{ "content": [ { "type": "text", "text": "# POSTFIX-TLS (man)\n\n## NAME\n\npostfix-tls - Postfix TLS management\n\n## SYNOPSIS\n\npostfix tls subcommand\n\n## DESCRIPTION\n\nThe \"postfix tls subcommand\" feature enables opportunistic TLS in the Postfix SMTP client or\nserver, and manages Postfix SMTP server private keys and certificates.\n\n## Sections\n\n- **NAME**\n- **SYNOPSIS**\n- **DESCRIPTION**\n- **AUXILIARY COMMANDS** (2 subsections)\n- **CONFIGURATION PARAMETERS**\n- **SEE ALSO**\n- **README FILES**\n- **LICENSE**\n- **HISTORY**\n\nUse structuredContent.sections for detailed options, examples, and full documentation.\n" } ], "structuredContent": { "command": "POSTFIX-TLS", "section": "", "mode": "man", "summary": "postfix-tls - Postfix TLS management", "synopsis": "postfix tls subcommand", "tldr_summary": null, "tldr_examples": [], "tldr_source": null, "flags": [], "examples": [], "see_also": [ { "name": "master", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/master/8/json" }, { "name": "postfix", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/postfix/1/json" } ], "section_outline": [ { "name": "NAME", "lines": 2, "subsections": [] }, { "name": "SYNOPSIS", "lines": 2, "subsections": [] }, { "name": "DESCRIPTION", "lines": 112, "subsections": [] }, { "name": "AUXILIARY COMMANDS", "lines": 1, "subsections": [ { "name": "all-default-client", "lines": 7 }, { "name": "all-default-server", "lines": 7 } ] }, { "name": "CONFIGURATION PARAMETERS", "lines": 50, "subsections": [] }, { "name": "SEE ALSO", "lines": 3, "subsections": [] }, { "name": "README FILES", "lines": 3, "subsections": [] }, { "name": "LICENSE", "lines": 2, "subsections": [] }, { "name": "HISTORY", "lines": 8, "subsections": [] } ], "sections": { "NAME": { "content": "postfix-tls - Postfix TLS management\n", "subsections": [] }, "SYNOPSIS": { "content": "postfix tls subcommand\n", "subsections": [] }, "DESCRIPTION": { "content": "The \"postfix tls subcommand\" feature enables opportunistic TLS in the Postfix SMTP client or\nserver, and manages Postfix SMTP server private keys and certificates.\n\nThe following subcommands are available:\n\nenable-client [-r randsource]\nEnable opportunistic TLS in the Postfix SMTP client, if all SMTP client TLS settings\nare at their default values. Otherwise, suggest parameter settings without making any\nchanges.\n\nSpecify randsource to update the value of the tlsrandomsource configuration parame‐\nter (typically, /dev/urandom). Prepend dev: to device paths or egd: to EGD socket\npaths.\n\nSee also the all-default-client subcommand.\n\nenable-server [-r randsource] [-a algorithm] [-b bits] [hostname...]\nCreate a new private key and self-signed server certificate and enable opportunistic\nTLS in the Postfix SMTP server, if all SMTP server TLS settings are at their default\nvalues. Otherwise, suggest parameter settings without making any changes.\n\nThe randsource parameter is as with enable-client above, and the remaining options are\nas with new-server-key below.\n\nSee also the all-default-server subcommand.\n\nnew-server-key [-a algorithm] [-b bits] [hostname...]\nCreate a new private key and self-signed server certificate, but do not deploy them.\nLog and display commands to deploy the new key and corresponding certificate. Also\nlog and display commands to output a corresponding CSR or TLSA records which may be\nneeded to obtain a CA certificate or to update DNS before the new key can be deployed.\n\nThe algorithm defaults to rsa, and bits defaults to 2048. If you choose the ecdsa\nalgorithm then bits will be an EC curve name (by default secp256r1, also known as\nprime256v1). Curves other than secp256r1, secp384r1 or secp521r1 are unlikely to be\nwidely interoperable. When generating EC keys, use one of these three. DSA keys are\nobsolete and are not supported.