Site Navigation

FreeBSD Manual Pages

   man apropos
 
   All Sections 1 - General Commands 2 - System Calls 3 - Subroutines 4 - Special Files 5 - File Formats 6 - Games 7 - Macros and Conventions 8 - Maintenance Commands 9 - Kernel Interface n - New Commands FreeBSD 16.0-CURRENT FreeBSD 15.0-STABLE FreeBSD 14.3-RELEASE FreeBSD 14.3-RELEASE and Ports FreeBSD 14.3-STABLE FreeBSD 14.2-RELEASE FreeBSD 14.2-RELEASE and Ports FreeBSD 14.1-RELEASE FreeBSD 14.1-RELEASE and Ports FreeBSD 14.0-RELEASE FreeBSD 14.0-RELEASE and Ports FreeBSD 13.5-RELEASE FreeBSD 13.5-RELEASE and Ports FreeBSD 13.5-STABLE FreeBSD 13.4-RELEASE FreeBSD 13.4-RELEASE and Ports FreeBSD 13.3-RELEASE FreeBSD 13.3-RELEASE and Ports FreeBSD 13.2-RELEASE FreeBSD 13.2-RELEASE and Ports FreeBSD 13.1-RELEASE FreeBSD 13.1-RELEASE and Ports FreeBSD 13.0-RELEASE FreeBSD 13.0-RELEASE and Ports FreeBSD 12.4-RELEASE FreeBSD 12.4-RELEASE and Ports FreeBSD 12.3-RELEASE FreeBSD 12.3-RELEASE and Ports FreeBSD 12.2-RELEASE FreeBSD 12.2-RELEASE and Ports FreeBSD 12.1-RELEASE FreeBSD 12.1-RELEASE and Ports FreeBSD 12.0-RELEASE FreeBSD 12.0-RELEASE and Ports FreeBSD 11.4-RELEASE FreeBSD 11.4-RELEASE and Ports FreeBSD 11.3-RELEASE FreeBSD 11.3-RELEASE and Ports FreeBSD 11.2-RELEASE FreeBSD 11.2-RELEASE and Ports FreeBSD 11.1-RELEASE FreeBSD 11.1-RELEASE and Ports FreeBSD 11.0-RELEASE FreeBSD 11.0-RELEASE and Ports FreeBSD 10.4-RELEASE FreeBSD 10.4-RELEASE and Ports FreeBSD 10.3-RELEASE FreeBSD 10.3-RELEASE and Ports FreeBSD 10.2-RELEASE FreeBSD 10.2-RELEASE and Ports FreeBSD 10.1-RELEASE FreeBSD 10.1-RELEASE and Ports FreeBSD 10.0-RELEASE FreeBSD 10.0-RELEASE and Ports FreeBSD 9.3-RELEASE FreeBSD 9.3-RELEASE and Ports FreeBSD 9.2-RELEASE FreeBSD 9.2-RELEASE and Ports FreeBSD 9.1-RELEASE FreeBSD 9.1-RELEASE and Ports FreeBSD 9.0-RELEASE FreeBSD 9.0-RELEASE and Ports FreeBSD 8.4-RELEASE FreeBSD 8.4-RELEASE and Ports FreeBSD 8.3-RELEASE FreeBSD 8.3-RELEASE and Ports FreeBSD 8.2-RELEASE FreeBSD 8.2-RELEASE and Ports FreeBSD 8.1-RELEASE FreeBSD 8.1-RELEASE and Ports FreeBSD 8.0-RELEASE FreeBSD 8.0-RELEASE and Ports FreeBSD 7.4-RELEASE FreeBSD 7.4-RELEASE and Ports FreeBSD 7.3-RELEASE FreeBSD 7.3-RELEASE and Ports FreeBSD 7.2-RELEASE FreeBSD 7.2-RELEASE and Ports FreeBSD 7.1-RELEASE FreeBSD 7.1-RELEASE and Ports FreeBSD 7.0-RELEASE FreeBSD 6.4-RELEASE FreeBSD 