{
    "mode": "man",
    "parameter": "tlsproxy",
    "section": "8",
    "url": "https://www.chedong.com/phpMan.php/man/tlsproxy/8/json",
    "generated": "2026-06-16T22:20:06Z",
    "synopsis": "tlsproxy [generic Postfix daemon options]",
    "sections": {
        "NAME": {
            "content": "tlsproxy - Postfix TLS proxy\n",
            "subsections": []
        },
        "SYNOPSIS": {
            "content": "tlsproxy [generic Postfix daemon options]\n",
            "subsections": []
        },
        "DESCRIPTION": {
            "content": "The tlsproxy(8) server implements a two-way TLS proxy. It is used by the postscreen(8) server\nto talk SMTP-over-TLS with remote SMTP clients that are not allowlisted (including clients\nwhose allowlist status has expired), and by the smtp(8) client to support TLS connection\nreuse, but it should also work for non-SMTP protocols.\n\nAlthough one tlsproxy(8) process can serve multiple sessions at the same time, it is a good\nidea to allow the number of processes to increase with load, so that the service remains\nresponsive.\n",
            "subsections": []
        },
        "PROTOCOL EXAMPLE": {
            "content": "The example below concerns postscreen(8). However, the tlsproxy(8) server is agnostic of the\napplication protocol, and the example is easily adapted to other applications.\n\nAfter receiving a valid remote SMTP client STARTTLS command, the postscreen(8) server sends\nthe remote SMTP client endpoint string, the requested role (server), and the requested\ntimeout to tlsproxy(8). postscreen(8) then receives a \"TLS available\" indication from\ntlsproxy(8). If the TLS service is available, postscreen(8) sends the remote SMTP client file\ndescriptor to tlsproxy(8), and sends the plaintext 220 greeting to the remote SMTP client.\nThis triggers TLS negotiations between the remote SMTP client and tlsproxy(8). Upon\ncompletion of the TLS-level handshake, tlsproxy(8) translates between plaintext from/to\npostscreen(8) and ciphertext to/from the remote SMTP client.\n",
            "subsections": []
        },
        "SECURITY": {
            "content": "The tlsproxy(8) server is moderately security-sensitive. It talks to untrusted clients on\nthe network. The process can be run chrooted at fixed low privilege.\n",
            "subsections": []
        },
        "DIAGNOSTICS": {
            "content": "Problems and transactions are logged to syslogd(8) or postlogd(8).\n",
            "subsections": []
        },
        "CONFIGURATION PARAMETERS": {
            "content": "Changes to main.cf are not picked up automatically, as tlsproxy(8) processes may run for a\nlong time depending on mail server load. Use the command \"postfix reload\" to speed up a\nchange.\n\nThe text below provides only a parameter summary. See postconf(5) for more details including\nexamples.\n",
            "subsections": []
        },
        "STARTTLS GLOBAL CONTROLS": {
            "content": "The following settings are global and therefore cannot be overruled by information specified\nin a tlsproxy(8) client request.\n\ntls_append_default_CA (no)\nAppend the system-supplied default Certification Authority certificates to the ones\nspecified with *_tls_CApath or *_tls_CAfile.\n\ntls_daemon_random_bytes (32)\nThe number of pseudo-random bytes that an smtp(8) or smtpd(8) process requests from\nthe tlsmgr(8) server in order to seed its internal pseudo random number generator\n(PRNG).\n\ntls_high_cipherlist (see 'postconf -d' output)\nThe OpenSSL cipherlist for \"high\" grade ciphers.\n\ntls_medium_cipherlist (see 'postconf -d' output)\nThe OpenSSL cipherlist for \"medium\" or higher grade ciphers.\n\ntls_low_cipherlist (see 'postconf -d' output)\nThe OpenSSL cipherlist for \"low\" or higher grade ciphers.\n\ntls_export_cipherlist (see 'postconf -d' output)\nThe OpenSSL cipherlist for \"export\" or higher grade ciphers.\n\ntls_null_cipherlist (eNULL:!aNULL)\nThe OpenSSL cipherlist for \"NULL\" grade ciphers that provide authentication without\nencryption.\n\ntls_eecdh_strong_curve (prime256v1)\nThe elliptic curve used by the Postfix SMTP server for sensibly strong ephemeral ECDH\nkey exchange.