\n\nNote: ECDSA support requires OpenSSL 1.0.0 or later and may not be available on your\nsystem. Not all client systems will support ECDSA, so you'll generally want to deploy\nboth RSA and ECDSA certificates to make use of ECDSA with compatible clients and RSA\nwith the rest. If you want to deploy certificate chains with intermediate CAs for both\nRSA and ECDSA, you'll want at least OpenSSL 1.0.2, as earlier versions may not handle\nmultiple chain files correctly.\n\nThe first hostname argument will be the CommonName of both the subject and issuer of\nthe self-signed certificate. It, and any additional hostname arguments, will also be\nlisted as DNS alternative names in the certificate. If no hostname is provided the\nvalue of the myhostname main.cf parameter will be used.\n\nFor RSA, the generated private key and certificate files are named key-yyyymmdd-hh‐\nmmss.pem and cert-yyyymmdd-hhmmss.pem, where yyyymmdd is the calendar date and hhmmss\nis the time of day in UTC. For ECDSA, the file names start with eckey- and eccert-\ninstead of key- and cert- respectively.\n\nBefore deploying the new key and certificate with DANE, update the DNS with new DANE\nTLSA records, then wait for secondary nameservers to update and then for stale records\nin remote DNS caches to expire.\n\nBefore deploying a new CA certificate make sure to include all the required intermedi‐\nate issuing CA certificates in the certificate chain file. The server certificate\nmust be the first certificate in the chain file. Overwrite and deploy the file with\nthe original self-signed certificate that was generated together with the key.\n\nnew-server-cert [-a algorithm] [-b bits] [hostname...]\nThis is just like new-server-key except that, rather than generating a new private\nkey, any currently deployed private key is copied to the new key file. Thus if you're\npublishing DANE TLSA \"3 1 1\" or \"3 1 2\" records, there is no need to update DNS\nrecords. The algorithm and bits arguments are used only if no key of the same algo‐\nrithm is already configured.\n\nThis command is rarely needed, because the self-signed certificates generated have a\n100-year nominal expiration time. The underlying public key algorithms may well be\nobsoleted by quantum computers long before then.\n\nThe most plausible reason for using this command is when the system hostname changes,\nand you'd like the name in the certificate to match the new hostname (not required for\nDANE \"3 1 1\", but some needlessly picky non-DANE opportunistic TLS clients may log\nwarnings or even refuse to communicate).\n\ndeploy-server-cert certfile keyfile\nThis subcommand deploys the certificates in certfile and private key in keyfile (which\nare typically generated by the commands above, which will also log and display the\nfull command needed to deploy the generated key and certificate). After the new cer‐\ntificate and key are deployed any obsolete keys and certificates may be removed by\nhand. The keyfile and certfile filenames may be relative to the Postfix configura‐\ntion directory.\n\noutput-server-csr [-k keyfile] [hostname...]\nWrite to stdout a certificate signing request (CSR) for the specified keyfile.\n\nInstead of an absolute pathname or a pathname relative to $configdirectory, keyfile\nmay specify one of the supported key algorithm names (see \"postconf -T public-key-al‐‐\ngorithms\"). In that case, the corresponding setting from main.cf is used to locate the\nkeyfile. The default keyfile value is rsa.\n\nZero or more hostname values can be specified. The default hostname is the value of\nmyhostname main.cf parameter.\n\noutput-server-tlsa [-h hostname] [keyfile...]\nWrite to stdout a DANE TLSA RRset suitable for a port 25 SMTP server on host hostname\nwith keys from any of the specified keyfile values. The default hostname is the value\nof the myhostname main.cf parameter.