6.4-RELEASE and Ports FreeBSD 6.3-RELEASE FreeBSD 6.3-RELEASE and Ports FreeBSD 6.2-RELEASE FreeBSD 6.1-RELEASE FreeBSD 6.0-RELEASE FreeBSD 6.0-RELEASE and Ports FreeBSD 5.5-RELEASE FreeBSD 5.5-RELEASE and Ports FreeBSD 5.4-RELEASE FreeBSD 5.4-RELEASE and Ports FreeBSD 5.3-RELEASE FreeBSD 5.3-RELEASE and Ports FreeBSD 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE and Ports FreeBSD 5.2-RELEASE FreeBSD 5.2-RELEASE and Ports FreeBSD 5.1-RELEASE FreeBSD 5.0-RELEASE FreeBSD 4.11-RELEASE FreeBSD 4.11-RELEASE and Ports FreeBSD 4.10-RELEASE FreeBSD 4.10-RELEASE and Ports FreeBSD 4.9-RELEASE FreeBSD 4.9-RELEASE and Ports FreeBSD 4.8-RELEASE FreeBSD 4.8-RELEASE and Ports FreeBSD 4.7-RELEASE FreeBSD 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE and Ports FreeBSD 4.6-RELEASE FreeBSD 4.6-RELEASE and Ports FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE and Ports FreeBSD 4.4-RELEASE FreeBSD 4.3-RELEASE FreeBSD 4.3-RELEASE and Ports FreeBSD 4.2-RELEASE FreeBSD 4.2-RELEASE and Ports FreeBSD 4.1.1-RELEASE FreeBSD 4.1.1-RELEASE and Ports FreeBSD 4.1-RELEASE FreeBSD 4.0-RELEASE FreeBSD 3.5.1-RELEASE FreeBSD 3.5.1-RELEASE and Ports FreeBSD 3.5-RELEASE and Ports FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE and Ports FreeBSD 3.3-RELEASE FreeBSD 3.2-RELEASE FreeBSD 3.1-RELEASE FreeBSD 3.0-RELEASE FreeBSD 2.2.8-RELEASE FreeBSD 2.2.8-RELEASE and Ports FreeBSD 2.2.7-RELEASE FreeBSD 2.2.6-RELEASE FreeBSD 2.2.5-RELEASE FreeBSD 2.2.2-RELEASE FreeBSD 2.2.1-RELEASE FreeBSD 2.1.7.1-RELEASE FreeBSD 2.1.6.1-RELEASE FreeBSD 2.1.5-RELEASE FreeBSD 2.1.0-RELEASE FreeBSD 2.0.5-RELEASE FreeBSD 2.0-RELEASE FreeBSD 1.1.5.1-RELEASE FreeBSD 1.1-RELEASE FreeBSD 1.0-RELEASE FreeBSD Ports 14.3 FreeBSD Ports 14.3.quarterly FreeBSD Ports 14.2 FreeBSD Ports 14.1 FreeBSD Ports 14.0 FreeBSD Ports 13.5 FreeBSD Ports 13.4 FreeBSD Ports 13.3 FreeBSD Ports 13.2 FreeBSD Ports 13.1 FreeBSD Ports 13.0 FreeBSD Ports 12.4 FreeBSD Ports 12.3 FreeBSD Ports 12.2 FreeBSD Ports 12.1 FreeBSD Ports 12.0 FreeBSD Ports 11.4 FreeBSD Ports 11.3 FreeBSD Ports 11.2 FreeBSD Ports 11.1 FreeBSD Ports 11.0 FreeBSD Ports 10.4 FreeBSD Ports 10.3 FreeBSD Ports 10.2 FreeBSD Ports 10.1 FreeBSD Ports 10.0 FreeBSD Ports 9.3 FreeBSD Ports 9.2 FreeBSD Ports 9.1 FreeBSD Ports 9.0 FreeBSD Ports 8.4 FreeBSD Ports 8.3 FreeBSD Ports 8.2 FreeBSD Ports 8.1 FreeBSD