\n\ntls_eecdh_ultra_curve (secp384r1)\nThe elliptic curve used by the Postfix SMTP server for maximally strong ephemeral ECDH\nkey exchange.\n\ntls_disable_workarounds (see 'postconf -d' output)\nList or bit-mask of OpenSSL bug work-arounds to disable.\n\ntls_preempt_cipherlist (no)\nWith SSLv3 and later, use the Postfix SMTP server's cipher preference order instead of\nthe remote client's cipher preference order.\n\nAvailable in Postfix version 2.9 and later:\n\ntls_legacy_public_key_fingerprints (no)\nA temporary migration aid for sites that use certificate public-key fingerprints with\nPostfix 2.9.0..2.9.5, which use an incorrect algorithm.\n\nAvailable in Postfix version 2.11-3.1:\n\ntls_dane_digest_agility (on)\nConfigure RFC7671 DANE TLSA digest algorithm agility.\n\ntls_dane_trust_anchor_digest_enable (yes)\nEnable support for RFC 6698 (DANE TLSA) DNS records that contain digests of trust-anchors\nwith certificate usage \"2\".\n\nAvailable in Postfix version 2.11 and later:\n\ntlsmgr_service_name (tlsmgr)\nThe name of the tlsmgr(8) service entry in master.cf.\n\nAvailable in Postfix version 3.0 and later:\n\ntls_session_ticket_cipher (Postfix >= 3.0: aes-256-cbc, Postfix < 3.0: aes-128-cbc)\nAlgorithm used to encrypt RFC5077 TLS session tickets.\n\nopenssl_path (openssl)\nThe location of the OpenSSL command line program openssl(1).\n\nAvailable in Postfix version 3.2 and later:\n\ntls_eecdh_auto_curves (see 'postconf -d' output)\nThe prioritized list of elliptic curves supported by the Postfix SMTP client and\nserver.\n\nAvailable in Postfix version 3.4 and later:\n\ntls_server_sni_maps (empty)\nOptional lookup tables that map names received from remote SMTP clients via the TLS\nServer Name Indication (SNI) extension to the appropriate keys and certificate chains.\n\nAvailable in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:\n\ntls_fast_shutdown_enable (yes)\nA workaround for implementations that hang Postfix while shutting down a TLS session,\nuntil Postfix times out.\n",
            "subsections": []
        },
        "STARTTLS SERVER CONTROLS": {
            "content": "These settings are clones of Postfix SMTP server settings. They allow tlsproxy(8) to load\nthe same certificate and private key information as the Postfix SMTP server, before dropping\nprivileges, so that the key files can be kept read-only for root. These settings can\ncurrently not be overruled by information in a tlsproxy(8) client request, but that limitation\nmay be removed in a future version.\n\ntlsproxy_tls_CAfile ($smtpd_tls_CAfile)\nA file containing (PEM format) CA certificates of root CAs trusted to sign either remote\nSMTP client certificates or intermediate CA certificates.\n\ntlsproxy_tls_CApath ($smtpd_tls_CApath)\nA directory containing (PEM format) CA certificates of root CAs trusted to sign either\nremote SMTP client certificates or intermediate CA certificates.\n\ntlsproxy_tls_always_issue_session_ids ($smtpd_tls_always_issue_session_ids)\nForce the Postfix tlsproxy(8) server to issue a TLS session id, even when TLS session\ncaching is turned off.\n\ntlsproxy_tls_ask_ccert ($smtpd_tls_ask_ccert)\nAsk a remote SMTP client for a client certificate.\n\ntlsproxy_tls_ccert_verifydepth ($smtpd_tls_ccert_verifydepth)\nThe verification depth for remote SMTP client certificates.\n\ntlsproxy_tls_cert_file ($smtpd_tls_cert_file)\nFile with the Postfix tlsproxy(8) server RSA certificate in PEM format.\n\ntlsproxy_tls_ciphers ($smtpd_tls_ciphers)\nThe minimum TLS cipher grade that the Postfix tlsproxy(8) server will use with\nopportunistic TLS encryption.\n\ntlsproxy_tls_dcert_file ($smtpd_tls_dcert_file)\nFile with the Postfix tlsproxy(8) server DSA certificate in PEM format.\n\ntlsproxy_tls_dh1024_param_file ($smtpd_tls_dh1024_param_file)\nFile with DH parameters that the Postfix tlsproxy(8) server should use with non-export\nEDH ciphers.\n\ntlsproxy_tls_dh512_param_file ($smtpd_tls_dh512_param_file)\nFile with DH parameters that the Postfix tlsproxy(8) server should use with\nexport-grade EDH ciphers.\n\ntlsproxy_tls_dkey_file ($smtpd_tls_dkey_file)\nFile with the Postfix tlsproxy(8) server DSA private key in PEM format.