\n\nInstead of absolute pathnames or pathnames relative to $configdirectory, the keyfile\nlist may specify names of supported public key algorithms (see \"postconf -T pub‐‐\nlic-key-algorithms\"). In that case, the actual keyfile list uses the values of the\ncorresponding Postfix server TLS key file parameters. If a parameter value is empty\nor equal to none, then no TLSA record is output for that algorithm.\n\nThe default keyfile list consists of the two supported algorithms rsa and ecdsa.\n", "subsections": [] }, "AUXILIARY COMMANDS": { "content": "", "subsections": [ { "name": "all-default-client", "content": "Exit with status 0 (success) if all SMTP client TLS settings are\nat their default values. Otherwise, exit with a non-zero status.\nThis is typically used as follows:\n\npostfix tls all-default-client &&\npostfix tls enable-client\n" }, { "name": "all-default-server", "content": "Exit with status 0 (success) if all SMTP server TLS settings are\nat their default values. Otherwise, exit with a non-zero status.\nThis is typically used as follows:\n\npostfix tls all-default-server &&\npostfix tls enable-server\n" } ] }, "CONFIGURATION PARAMETERS": { "content": "The \"postfix tls subcommand\" feature reads or updates the following configuration parameters.\n\ncommanddirectory (see 'postconf -d' output)\nThe location of all postfix administrative commands.\n\nconfigdirectory (see 'postconf -d' output)\nThe default location of the Postfix main.cf and master.cf configuration files.\n\nopensslpath (openssl)\nThe location of the OpenSSL command line program openssl(1).\n\nsmtptlsloglevel (0)\nEnable additional Postfix SMTP client logging of TLS activity.\n\nsmtptlssecuritylevel (empty)\nThe default SMTP TLS security level for the Postfix SMTP client; when a non-empty\nvalue is specified, this overrides the obsolete parameters smtpusetls, smtpen‐\nforcetls, and smtptlsenforcepeername.\n\nsmtptlssessioncachedatabase (empty)\nName of the file containing the optional Postfix SMTP client TLS session cache.\n\nsmtpdtlscertfile (empty)\nFile with the Postfix SMTP server RSA certificate in PEM format.\n\nsmtpdtlseccertfile (empty)\nFile with the Postfix SMTP server ECDSA certificate in PEM format.\n\nsmtpdtlseckeyfile ($smtpdtlseccertfile)\nFile with the Postfix SMTP server ECDSA private key in PEM format.\n\nsmtpdtlskeyfile ($smtpdtlscertfile)\nFile with the Postfix SMTP server RSA private key in PEM format.\n\nsmtpdtlsloglevel (0)\nEnable additional Postfix SMTP server logging of TLS activity.\n\nsmtpdtlsreceivedheader (no)\nRequest that the Postfix SMTP server produces Received: message headers that include\ninformation about the protocol and cipher used, as well as the remote SMTP client Com‐\nmonName and client certificate issuer CommonName.\n\nsmtpdtlssecuritylevel (empty)\nThe SMTP TLS security level for the Postfix SMTP server; when a non-empty value is\nspecified, this overrides the obsolete parameters smtpdusetls and smtpdenforcetls.\n\ntlsrandomsource (see 'postconf -d' output)\nThe external entropy source for the in-memory tlsmgr(8) pseudo random number generator\n(PRNG) pool.\n", "subsections": [] }, "SEE ALSO": { "content": "master(8) Postfix master program\npostfix(1) Postfix administrative interface\n", "subsections": [] }, "README FILES": { "content": "Use \"postconf readmedirectory\" or \"postconf htmldirectory\" to locate this information.\nTLSREADME, Postfix TLS configuration and operation\n", "subsections": [] }, "LICENSE": { "content": "The Secure Mailer license must be distributed with this software.\n", "subsections": [] }, "HISTORY": { "content": "The \"postfix tls\" command was introduced with Postfix version 3.1.\n\nAUTHOR(S)\nViktor Dukhovni\n\n\n\nPOSTFIX-TLS(1)", "subsections": [] } } } }