Ports 8.0 FreeBSD Ports 7.4 FreeBSD Ports 7.3 FreeBSD Ports 7.2 FreeBSD Ports 7.1 FreeBSD Ports 7.0 FreeBSD Ports 6.4 FreeBSD Ports 6.3 FreeBSD Ports 6.2 FreeBSD Ports 6.0 FreeBSD Ports 5.5 FreeBSD Ports 5.4 FreeBSD Ports 5.3 FreeBSD Ports 5.2.1 FreeBSD Ports 5.2 FreeBSD Ports 5.1 FreeBSD Ports 4.11 FreeBSD Ports 4.10 FreeBSD Ports 4.9 FreeBSD Ports 4.8 FreeBSD Ports 4.7 FreeBSD Ports 4.6.2 FreeBSD Ports 4.6 FreeBSD Ports 4.5 FreeBSD Ports 4.3 FreeBSD Ports 4.2 FreeBSD Ports 4.1.1 FreeBSD Ports 3.5.1 FreeBSD Ports 3.5 FreeBSD Ports 3.4 FreeBSD Ports 2.2.8 4.4BSD Lite2 4.3BSD NET/2 4.3BSD Reno 2.11 BSD 2.10 BSD 2.9.1 BSD 2.8 BSD 386BSD 0.1 386BSD 0.0 CentOS 7.9 CentOS 7.8 CentOS 7.7 CentOS 7.6 CentOS 7.5 CentOS 7.4 CentOS 7.3 CentOS 7.2 CentOS 7.1 CentOS 7.0 CentOS 6.10 CentOS 6.9 CentOS 6.8 CentOS 6.7 CentOS 6.6 CentOS 6.5 CentOS 6.4 CentOS 6.3 CentOS 6.2 CentOS 6.1 CentOS 6.0 CentOS 5.11 CentOS 5.10 CentOS 5.9 CentOS 5.8 CentOS 5.7 CentOS 5.6 CentOS 5.5 CentOS 5.4 CentOS 4.8 CentOS 3.9 Darwin 8.0.1/ppc Darwin 7.0.1 Darwin 6.0.2/x86 Darwin 1.4.1/x86 Darwin 1.3.1/x86 Debian 14.0 unstable Debian 13.1.0 Debian 12.11.0 Debian 11.11.0 Debian 10.13.0 Debian 9.13.0 Debian 8.11.1 Debian 7.11.0 Debian 6.0.10 Debian 5.0.10 Debian 4.0.9 Debian 3.1.8 Debian 2.2.7 Debian 2.0.0 Dell UNIX SVR4 2.2 DragonFly 6.4.0 DragonFly 5.8.3 DragonFly 4.8.1 DragonFly 3.8.2 DragonFly 2.10.1 DragonFly 1.12.1 DragonFly 1.0A HP-UX 11.22 HP-UX 11.20 HP-UX 11.11 HP-UX 11.00 HP-UX 10.20 HP-UX 10.10 HP-UX 10.01 HP-UX 9.07 HP-UX 8.07 Inferno 4th Edition IRIX 6.5.30 Linux Slackware 3.1 MACH 2.5/i386 macOS 26.0 macOS 15.7 macOS 14.8 macOS 13.6.5 macOS 12.7.3 macOS 11.1 macOS 10.15.0 macOS 10.13.6 macOS 10.12.0 Minix 3.3.0 Minix 3.2.1 Minix 3.2.0 Minix 3.1.7 Minix 3.1.6 Minix 3.1.5 Minix 2.0.0 NetBSD 10.1 NetBSD 10.0 NetBSD 9.4 NetBSD 9.3 NetBSD 9.2 NetBSD 9.1 NetBSD 9.0 NetBSD 8.2 NetBSD 8.1 NetBSD 8.0 NetBSD 7.1 NetBSD 7.0 NetBSD 6.1.5 NetBSD 6.0 NetBSD 5.1 NetBSD 5.0 NetBSD 4.0.1 NetBSD 4.0 NetBSD 3.1 NetBSD 3.0 NetBSD 2.1 NetBSD 2.0.2 NetBSD 2.0 NetBSD 1.6.2 NetBSD 1.6.1 NetBSD 1.6 NetBSD 1.5.3 NetBSD 1.5.2 NetBSD 1.5.1 NetBSD 1.5 NetBSD 1.4.3 NetBSD 1.4.2 NetBSD 1.4.1 NetBSD 1.4 NetBSD 1.3.3 NetBSD 1.3.2 NetBSD 1.3.1 NetBSD 1.3 NetBSD 1.2.1 NetBSD 1.2 NetBSD 1.1 NetBSD 1.0 NeXTSTEP 3.3 OpenBSD 7.7 OpenBSD 7.6 OpenBSD 7.5 OpenBSD 7.4 OpenBSD 