><a href="postconf.5.html#tlsproxy_client_per_site">tlsproxy_client_per_site</a> ($<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>)</b>
              Optional lookup tables with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client TLS
              usage policy by next-hop destination and by remote TLS server
              hostname.

       Available in Postfix version 3.4-3.6:

       <b><a href="postconf.5.html#tlsproxy_client_level">tlsproxy_client_level</a> ($<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>)</b>
              The default TLS security level for the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>
              client.

       <b><a href="postconf.5.html#tlsproxy_client_policy">tlsproxy_client_policy</a> ($<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>)</b>
              Optional lookup tables with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client TLS
              security policy by next-hop destination.

       Available in Postfix version 3.7 and later:

       <b><a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> ($<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>)</b>
              The default TLS security level for the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>
              client.

       <b><a href="postconf.5.html#tlsproxy_client_policy_maps">tlsproxy_client_policy_maps</a> ($<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>)</b>
              Optional lookup tables with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client TLS
              security policy by next-hop destination.

<b>OBSOLETE STARTTLS SUPPORT CONTROLS</b>
       These parameters are supported for compatibility with <a href="smtpd.8.html"><b>smtpd</b>(8)</a> legacy
       parameters.

       <b><a href="postconf.5.html#tlsproxy_use_tls">tlsproxy_use_tls</a> ($<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</b>
              Opportunistic TLS: announce STARTTLS support to remote SMTP
              clients, but do not require that clients use TLS encryption.

       <b><a href="postconf.5.html#tlsproxy_enforce_tls">tlsproxy_enforce_tls</a> ($<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</b>
              Mandatory TLS: announce STARTTLS support to remote SMTP clients,
              and require that clients use TLS encryption.

       <b><a href="postconf.5.html#tlsproxy_client_use_tls">tlsproxy_client_use_tls</a> ($<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>)</b>
              Opportunistic mode: use TLS when a remote server announces TLS
              support.

       <b><a href="postconf.5.html#tlsproxy_client_enforce_tls">tlsproxy_client_enforce_tls</a> ($<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>)</b>
              Enforcement mode: require that SMTP servers use TLS encryption.

<b>RESOURCE CONTROLS</b>
       <b><a href="postconf.5.html#tlsproxy_watchdog_timeout">tlsproxy_watchdog_timeout</a> (10s)</b>
              How much time a <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> process may take to process local or
              remote I/O before it is terminated by a built-in watchdog timer.

<b>MISCELLANEOUS CONTROLS</b>
       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
              The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a>
              configuration files.

       <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
              The process ID of a Postfix command or daemon process.

       <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
              The process name of a Postfix command or daemon process.

       <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
              The syslog facility of Postfix logging.

       <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
              A prefix that is prepended to the process name in syslog
              records, so that, for example, "smtpd" becomes "prefix/smtpd".

       Available in Postfix 3.3 and later:

       <b><a href="postconf.5.html#service_name">service_name</a> (read-only)</b>
              The <a href="master.5.html">master.cf</a> service name of a Postfix daemon process.

<b>SEE ALSO</b>
       <a href="postscreen.8.html">postscreen(8)</a>, Postfix zombie blocker
       <a href="smtpd.8.html">smtpd(8)</a>, Postfix SMTP server
       <a href="postconf.5.html">postconf(5)</a>, configuration parameters
       <a href="postlogd.8.html">postlogd(8)</a>, Postfix logging
       syslogd(8), system logging

<b>LICENSE</b>
       The Secure Mailer license must be distributed with this software.

<b>HISTORY</b>
       This service was introduced with Postfix version 2.8.

<b>AUTHOR(S)</b>
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

       Wietse Venema
       Google, Inc.
       111 8th Avenue
       New York, NY 10011, USA

                                                                   TLSPROXY(8)
</pre> </body> </html>