SGI Techpubs Library


tlsmgr


SYNOPSIS

       tlsmgr [generic Postfix daemon options]


DESCRIPTION

       The  tlsmgr  process  does  housekeeping  on the session cache database
       files. It runs through the databases and removes  expired  entries  and
       entries written by older (incompatible) versions.

       The tlsmgr is responsible for PRNG handling. The internal OpenSSL PRNG
       it uses has a pool size of 8192 bits (= 1024 bytes). The pool is
       initially seeded at startup from an external source (EGD or
       /dev/urandom), and additional seed material is obtained later, while
       the program runs, at a configurable period. The exact time of each seed
       query is chosen using random information and is equally distributed in
       the range [0-tls_random_reseed_period], with tls_random_reseed_period
       having a default of 1 hour.

       Tlsmgr can be run chrooted and with dropped privileges, as it will
       connect to the entropy source at startup.

       The PRNG is additionally seeded internally with the data found in the
       session cache and with time values.

       Tlsmgr reads the old value of the exchange  file  at  startup  to  keep
       entropy already collected during previous runs.

       From the PRNG random pool a cryptographically strong 1024-byte random
       sequence is written into the PRNG exchange file. The file is updated
       periodically, at a time chosen randomly from the range
       [0-tls_random_prng_update_period].


STANDARDS


SECURITY

       Tlsmgr is not security-sensitive. It only deals with external data to
       be fed into the PRNG, and the contents of that data are never trusted.
       The session cache housekeeping will only remove entries if they have
       expired and will never touch the contents of the cached data.


DIAGNOSTICS

       Problems and transactions are logged to the syslog daemon.


BUGS

       There is no automatic means to limit the number of entries in the
       session caches and/or the size of the session cache files.


CONFIGURATION PARAMETERS

       The following main.cf parameters are especially relevant to this
       program. See the Postfix main.cf file for syntax details and for
       default values. Use the postfix reload command after a configuration
       change.


Session Cache

       smtpd_tls_session_cache_database
              Name of the SDBM file (type sdbm:) containing  the  SMTP  server
              session cache. If the file does not exist, it is created.

       smtpd_tls_session_cache_timeout
       smtp_tls_session_cache_timeout
              Expiry time of SMTP client session cache entries in seconds.
              Entries older than this are removed from the session cache. A
              cleanup run is performed periodically every
              smtp_tls_session_cache_timeout seconds. Default is 3600 (= 1
              hour).


Pseudo Random Number Generator

       tls_random_source
              Name of the EGD socket, device, or regular file to obtain
              entropy from. The type of entropy source must be specified by
              preceding the name with the appropriate type:
              egd:/path/to/egd_socket, dev:/path/to/devicefile, or
              /path/to/regular/file. tlsmgr opens tls_random_source and tries
              to read tls_random_bytes from it.

       tls_random_bytes
              Number of bytes to be read from tls_random_source. Default
              value is 32 bytes. If using EGD, a maximum of 255 bytes is read.

       tls_random_exchange_name
              Name of the file written by tlsmgr and read by smtp and smtpd at
              startup. The length is 1024 bytes. Default value is
              /etc/postfix/prng_exch.

       tls_random_reseed_period
              Time in seconds until the next reseed from external sources is
              due. This is the maximum value. The actual point in time is
              calculated with a random factor equally distributed between 0
              and this maximum value. Default is 3600 (= 60 minutes).

       tls_random_prng_update_period
              Time in seconds until the PRNG exchange file is updated with new
              pseudo-random values. This is the maximum value. The actual
              point in time is calculated with a random factor equally
              distributed between 0 and this maximum value. Default is 60 (=
              1 minute).
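       As an added example that is not part of Postfix or of this manual
       page, the following Python script reads the tlsmgr-related main.cf
       parameters listed above and checks them against the constraints the
       page documents: the egd:/dev:/regular-file forms of tls_random_source,
       the 255-byte ceiling when EGD is the source, and the requirement that
       both periods be positive. The main.cf excerpt and the EGD socket path
       in it are constructed for the example.

```python
EGD_MAX_BYTES = 255  # at most 255 bytes are read per request when the source is EGD

# Defaults as given on the manual page; tls_random_source has no documented default.
DEFAULTS = {"tls_random_bytes": "32",
            "tls_random_reseed_period": "3600",
            "tls_random_prng_update_period": "60"}

# Constructed main.cf excerpt with deliberately questionable values (not a real deployment).
SAMPLE_MAIN_CF = """
# hypothetical EGD socket path
tls_random_source = egd:/var/run/egd-pool
tls_random_bytes = 300
tls_random_prng_update_period = 0
"""

def parse_main_cf(text):
    """Minimal main.cf reader: 'key = value' lines, full-line '#' comments, no continuations."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value
    return conf

def parse_random_source(value):
    """Split tls_random_source into (type, path): egd:..., dev:... or a bare regular-file path."""
    for prefix in ("egd:", "dev:"):
        if value.startswith(prefix):
            return prefix[:-1], value[len(prefix):]
    if value.startswith("/"):
        return "file", value
    raise ValueError("unrecognised tls_random_source: %r" % value)

def check_config(conf):
    """Return human-readable findings; an empty list means the settings are consistent."""
    if "tls_random_source" not in conf:
        return ["tls_random_source is not set"]
    findings = []
    src_type, _ = parse_random_source(conf["tls_random_source"])
    nbytes = int(conf["tls_random_bytes"])
    if src_type == "egd" and nbytes > EGD_MAX_BYTES:
        findings.append("tls_random_bytes=%d exceeds the EGD limit of %d" % (nbytes, EGD_MAX_BYTES))
    for key in ("tls_random_reseed_period", "tls_random_prng_update_period"):
        if int(conf[key]) <= 0:
            findings.append("%s must be a positive number of seconds" % key)
    return findings
```

       Run check_config(parse_main_cf(open("/etc/postfix/main.cf").read()))
       against a real main.cf to list the settings that conflict with the
       documented limits.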


SEE ALSO

       smtp(8) SMTP client
       smtpd(8) SMTP server


LICENSE

       The Secure Mailer license must be distributed with this software.


AUTHOR(S)

                                                                     TLSMGR(8)