7.3 OpenBSD 7.2 OpenBSD 7.1 OpenBSD 7.0 OpenBSD 6.9 OpenBSD 6.8 OpenBSD 6.7 OpenBSD 6.6 OpenBSD 6.5 OpenBSD 6.4 OpenBSD 6.3 OpenBSD 6.2 OpenBSD 6.1 OpenBSD 6.0 OpenBSD 5.9 OpenBSD 5.8 OpenBSD 5.7 OpenBSD 5.6 OpenBSD 5.5 OpenBSD 5.4 OpenBSD 5.3 OpenBSD 5.2 OpenBSD 5.1 OpenBSD 5.0 OpenBSD 4.9 OpenBSD 4.8 OpenBSD 4.7 OpenBSD 4.6 OpenBSD 4.5 OpenBSD 4.4 OpenBSD 4.3 OpenBSD 4.2 OpenBSD 4.1 OpenBSD 4.0 OpenBSD 3.9 OpenBSD 3.8 OpenBSD 3.7 OpenBSD 3.6 OpenBSD 3.5 OpenBSD 3.4 OpenBSD 3.3 OpenBSD 3.2 OpenBSD 3.1 OpenBSD 3.0 OpenBSD 2.9 OpenBSD 2.8 OpenBSD 2.7 OpenBSD 2.6 OpenBSD 2.5 OpenBSD 2.4 OpenBSD 2.3 OpenBSD 2.2 OpenBSD 2.1 OpenBSD 2.0 OpenDarwin 7.2.1 OpenDarwin 6.6.2/x86 OpenDarwin 6.6.1/x86 OpenDarwin 20030208pre4/ppc OpenIndiana 2024.10 OpenIndiana 2022.10 OpenIndiana 2020.10 OpenIndiana 2017.10 OpenIndiana 2015.10 OpenIndiana 2013.08 OpenSolaris 2010.03 OpenSolaris 2009.06 OpenStep 4.2 openSUSE 42.3 openSUSE 42.2 openSUSE 42.1 openSUSE 16.0 openSUSE 15.6 openSUSE 15.5 openSUSE 15.4 openSUSE 15.3 openSUSE 15.2 openSUSE 15.1 openSUSE 15.0 openSUSE 13.2 openSUSE 13.1 openSUSE 11.4 openSUSE 11.3 openSUSE 11.2 openSUSE 10.3 openSUSE 10.2 OSF1 V5.1/alpha OSF1 V4.0/alpha OSF1 V1.0/mips Plan 9 Red Hat 9.0 Red Hat 8.0 Red Hat 7.3 Red Hat 7.2 Red Hat 7.1 Red Hat 7.0 Red Hat 6.2 Red Hat 6.1 Red Hat 5.2 Red Hat 5.0 Red Hat 4.2 Rhapsody DR1 Rhapsody DR2 Rocky 10.0 Rocky 9.6 Rocky 9.5 Rocky 9.4 Rocky 9.3 Rocky 9.2 Rocky 9.1 Rocky 9.0 Rocky 8.10 Rocky 8.9 Rocky 8.8 Rocky 8.7 Rocky 8.6 Rocky 8.5 Rocky 8.4 Rocky 8.3 Sun UNIX 0.4 SunOS 5.10 SunOS 5.9 SunOS 5.8 SunOS 5.7 SunOS 5.6 SunOS 5.5.1 SunOS 4.1.3 SuSE 11.3 SuSE 11.2 SuSE 11.1 SuSE 11.0 SuSE 10.3 SuSE 10.2 SuSE 10.1 SuSE 10.0 SuSE 9.3 SuSE 9.2 SuSE 8.2 SuSE 8.1 SuSE 8.0 SuSE 7.3 SuSE 7.2 SuSE 7.1 SuSE 7.0 SuSE 6.4 SuSE 6.3 SuSE 6.1 SuSE 6.0 SuSE 5.3 SuSE 5.2 SuSE 5.0 SuSE 4.3 SuSE ES 10 SP1 Ubuntu 24.04 noble Ubuntu 23.10 mantic Ubuntu 22.04 jammy Ubuntu 20.04 focal Ubuntu 18.04 bionic Ubuntu 16.04 xenial Ubuntu 14.04 trusty ULTRIX 4.2 Ultrix-32 2.0/VAX Unix Seventh Edition X11R7.4 X11R7.3.2 X11R7.2 X11R6.9.0 X11R6.8.2 X11R6.7.0 XFree86 4.8.0 XFree86 4.7.0 XFree86 4.6.0 XFree86 4.5.0 XFree86 4.4.0 XFree86 4.3.0 XFree86 4.2.99.3 XFree86 4.2.0 XFree86 4.1.0 XFree86 4.0.2 XFree86 4.0.1 XFree86 4.0 XFree86 3.3.6 XFree86 3.3 XFree86 2.1 All Architectures html pdf ascii

