TLSPROXY(8postfix) | TLSPROXY(8postfix) |
tlsproxy - Postfix TLS proxy
tlsproxy [generic Postfix daemon options]
The tlsproxy(8) server implements a two-way TLS proxy. It is used by the postscreen(8) server to talk SMTP-over-TLS with remote SMTP clients that are not allowlisted (including clients whose allowlist status has expired), and by the smtp(8) client to support TLS connection reuse, but it should also work for non-SMTP protocols.
Although one tlsproxy(8) process can serve multiple sessions at the same time, it is a good idea to allow the number of processes to increase with load, so that the service remains responsive.
The example below concerns postscreen(8). However, the tlsproxy(8) server is agnostic of the application protocol, and the example is easily adapted to other applications.
After receiving a valid remote SMTP client STARTTLS command, the postscreen(8) server sends the remote SMTP client endpoint string, the requested role (server), and the requested timeout to tlsproxy(8). postscreen(8) then receives a "TLS available" indication from tlsproxy(8). If the TLS service is available, postscreen(8) sends the remote SMTP client file descriptor to tlsproxy(8), and sends the plaintext 220 greeting to the remote SMTP client. This triggers TLS negotiations between the remote SMTP client and tlsproxy(8). Upon completion of the TLS-level handshake, tlsproxy(8) translates between plaintext from/to postscreen(8) and ciphertext to/from the remote SMTP client.
The tlsproxy(8) server is moderately security-sensitive. It talks to untrusted clients on the network. The process can be run chrooted at fixed low privilege.
Problems and transactions are logged to syslogd(8) or postlogd(8).
Changes to main.cf are not picked up automatically, as tlsproxy(8) processes may run for a long time depending on mail server load. Use the command "postfix reload" to speed up a change.
The text below provides only a parameter summary. See postconf(5) for more details including examples.
The following settings are global and therefore cannot be overruled by information specified in a tlsproxy(8) client request.
Available in Postfix version 2.9 and later:
Available in Postfix version 2.11-3.1:
Available in Postfix version 2.11 and later:
Available in Postfix version 3.0 and later:
Available in Postfix version 3.2 and later:
Available in Postfix version 3.4 and later:
Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
These settings are clones of Postfix SMTP server settings. They allow tlsproxy(8) to load the same certificate and private key information as the Postfix SMTP server, before dropping privileges, so that the key files can be kept read-only for root. These settings can currently not be overruled by information in a tlsproxy(8) client request, but that limitation may be removed in a future version.
These settings are clones of Postfix SMTP client settings. They allow tlsproxy(8) to load the same certificate and private key information as the Postfix SMTP client, before dropping privileges, so that the key files can be kept read-only for root. Some settings may be overruled by information in a tlsproxy(8) client request.
Available in Postfix version 3.4 and later:
Available in Postfix version 3.4-3.6:
Available in Postfix version 3.7 and later:
These parameters are supported for compatibility with smtpd(8) legacy parameters.
Available in Postfix 3.3 and later:
postscreen(8), Postfix zombie blocker smtpd(8), Postfix SMTP server postconf(5), configuration parameters postlogd(8), Postfix logging syslogd(8), system logging
The Secure Mailer license must be distributed with this software.
This service was introduced with Postfix version 2.8.
Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown Heights, NY 10598, USA Wietse Venema Google, Inc. 111 8th Avenue New York, NY 10011, USA