\n\ntlsproxy_tls_eccert_file ($smtpd_tls_eccert_file)\nFile with the Postfix tlsproxy(8) server ECDSA certificate in PEM format.\n\ntlsproxy_tls_eckey_file ($smtpd_tls_eckey_file)\nFile with the Postfix tlsproxy(8) server ECDSA private key in PEM format.\n\ntlsproxy_tls_eecdh_grade ($smtpd_tls_eecdh_grade)\nThe Postfix tlsproxy(8) server security grade for ephemeral elliptic-curve\nDiffie-Hellman (EECDH) key exchange.\n\ntlsproxy_tls_exclude_ciphers ($smtpd_tls_exclude_ciphers)\nList of ciphers or cipher types to exclude from the tlsproxy(8) server cipher list at\nall TLS security levels.\n\ntlsproxy_tls_fingerprint_digest ($smtpd_tls_fingerprint_digest)\nThe message digest algorithm to construct remote SMTP client-certificate fingerprints.\n\ntlsproxy_tls_key_file ($smtpd_tls_key_file)\nFile with the Postfix tlsproxy(8) server RSA private key in PEM format.\n\ntlsproxy_tls_loglevel ($smtpd_tls_loglevel)\nEnable additional Postfix tlsproxy(8) server logging of TLS activity.\n\ntlsproxy_tls_mandatory_ciphers ($smtpd_tls_mandatory_ciphers)\nThe minimum TLS cipher grade that the Postfix tlsproxy(8) server will use with\nmandatory TLS encryption.\n\ntlsproxy_tls_mandatory_exclude_ciphers ($smtpd_tls_mandatory_exclude_ciphers)\nAdditional list of ciphers or cipher types to exclude from the tlsproxy(8) server\ncipher list at mandatory TLS security levels.\n\ntlsproxy_tls_mandatory_protocols ($smtpd_tls_mandatory_protocols)\nThe SSL/TLS protocols accepted by the Postfix tlsproxy(8) server with mandatory TLS\nencryption.\n\ntlsproxy_tls_protocols ($smtpd_tls_protocols)\nList of TLS protocols that the Postfix tlsproxy(8) server will exclude or include with\nopportunistic TLS encryption.\n\ntlsproxy_tls_req_ccert ($smtpd_tls_req_ccert)\nWith mandatory TLS encryption, require a trusted remote SMTP client certificate in\norder to allow TLS connections to proceed.\n\ntlsproxy_tls_security_level ($smtpd_tls_security_level)\nThe SMTP TLS security level for the Postfix tlsproxy(8) server; when a non-empty value\nis specified, this overrides the obsolete parameters smtpd_use_tls and\nsmtpd_enforce_tls.\n\ntlsproxy_tls_chain_files ($smtpd_tls_chain_files)\nFiles with the Postfix tlsproxy(8) server keys and certificate chains in PEM format.\n",
            "subsections": []
        },
        "STARTTLS CLIENT CONTROLS": {
            "content": "These settings are clones of Postfix SMTP client settings. They allow tlsproxy(8) to load\nthe same certificate and private key information as the Postfix SMTP client, before dropping\nprivileges, so that the key files can be kept read-only for root. Some settings may be\noverruled by information in a tlsproxy(8) client request.\n\nAvailable in Postfix version 3.4 and later:\n\ntlsproxy_client_CAfile ($smtp_tls_CAfile)\nA file containing CA certificates of root CAs trusted to sign either remote TLS server\ncertificates or intermediate CA certificates.\n\ntlsproxy_client_CApath ($smtp_tls_CApath)\nDirectory with PEM format Certification Authority certificates that the Postfix\ntlsproxy(8) client uses to verify a remote TLS server certificate.\n\ntlsproxy_client_chain_files ($smtp_tls_chain_files)\nFiles with the Postfix tlsproxy(8) client keys and certificate chains in PEM format.\n\ntlsproxy_client_cert_file ($smtp_tls_cert_file)\nFile with the Postfix tlsproxy(8) client RSA certificate in PEM format.\n\ntlsproxy_client_key_file ($smtp_tls_key_file)\nFile with the Postfix tlsproxy(8) client RSA private key in PEM format.\n\ntlsproxy_client_dcert_file ($smtp_tls_dcert_file)\nFile with the Postfix tlsproxy(8) client DSA certificate in PEM format.\n\ntlsproxy_client_dkey_file ($smtp_tls_dkey_file)\nFile with the Postfix tlsproxy(8) client DSA private key in PEM format.\n\ntlsproxy_client_eccert_file ($smtp_tls_eccert_file)\nFile with the Postfix tlsproxy(8) client ECDSA certificate in PEM format.\n\ntlsproxy_client_eckey_file ($smtp_tls_eckey_file)\nFile with the Postfix tlsproxy(8) client ECDSA private key in PEM format.\n\ntlsproxy_client_fingerprint_digest ($smtp_tls_fingerprint_digest)\nThe message digest algorithm used to construct remote TLS server certificate\nfingerprints.