home | help

---

TLSPROXY(8)		    System Manager's Manual		   TLSPROXY(8)

NAME
       tlsproxy	- Postfix TLS proxy

SYNOPSIS
       tlsproxy	[generic Postfix daemon	options]

DESCRIPTION
       The  tlsproxy(8)	 server	 implements a two-way TLS proxy. It is used by
       the postscreen(8) server	to talk	SMTP-over-TLS with remote SMTP clients
       that are	not allowlisted	(including clients whose allowlist status  has
       expired),  and  by  the smtp(8) client to support TLS connection	reuse,
       but it should also work for non-SMTP protocols.

       Although	one tlsproxy(8)	process	can serve  multiple  sessions  at  the
       same  time,  it	is a good idea to allow	the number of processes	to in-
       crease with load, so that the service remains responsive.

PROTOCOL EXAMPLE
       The example below  concerns  postscreen(8).  However,  the  tlsproxy(8)
       server is agnostic of the application protocol, and the example is eas-
       ily adapted to other applications.

       After  receiving	a valid	remote SMTP client STARTTLS command, the post-
       screen(8) server	sends the remote SMTP client endpoint string, the  re-
       quested role (server), and the requested	timeout	to tlsproxy(8).	 post-
       screen(8)  then receives	a "TLS available" indication from tlsproxy(8).
       If the TLS service is available,	postscreen(8) sends  the  remote  SMTP
       client  file  descriptor	 to  tlsproxy(8),  and sends the plaintext 220
       greeting	to the remote SMTP client.  This triggers TLS negotiations be-
       tween the remote	SMTP client and	tlsproxy(8).  Upon completion  of  the
       TLS-level  handshake,  tlsproxy(8) translates between plaintext from/to
       postscreen(8) and ciphertext to/from the	remote SMTP client.

SECURITY
       The tlsproxy(8) server is moderately security-sensitive.	 It  talks  to
       untrusted  clients  on  the network. The	process	can be run chrooted at
       fixed low privilege.

DIAGNOSTICS
       Problems	and transactions are logged to syslogd(8) or postlogd(8).

CONFIGURATION PARAMETERS
       Changes to main.cf are not  picked  up  automatically,  as  tlsproxy(8)
       processes  may  run for a long time depending on	mail server load.  Use
       the command "postfix reload" to speed up	a change.

       The text	below provides only a parameter	summary. See  postconf(5)  for
       more details including examples.

STARTTLS GLOBAL	CONTROLS
       The  following settings are global and therefore	cannot be overruled by
       information specified in	a tlsproxy(8) client request.

       tls_append_default_CA (no)
	      Append the system-supplied default Certification Authority  cer-
	      tificates	  to   the   ones   specified	with  *_tls_CApath  or
	      *_tls_CAfile.

       tls_daemon_random_bytes (32)
	      The number of pseudo-random bytes	that an	 smtp(8)  or  smtpd(8)
	      process  requests	from the tlsmgr(8) server in order to seed its
	      internal pseudo random number generator (PRNG).

       tls_high_cipherlist (see	'postconf -d' output)
	      The OpenSSL cipherlist for "high"	grade ciphers.

       tls_medium_cipherlist (see 'postconf -d'	output)
	      The OpenSSL cipherlist for "medium" or higher grade ciphers.

       tls_null_cipherlist (eNULL:!aNULL)
	      The OpenSSL cipherlist for "NULL"	grade ciphers that provide au-
	      thentication without encryption.

       tls_eecdh_strong_curve (prime256v1)
	      The elliptic curve used by the Postfix SMTP server for  sensibly
	      strong ephemeral ECDH key	exchange.

       tls_eecdh_ultra_curve (secp384r1)
	      The elliptic curve used by the Postfix SMTP server for maximally
	      strong ephemeral ECDH key	exchange.

       tls_disable_workarounds (see 'postconf -d' output)
	      List or bit-mask of OpenSSL bug work-arounds to disable.

       tls_preempt_cipherlist (no)
	      With SSLv3 and later, use	the Postfix SMTP server's cipher pref-
	      erence  order  instead  of the remote client's cipher preference
	      order.

       Available in Postfix version 2.8..3.7:

       tls_low_cipherlist (see 'postconf -d' output)
	      The OpenSSL cipherlist for "low" or higher grade ciphers.

       tls_export_cipherlist (see 'postconf -d'	output)
	      The OpenSSL cipherlist for "export" or higher grade ciphers.

       Available in Postfix version 2.9	and later:

       tls_legacy_public_key_fingerprints (no)
	      A	temporary migration aid	for sites that	use  certificate  pub-
	      lic-key fingerprints with	Postfix	2.9.0..2.9.5, which use	an in-
	      correct algorithm.

       Available in Postfix version 2.11-3.1:

       tls_dane_digest_agility (on)
	      Configure	RFC7671	DANE TLSA digest algorithm agility.

       tls_dane_trust_anchor_digest_enable (yes)
	      Enable support for RFC 6698 (DANE	TLSA) DNS records that contain
	      digests of trust-anchors with certificate	usage "2".

       Available in Postfix version 2.11 and later:

       tlsmgr_service_name (tlsmgr)
	      The name of the tlsmgr(8)	service	entry in master.cf.

       Available in Postfix version 3.0	and later:

       tls_session_ticket_cipher (Postfix >= 3.0: aes-256-cbc, Postfix < 3.0:
       aes-128-cbc)
	      Algorithm	used to	encrypt	RFC5077	TLS session tickets.

       openssl_path (openssl)
	      The location of the OpenSSL command line program openssl(1).

       Available in Postfix version 3.2	and later:

       tls_eecdh_auto_curves (see 'postconf -d'	output)
	      The  prioritized list of elliptic	curves,	that should be enabled
	      in the Postfix SMTP client and server.

