<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> <title> Postfix manual - tlsmgr(8) </title> </head> <body> <pre> TLSMGR(8) TLSMGR(8) <b>NAME</b> tlsmgr - Postfix TLS session cache and PRNG manager <b>SYNOPSIS</b> <b>tlsmgr</b> [generic Postfix daemon options] <b>DESCRIPTION</b> The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> manages the Postfix TLS session caches. It stores and retrieves cache entries on request by <a href="smtpd.8.html"><b>smtpd</b>(8)</a> and <a href="smtp.8.html"><b>smtp</b>(8)</a> processes, and periodically removes entries that have expired. The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> also manages the PRNG (pseudo random number generator) pool. It answers queries by the <a href="smtpd.8.html"><b>smtpd</b>(8)</a> and <a href="smtp.8.html"><b>smtp</b>(8)</a> processes to seed their internal PRNG pools. The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>'s PRNG pool is initially seeded from an external source (EGD, /dev/urandom, or regular file). It is updated at configurable pseudo-random intervals with data from the external source. It is updated periodically with data from TLS session cache entries and with the time of day, and is updated with the time of day whenever a process requests <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service. The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> saves the PRNG state to an exchange file periodically and when the process terminates, and reads the exchange file when initializing its PRNG. <b>SECURITY</b> The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> is not security-sensitive. The code that maintains the external and internal PRNG pools does not "trust" the data that it manipulates, and the code that maintains the TLS session cache does not touch the con- tents of the cached entries, except for seeding its inter- nal PRNG pool. The <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> can be run chrooted and with reduced privi- leges. At process startup it connects to the entropy source and exchange file, and creates or truncates the optional TLS session cache files. <b>DIAGNOSTICS</b> Problems and transactions are logged to the syslog daemon. <b>BUGS</b> There is no automatic means to limit the number of entries in the TLS session caches and/or the size of the TLS cache files. <b>CONFIGURATION PARAMETERS</b> Changes to <a href="postconf.5.html"><b>main.cf</b></a> are not picked up automatically, because <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> is a persistent processes. Use the com- mand "<b>postfix reload</b>" after a configuration change. The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples. <b>TLS SESSION CACHE</b> <b><a href="postconf.5.html#lmtp_tls_loglevel">lmtp_tls_loglevel</a> (0)</b> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> configuration parameter. <b><a href="postconf.5.html#lmtp_tls_session_cache_database">lmtp_tls_session_cache_database</a> (empty)</b> The LMTP-specific version of the smtp_tls_ses- sion_cache_database configuration parameter. <b><a href="postconf.5.html#lmtp_tls_session_cache_timeout">lmtp_tls_session_cache_timeout</a> (3600s)</b> The LMTP-specific version of the smtp_tls_ses- sion_cache_timeout configuration parameter. <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b> Enable additional Postfix SMTP client logging of TLS activity. <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b> Name of the file containing the optional Postfix SMTP client TLS session cache. <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b> The expiration time of Postfix SMTP client TLS ses- sion cache information. <b><a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> (0)</b> Enable additional Postfix SMTP server logging of TLS activity. <b><a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> (empty)</b> Name of the file containing the optional Postfix SMTP server TLS session cache. <b><a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a> (3600s)</b> The expiration time of Postfix SMTP server TLS ses- sion cache information. <b>PSEUDO RANDOM NUMBER GENERATOR</b> <b><a href="postconf.5.html#tls_random_source">tls_random_source</a> (see 'postconf -d' output)</b> The external entropy source for the in-memory <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> pseudo random number generator (PRNG) pool. <b><a href="postconf.5.html#tls_random_bytes">tls_random_bytes</a> (32)</b> The number of bytes that <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> reads from $<a href="postconf.5.html#tls_random_source">tls_random_source</a> when (re)seeding the in-memory pseudo random number generator (PRNG) pool. <b><a href="postconf.5.html#tls_random_exchange_name">tls_random_exchange_name</a> (${<a href="postconf.5.html#config_directory">config_directory</a>}/prng_exch)</b> Name of the pseudo random number generator (PRNG) state file that is maintained by <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>. <b><a href="postconf.5.html#tls_random_prng_update_period">tls_random_prng_update_period</a> (3600s)</b> The time between attempts by <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> to save the state of the pseudo random number generator (PRNG) to the file specified with $<a href="postconf.5.html#tls_random_exchange_name">tls_ran</a>- <a href="postconf.5.html#tls_random_exchange_name">dom_exchange_name</a>. <b><a href="postconf.5.html#tls_random_reseed_period">tls_random_reseed_period</a> (3600s)</b> The maximal time between attempts by <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> to re-seed the in-memory pseudo random number genera- tor (PRNG) pool from external sources. <b>MISCELLANEOUS CONTROLS</b> <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b> The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> configuration files. <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b> How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer. <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b> The process ID of a Postfix command or daemon process. <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b> The process name of a Postfix command or daemon process. <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b> The syslog facility of Postfix logging. <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b> The mail system name that is prepended to the process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". <b>SEE ALSO</b> <a href="smtp.8.html">smtp(8)</a>, Postfix SMTP client <a href="smtpd.8.html">smtpd(8)</a>, Postfix SMTP server <a href="postconf.5.html">postconf(5)</a>, configuration parameters <a href="master.5.html">master(5)</a>, generic daemon options <a href="master.8.html">master(8)</a>, process manager syslogd(8), system logging <b>README FILES</b> <a href="TLS_README.html">TLS_README</a>, Postfix TLS configuration and operation <b>LICENSE</b> The Secure Mailer license must be distributed with this software. <b>AUTHOR(S)</b> Lutz Jaenicke BTU Cottbus Allgemeine Elektrotechnik Universitaetsplatz 3-4 D-03044 Cottbus, Germany Adapted by: Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown Heights, NY 10598, USA TLSMGR(8) </pre> </body> </html>