\n\ntlsproxy_client_loglevel ($smtp_tls_loglevel)\nEnable additional Postfix tlsproxy(8) client logging of TLS activity.\n\ntlsproxy_client_loglevel_parameter (smtp_tls_loglevel)\nThe name of the parameter that provides the tlsproxy_client_loglevel value.\n\ntlsproxy_client_scert_verifydepth ($smtp_tls_scert_verifydepth)\nThe verification depth for remote TLS server certificates.\n\ntlsproxy_client_security_level ($smtp_tls_security_level)\nThe default TLS security level for the Postfix tlsproxy(8) client.\n\ntlsproxy_client_policy_maps ($smtp_tls_policy_maps)\nOptional lookup tables with the Postfix tlsproxy(8) client TLS security policy by\nnext-hop destination.\n\ntlsproxy_client_use_tls ($smtp_use_tls)\nOpportunistic mode: use TLS when a remote server announces TLS support.\n\ntlsproxy_client_enforce_tls ($smtp_enforce_tls)\nEnforcement mode: require that SMTP servers use TLS encryption.\n\ntlsproxy_client_per_site ($smtp_tls_per_site)\nOptional lookup tables with the Postfix tlsproxy(8) client TLS usage policy by\nnext-hop destination and by remote TLS server hostname.\n",
            "subsections": []
        },
        "OBSOLETE STARTTLS SUPPORT CONTROLS": {
            "content": "These parameters are supported for compatibility with smtpd(8) legacy parameters.\n\ntlsproxy_use_tls ($smtpd_use_tls)\nOpportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not\nrequire that clients use TLS encryption.\n\ntlsproxy_enforce_tls ($smtpd_enforce_tls)\nMandatory TLS: announce STARTTLS support to remote SMTP clients, and require that\nclients use TLS encryption.\n",
            "subsections": []
        },
        "RESOURCE CONTROLS": {
            "content": "tlsproxy_watchdog_timeout (10s)\nHow much time a tlsproxy(8) process may take to process local or remote I/O before it\nis terminated by a built-in watchdog timer.\n",
            "subsections": []
        },
        "MISCELLANEOUS CONTROLS": {
            "content": "config_directory (see 'postconf -d' output)\nThe default location of the Postfix main.cf and master.cf configuration files.\n\nprocess_id (read-only)\nThe process ID of a Postfix command or daemon process.\n\nprocess_name (read-only)\nThe process name of a Postfix command or daemon process.\n\nsyslog_facility (mail)\nThe syslog facility of Postfix logging.\n\nsyslog_name (see 'postconf -d' output)\nA prefix that is prepended to the process name in syslog records, so that, for\nexample, \"smtpd\" becomes \"prefix/smtpd\".\n\nAvailable in Postfix 3.3 and later:\n\nservice_name (read-only)\nThe master.cf service name of a Postfix daemon process.\n",
            "subsections": []
        },
        "SEE ALSO": {
            "content": "postscreen(8), Postfix zombie blocker\nsmtpd(8), Postfix SMTP server\npostconf(5), configuration parameters\npostlogd(8), Postfix logging\nsyslogd(8), system logging\n",
            "subsections": []
        },
        "LICENSE": {
            "content": "The Secure Mailer license must be distributed with this software.\n",
            "subsections": []
        },
        "HISTORY": {
            "content": "This service was introduced with Postfix version 2.8.\n",
            "subsections": []
        },
        "AUTHOR(S)": {
            "content": "Wietse Venema\nIBM T.J. Watson Research\nP.O. Box 704\nYorktown Heights, NY 10598, USA\n\nWietse Venema\nGoogle, Inc.\n111 8th Avenue\nNew York, NY 10011, USA\n",
            "subsections": []
        }
    },
    "summary": "tlsproxy - Postfix TLS proxy",
    "flags": [],
    "examples": [],
    "see_also": [
        {
            "name": "postscreen",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/postscreen/8/json"
        },
        {
            "name": "smtpd",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/smtpd/8/json"
        },
        {
            "name": "postconf",
            "section": "5",
            "url": "https://www.chedong.com/phpMan.php/man/postconf/5/json"
        },
        {
            "name": "postlogd",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/postlogd/8/json"
        },
        {
            "name": "syslogd",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/syslogd/8/json"
        }
    ]
}