       Available in Postfix version 3.4	and later:

       tls_server_sni_maps (empty)
	      Optional lookup tables that map names received from remote  SMTP
	      clients  via  the	 TLS Server Name Indication (SNI) extension to
	      the appropriate keys and certificate chains.

       Available in Postfix 3.5, 3.4.6,	3.3.5, 3.2.10, 3.1.13 and later:

       tls_fast_shutdown_enable	(yes)
	      A	workaround for implementations that hang Postfix  while	 shut-
	      ting down	a TLS session, until Postfix times out.

       Available in Postfix version 3.8	and later:

       tls_ffdhe_auto_groups (see 'postconf -d'	output)
	      The  prioritized	list  of finite-field Diffie-Hellman ephemeral
	      (FFDHE) key exchange groups supported by the Postfix SMTP	client
	      and server.

       Available in Postfix 3.9, 3.8.1,	3.7.6, 3.6.10, 3.5.20 and later:

       tls_config_file (default)
	      Optional configuration file with baseline	OpenSSL	settings.

       tls_config_name (empty)
	      The application name passed by Postfix to	OpenSSL	 library  ini-
	      tialization functions.

STARTTLS SERVER	CONTROLS
       These  settings are clones of Postfix SMTP server settings.  They allow
       tlsproxy(8) to load the same certificate	and private key	information as
       the Postfix SMTP	server,	before dropping	privileges, so	that  the  key
       files  can be kept read-only for	root. These settings can currently not
       be overruled by information in a	tlsproxy(8) client request,  but  that
       limitation may be removed in a future version.

       tlsproxy_tls_CAfile ($smtpd_tls_CAfile)
	      A	 file  containing  (PEM	 format)  CA  certificates of root CAs
	      trusted to sign either remote SMTP client	certificates or	inter-
	      mediate CA certificates.

       tlsproxy_tls_CApath ($smtpd_tls_CApath)
	      A	directory containing (PEM format) CA certificates of root  CAs
	      trusted to sign either remote SMTP client	certificates or	inter-
	      mediate CA certificates.

       tlsproxy_tls_always_issue_session_ids ($smtpd_tls_always_issue_ses-
       sion_ids)
	      Force  the Postfix tlsproxy(8) server to issue a TLS session id,
	      even when	TLS session caching is turned off.

       tlsproxy_tls_ask_ccert ($smtpd_tls_ask_ccert)
	      Ask a remote SMTP	client for a client certificate.

       tlsproxy_tls_ccert_verifydepth ($smtpd_tls_ccert_verifydepth)
	      The verification depth for remote	SMTP client certificates.

       tlsproxy_tls_cert_file ($smtpd_tls_cert_file)
	      File with	the Postfix tlsproxy(8)	server RSA certificate in  PEM
	      format.

       tlsproxy_tls_ciphers ($smtpd_tls_ciphers)
	      The minimum TLS cipher grade that	the Postfix tlsproxy(8)	server
	      will use with opportunistic TLS encryption.

       tlsproxy_tls_dcert_file ($smtpd_tls_dcert_file)
	      File  with the Postfix tlsproxy(8) server	DSA certificate	in PEM
	      format.

       tlsproxy_tls_dh1024_param_file ($smtpd_tls_dh1024_param_file)
	      File with	DH parameters  that  the  Postfix  tlsproxy(8)	server
	      should use with non-export EDH ciphers.

       tlsproxy_tls_dh512_param_file ($smtpd_tls_dh512_param_file)
	      File  with  DH  parameters  that	the Postfix tlsproxy(8)	server
	      should use with export-grade EDH ciphers.

       tlsproxy_tls_dkey_file ($smtpd_tls_dkey_file)
	      File with	the Postfix tlsproxy(8)	server DSA private key in  PEM
	      format.

       tlsproxy_tls_eccert_file	($smtpd_tls_eccert_file)
	      File  with  the  Postfix tlsproxy(8) server ECDSA	certificate in
	      PEM format.

       tlsproxy_tls_eckey_file ($smtpd_tls_eckey_file)
	      File with	the Postfix tlsproxy(8)	server ECDSA  private  key  in
	      PEM format.

       tlsproxy_tls_eecdh_grade	($smtpd_tls_eecdh_grade)
	      The  Postfix tlsproxy(8) server security grade for ephemeral el-
	      liptic-curve Diffie-Hellman (EECDH) key exchange.

       tlsproxy_tls_exclude_ciphers ($smtpd_tls_exclude_ciphers)
	      List of ciphers or cipher	types to exclude from the  tlsproxy(8)
	      server cipher list at all	TLS security levels.

       tlsproxy_tls_fingerprint_digest ($smtpd_tls_fingerprint_digest)
	      The   message   digest   algorithm   to  construct  remote  SMTP
	      client-certificate fingerprints.

