{
    "content": [
        {
            "type": "text",
            "text": "# tlsmgr(8) (man)\n\n**Summary:** tlsmgr - Postfix TLS session cache and PRNG manager\n\n**Synopsis:** tlsmgr [generic Postfix daemon options]\n\n## See Also\n\n- smtp(8)\n- smtpd(8)\n- postconf(5)\n- master(5)\n- master(8)\n- postlogd(8)\n- syslogd(8)\n\n## Section Outline\n\n- **NAME** (2 lines)\n- **SYNOPSIS** (2 lines)\n- **DESCRIPTION** (16 lines)\n- **SECURITY** (14 lines)\n- **DIAGNOSTICS** (2 lines)\n- **BUGS** (3 lines)\n- **CONFIGURATION PARAMETERS** (6 lines)\n- **TLS SESSION CACHE** (29 lines)\n- **PSEUDO RANDOM NUMBER GENERATOR** (20 lines)\n- **MISCELLANEOUS CONTROLS** (29 lines)\n- **SEE ALSO** (8 lines)\n- **README FILES** (3 lines)\n- **LICENSE** (2 lines)\n- **HISTORY** (23 lines)\n\n## Full Content\n\n### NAME\n\ntlsmgr - Postfix TLS session cache and PRNG manager\n\n### SYNOPSIS\n\ntlsmgr [generic Postfix daemon options]\n\n### DESCRIPTION\n\nThe tlsmgr(8) manages the Postfix TLS session caches. It stores and retrieves cache entries\non request by smtpd(8) and smtp(8) processes, and periodically removes entries that have\nexpired.\n\nThe tlsmgr(8) also manages the PRNG (pseudo random number generator) pool. It answers queries\nby the smtpd(8) and smtp(8) processes to seed their internal PRNG pools.\n\nThe tlsmgr(8)'s PRNG pool is initially seeded from an external source (EGD, /dev/urandom, or\nregular file). It is updated at configurable pseudo-random intervals with data from the\nexternal source. It is updated periodically with data from TLS session cache entries and with\nthe time of day, and is updated with the time of day whenever a process requests tlsmgr(8)\nservice.\n\nThe tlsmgr(8) saves the PRNG state to an exchange file periodically and when the process\nterminates, and reads the exchange file when initializing its PRNG.\n\n### SECURITY\n\nThe tlsmgr(8) is not security-sensitive. 
The code that maintains the external and internal\nPRNG pools does not \"trust\" the data that it manipulates, and the code that maintains the TLS\nsession cache does not touch the contents of the cached entries, except for seeding its\ninternal PRNG pool.\n\nThe tlsmgr(8) can be run chrooted and with reduced privileges. At process startup it\nconnects to the entropy source and exchange file, and creates or truncates the optional TLS\nsession cache files.\n\nWith Postfix version 2.5 and later, the tlsmgr(8) no longer uses root privileges when opening\ncache files. These files should now be stored under the Postfix-owned data_directory. As a\nmigration aid, an attempt to open a cache file under a non-Postfix directory is redirected to\nthe Postfix-owned data_directory, and a warning is logged.\n\n### DIAGNOSTICS\n\nProblems and transactions are logged to syslogd(8) or postlogd(8).\n\n### BUGS\n\nThere is no automatic means to limit the number of entries in the TLS session caches and/or\nthe size of the TLS cache files.\n\n### CONFIGURATION PARAMETERS\n\nChanges to main.cf are not picked up automatically, because tlsmgr(8) is a persistent\nprocess. Use the command \"postfix reload\" after a configuration change.\n\nThe text below provides only a parameter summary. 
