Linux » Man Pages
find in page
tlsmgr [generic Postfix daemon options]
The tlsmgr process does housekeeping on the session cache database
files. It runs through the databases and removes expired entries and
entries written by older (incompatible) versions.
The tlsmgr is responsible for the PRNG handling. The used internal
OpenSSL PRNG has a pool size of 8192 bits (= 1024 bytes). The pool is
initially seeded at startup from an external source (EGD or /dev/uran-
dom) and additional seed is obtained later during program run at a con-
figurable period. The exact time of seed query is using random informa-
tion and is equally distributed in the range of [0-tls_ran-
dom_reseed_period] with a tls_random_reseed_period having a default of
Tlsmgr can be run chrooted and with dropped privileges, as it will con-
nect to the entropy source at startup.
The PRNG is additionally seeded internally by the data found in the
session cache and timevalues.
Tlsmgr reads the old value of the exchange file at startup to keep
entropy already collected during previous runs.
From the PRNG random pool a cryptographically strong 1024 byte random
sequence is written into the PRNG exchange file. The file is updated
periodically with the time changing randomly from [0-tls_ran-
Tlsmgr is not security-sensitive. It only deals with external data to
be fed into the PRNG, the contents is never trusted. The session cache
housekeeping will only remove entries if expired and will never touch
the contents of the cached data.
Problems and transactions are logged to the syslog daemon.
There is no automatic means to limit the number of entries in the ses-
sion caches and/or the size of the session cache files.
The following main.cf parameters are especially relevant to this pro-
gram. See the Postfix main.cf file for syntax details and for default
values. Use the postfix reload command after a configuration change.
Name of the SDBM file (type sdbm:) containing the SMTP server
session cache. If the file does not exist, it is created.
Expiry time of SMTP client session cache entries in seconds.
Entries older than this are removed from the session cache. A
cleanup-run is performed periodically every smtp_tls_ses-
sion_cache_timeout seconds. Default is 3600 (= 1 hour).
Pseudo Random Number Generator
Name of the EGD socket or device or regular file to obtain
entropy from. The type of entropy source must be specified by
preceding the name with the appropriate type:
egd:/path/to/egd_socket, dev:/path/to/devicefile, or
/path/to/regular/file. tlsmgr opens tls_random_source and tries
to read tls_random_bytes from it.
Number of bytes to be read from tls_random_source. Default
value is 32 bytes. If using EGD, a maximum of 255 bytes is read.
Name of the file written by tlsmgr and read by smtp and smtpd at
startup. The length is 1024 bytes. Default value is /etc/post-
Time in seconds until the next reseed from external sources is
due. This is the maximum value. The actual point in time is
calculated with a random factor equally distributed between 0
and this maximum value. Default is 3600 (= 60 minutes).
Time in seconds until the PRNG exchange file is updated with new
pseude random values. This is the maximum value. The actual
point in time is calculated with a random factor equally dis-
tributed between 0 and this maximum value. Default is 60 (= 1
smtp(8) SMTP client
smtpd(8) SMTP server
The Secure Mailer license must be distributed with this software.
Output converted with
what's new |