       tlsproxy_tls_key_file ($smtpd_tls_key_file)
	      File with	the Postfix tlsproxy(8)	server RSA private key in  PEM
	      format.

       tlsproxy_tls_loglevel ($smtpd_tls_loglevel)
	      Enable  additional Postfix tlsproxy(8) server logging of TLS ac-
	      tivity.

       tlsproxy_tls_mandatory_ciphers ($smtpd_tls_mandatory_ciphers)
	      The minimum TLS cipher grade that	the Postfix tlsproxy(8)	server
	      will use with mandatory TLS encryption.

       tlsproxy_tls_mandatory_exclude_ciphers ($smtpd_tls_mandatory_ex-
       clude_ciphers)
	      Additional list of ciphers or cipher types to exclude  from  the
	      tlsproxy(8) server cipher	list at	mandatory TLS security levels.

       tlsproxy_tls_mandatory_protocols	($smtpd_tls_mandatory_protocols)
	      The SSL/TLS protocols accepted by	the Postfix tlsproxy(8)	server
	      with mandatory TLS encryption.

       tlsproxy_tls_protocols ($smtpd_tls_protocols)
	      List  of	TLS protocols that the Postfix tlsproxy(8) server will
	      exclude or include with opportunistic TLS	encryption.

       tlsproxy_tls_req_ccert ($smtpd_tls_req_ccert)
	      With mandatory TLS encryption, require  a	 trusted  remote  SMTP
	      client certificate in order to allow TLS connections to proceed.

       tlsproxy_tls_security_level ($smtpd_tls_security_level)
	      The  SMTP	TLS security level for the Postfix tlsproxy(8) server;
	      when a non-empty value is	specified, this	overrides the obsolete
	      parameters smtpd_use_tls and smtpd_enforce_tls.

       tlsproxy_tls_chain_files	($smtpd_tls_chain_files)
	      Files with the Postfix tlsproxy(8) server	keys  and  certificate
	      chains in	PEM format.

       Available in Postfix version 3.9	and later:

       tlsproxy_tls_enable_rpk ($smtpd_tls_enable_rpk)
	      Request  that remote SMTP	clients	send an	RFC7250	raw public key
	      instead of an X.509 certificate, when asking or requiring	client
	      authentication.

STARTTLS CLIENT	CONTROLS
       These settings are clones of Postfix SMTP client	settings.  They	 allow
       tlsproxy(8) to load the same certificate	and private key	information as
       the  Postfix  SMTP  client, before dropping privileges, so that the key
       files can be kept read-only for root. Some settings may be overruled by
       information in a	tlsproxy(8) client request.

       Available in Postfix version 3.4	and later:

       tlsproxy_client_CAfile ($smtp_tls_CAfile)
	      A	file containing	CA certificates	of root	CAs  trusted  to  sign
	      either  remote  TLS  server certificates or intermediate CA cer-
	      tificates.

       tlsproxy_client_CApath ($smtp_tls_CApath)
	      Directory	with PEM format	Certification  Authority  certificates
	      that  the	Postfix	tlsproxy(8) client uses	to verify a remote TLS
	      server certificate.

       tlsproxy_client_chain_files ($smtp_tls_chain_files)
	      Files with the Postfix tlsproxy(8) client	keys  and  certificate
	      chains in	PEM format.

       tlsproxy_client_cert_file ($smtp_tls_cert_file)
	      File  with the Postfix tlsproxy(8) client	RSA certificate	in PEM
	      format.

       tlsproxy_client_key_file	($smtp_tls_key_file)
	      File with	the Postfix tlsproxy(8)	client RSA private key in  PEM
	      format.

       tlsproxy_client_dcert_file ($smtp_tls_dcert_file)
	      File  with the Postfix tlsproxy(8) client	DSA certificate	in PEM
	      format.

       tlsproxy_client_dkey_file ($smtp_tls_dkey_file)
	      File with	the Postfix tlsproxy(8)	client DSA private key in  PEM
	      format.

       tlsproxy_client_eccert_file ($smtp_tls_eccert_file)
	      File  with  the  Postfix tlsproxy(8) client ECDSA	certificate in
	      PEM format.

       tlsproxy_client_eckey_file ($smtp_tls_eckey_file)
	      File with	the Postfix tlsproxy(8)	client ECDSA  private  key  in
	      PEM format.

       tlsproxy_client_fingerprint_digest ($smtp_tls_fingerprint_digest)
	      The message digest algorithm used	to construct remote TLS	server
	      certificate fingerprints.

       tlsproxy_client_loglevel	($smtp_tls_loglevel)
	      Enable  additional Postfix tlsproxy(8) client logging of TLS ac-
	      tivity.