See postconf(5) for more details including\nexamples.\n\n### TLS SESSION CACHE\n\nlmtp_tls_loglevel (0)\nThe LMTP-specific version of the smtp_tls_loglevel configuration parameter.\n\nlmtp_tls_session_cache_database (empty)\nThe LMTP-specific version of the smtp_tls_session_cache_database configuration\nparameter.\n\nlmtp_tls_session_cache_timeout (3600s)\nThe LMTP-specific version of the smtp_tls_session_cache_timeout configuration\nparameter.\n\nsmtp_tls_loglevel (0)\nEnable additional Postfix SMTP client logging of TLS activity.\n\nsmtp_tls_session_cache_database (empty)\nName of the file containing the optional Postfix SMTP client TLS session cache.\n\nsmtp_tls_session_cache_timeout (3600s)\nThe expiration time of Postfix SMTP client TLS session cache information.\n\nsmtpd_tls_loglevel (0)\nEnable additional Postfix SMTP server logging of TLS activity.\n\nsmtpd_tls_session_cache_database (empty)\nName of the file containing the optional Postfix SMTP server TLS session cache.\n\nsmtpd_tls_session_cache_timeout (3600s)\nThe expiration time of Postfix SMTP server TLS session cache information.\n\n### PSEUDO RANDOM NUMBER GENERATOR\n\ntls_random_source (see 'postconf -d' output)\nThe external entropy source for the in-memory tlsmgr(8) pseudo random number generator\n(PRNG) pool.\n\ntls_random_bytes (32)\nThe number of bytes that tlsmgr(8) reads from $tls_random_source when (re)seeding the\nin-memory pseudo random number generator (PRNG) pool.\n\ntls_random_exchange_name (see 'postconf -d' output)\nName of the pseudo random number generator (PRNG) state file that is maintained by\ntlsmgr(8).\n\ntls_random_prng_update_period (3600s)\nThe time between attempts by tlsmgr(8) to save the state of the pseudo random number\ngenerator (PRNG) to the file specified with $tls_random_exchange_name.\n\ntls_random_reseed_period (3600s)\nThe maximal time between attempts by tlsmgr(8) to re-seed the in-memory pseudo random\nnumber generator (PRNG) pool from external sources.\n\n### MISCELLANEOUS CONTROLS\n\nconfig_directory 
(see 'postconf -d' output)\nThe default location of the Postfix main.cf and master.cf configuration files.\n\ndata_directory (see 'postconf -d' output)\nThe directory with Postfix-writable data files (for example: caches, pseudo-random\nnumbers).\n\ndaemon_timeout (18000s)\nHow much time a Postfix daemon process may take to handle a request before it is\nterminated by a built-in watchdog timer.\n\nprocess_id (read-only)\nThe process ID of a Postfix command or daemon process.\n\nprocess_name (read-only)\nThe process name of a Postfix command or daemon process.\n\nsyslog_facility (mail)\nThe syslog facility of Postfix logging.\n\nsyslog_name (see 'postconf -d' output)\nA prefix that is prepended to the process name in syslog records, so that, for example,\n\"smtpd\" becomes \"prefix/smtpd\".\n\nAvailable in Postfix 3.3 and later:\n\nservice_name (read-only)\nThe master.cf service name of a Postfix daemon process.\n\n### SEE ALSO\n\nsmtp(8), Postfix SMTP client\nsmtpd(8), Postfix SMTP server\npostconf(5), configuration parameters\nmaster(5), generic daemon options\nmaster(8), process manager\npostlogd(8), Postfix logging\nsyslogd(8), system logging\n\n### README FILES\n\nUse \"postconf readme_directory\" or \"postconf html_directory\" to locate this information.\nTLS_README, Postfix TLS configuration and operation\n\n### LICENSE\n\nThe Secure Mailer license must be distributed with this software.\n\n### HISTORY\n\nThis service was introduced with Postfix version 2.2.\n\nAUTHOR(S)\nLutz Jaenicke\nBTU Cottbus\nAllgemeine Elektrotechnik\nUniversitaetsplatz 3-4\nD-03044 Cottbus, Germany\n\nAdapted by:\nWietse Venema\nIBM T.J. Watson Research\nP.O. Box 704\nYorktown Heights, NY 10598, USA\n\nWietse Venema\nGoogle, Inc.\n111 8th Avenue\nNew York, NY 10011, USA\n\n\n\nTLSMGR(8postfix)\n\n"
        }
    ],
    "structuredContent": {
        "command": "tlsmgr",
        "section": "8",
        "mode": "man",
        "summary": "tlsmgr - Postfix TLS session cache and PRNG manager",
        "synopsis": "tlsmgr [generic Postfix daemon options]",
        "flags": [],
        "examples": [],
        "see_also": [
            {
                "name": "smtp",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/smtp/8/json"
            },
            {
                "name": "smtpd",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/smtpd/8/json"
            },
            {
                "name": "postconf",
                "section": "5",
                "url": "https://www.chedong.com/phpMan.php/man/postconf/5/json"
            },
            {
                "name": "master",
                "section": "5",
                "url": "https://www.chedong.com/phpMan.php/man/master/5/json"
            },
            {
                "name": "master",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/master/8/json"
            },
            {
                "name": "postlogd",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/postlogd/8/json"
            },
            {
                "name": "syslogd",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/syslogd/8/json"
            }
        ],
        "section_outline": [
            {
                "name": "NAME",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "SYNOPSIS",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "DESCRIPTION",
                "lines": 16,
                "subsections": []
            },
            {
                "name": "SECURITY",
                "lines": 14,
                "subsections": []
            },
            {
                "name": "DIAGNOSTICS",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "BUGS",
                "lines": 3,
                "subsections": []
            },
            {
                "name": "CONFIGURATION PARAMETERS",
                "lines": 6,
                "subsections": []
            },
            {
                "name": "TLS SESSION CACHE",
                "lines": 29,
                "subsections": []
            },
            {
                "name": "PSEUDO RANDOM NUMBER GENERATOR",
                "lines": 20,
                "subsections": []
            },
            {
                "name": "MISCELLANEOUS CONTROLS",
                "lines": 29,
                "subsections": []
            },
            {
                "name": "SEE ALSO",
                "lines": 8,
                "subsections": []
            },
            {
                "name": "README FILES",
                "lines": 3,
                "subsections": []
            },
            {
                "name": "LICENSE",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "HISTORY",
                "lines": 23,
                "subsections": []
            }
        ]
    }
}