       tlsproxy_client_loglevel_parameter (smtp_tls_loglevel)
	      The   name   of	the   parameter	  that	 provides   the	   tl-
	      sproxy_client_loglevel value.

       tlsproxy_client_scert_verifydepth ($smtp_tls_scert_verifydepth)
	      The verification depth for remote	TLS server certificates.

       tlsproxy_client_use_tls ($smtp_use_tls)
	      Opportunistic  mode:  use	TLS when a remote server announces TLS
	      support.

       tlsproxy_client_enforce_tls ($smtp_enforce_tls)
	      Enforcement mode:	require	that SMTP servers use TLS encryption.

       tlsproxy_client_per_site	($smtp_tls_per_site)
	      Optional lookup tables with the Postfix tlsproxy(8)  client  TLS
	      usage  policy  by	 next-hop destination and by remote TLS	server
	      hostname.

       Available in Postfix version 3.4-3.6:

       tlsproxy_client_level ($smtp_tls_security_level)
	      The default TLS  security	 level	for  the  Postfix  tlsproxy(8)
	      client.

       tlsproxy_client_policy ($smtp_tls_policy_maps)
	      Optional	lookup	tables with the	Postfix	tlsproxy(8) client TLS
	      security policy by next-hop destination.

       Available in Postfix version 3.7	and later:

       tlsproxy_client_security_level ($smtp_tls_security_level)
	      The default TLS  security	 level	for  the  Postfix  tlsproxy(8)
	      client.

       tlsproxy_client_policy_maps ($smtp_tls_policy_maps)
	      Optional	lookup	tables with the	Postfix	tlsproxy(8) client TLS
	      security policy by next-hop destination.

OBSOLETE STARTTLS SUPPORT CONTROLS
       These parameters	are supported for compatibility	with  smtpd(8)	legacy
       parameters.

       tlsproxy_use_tls	($smtpd_use_tls)
	      Opportunistic  TLS:  announce  STARTTLS  support	to remote SMTP
	      clients, but do not require that clients use TLS encryption.

       tlsproxy_enforce_tls ($smtpd_enforce_tls)
	      Mandatory	TLS: announce STARTTLS support to remote SMTP clients,
	      and require that clients use TLS encryption.

       tlsproxy_client_use_tls ($smtp_use_tls)
	      Opportunistic mode: use TLS when a remote	server	announces  TLS
	      support.

       tlsproxy_client_enforce_tls ($smtp_enforce_tls)
	      Enforcement mode:	require	that SMTP servers use TLS encryption.

RESOURCE CONTROLS
       tlsproxy_watchdog_timeout (10s)
	      How much time a tlsproxy(8) process may take to process local or
	      remote I/O before	it is terminated by a built-in watchdog	timer.

MISCELLANEOUS CONTROLS
       config_directory	(see 'postconf -d' output)
	      The  default  location of	the Postfix main.cf and	master.cf con-
	      figuration files.

       process_id (read-only)
	      The process ID of	a Postfix command or daemon process.

       process_name (read-only)
	      The process name of a Postfix command or daemon process.

       syslog_facility (mail)
	      The syslog facility of Postfix logging.

       syslog_name (see	'postconf -d' output)
	      A	prefix that  is	 prepended  to	the  process  name  in	syslog
	      records, so that,	for example, "smtpd" becomes "prefix/smtpd".

       Available in Postfix 3.3	and later:

       service_name (read-only)
	      The master.cf service name of a Postfix daemon process.

SEE ALSO
       postscreen(8), Postfix zombie blocker
       smtpd(8), Postfix SMTP server
       postconf(5), configuration parameters
       postlogd(8), Postfix logging
       syslogd(8), system logging

LICENSE
       The Secure Mailer license must be distributed with this software.

HISTORY
       This service was	introduced with	Postfix	version	2.8.

AUTHOR(S)
       Wietse Venema
       IBM T.J.	Watson Research
       P.O. Box	704
       Yorktown	Heights, NY 10598, USA

       Wietse Venema
       Google, Inc.
       111 8th Avenue
       New York, NY 10011, USA

								   TLSPROXY(8)

---

NAME | SYNOPSIS | DESCRIPTION | PROTOCOL EXAMPLE | SECURITY | DIAGNOSTICS | CONFIGURATION PARAMETERS | STARTTLS GLOBAL CONTROLS | STARTTLS SERVER CONTROLS | STARTTLS CLIENT CONTROLS | OBSOLETE STARTTLS SUPPORT CONTROLS | RESOURCE CONTROLS | MISCELLANEOUS CONTROLS | SEE ALSO | LICENSE | HISTORY | AUTHOR(S)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=tlsproxy&sektion=8&manpath=FreeBSD+Ports+14.3.quarterly>

home | help

---

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact