TLSMGR(8)                                               TLSMGR(8)

NAME
       tlsmgr - Postfix TLS session cache and PRNG manager

SYNOPSIS
       tlsmgr [generic Postfix daemon options]

DESCRIPTION
       The  tlsmgr(8) manages the Postfix TLS session caches.  It
       stores and retrieves cache entries on request by  smtpd(8)
       and  smtp(8)  processes,  and periodically removes entries
       that have expired.

       The tlsmgr(8) also manages the PRNG (pseudo random  number
       generator)  pool.  It  answers queries by the smtpd(8) and
       smtp(8) processes to seed their internal PRNG pools.

       The tlsmgr(8)'s PRNG pool  is  initially  seeded  from  an
       external  source (EGD, /dev/urandom, or regular file).  It
       is updated at configurable  pseudo-random  intervals  with
       data  from the external source. It is updated periodically
       with data from TLS session cache entries and with the time
       of  day,  and  is  updated with the time of day whenever a
       process requests tlsmgr(8) service.

       The tlsmgr(8) saves the PRNG state  to  an  exchange  file
       periodically  and  when  the process terminates, and reads
       the exchange file when initializing its PRNG.

SECURITY
       The tlsmgr(8) is not  security-sensitive.  The  code  that
       maintains  the  external  and internal PRNG pools does not
       "trust" the data that it manipulates, and  the  code  that
       maintains  the  TLS  session cache does not touch the con-
       tents of the cached entries, except for seeding its inter-
       nal PRNG pool.

       The  tlsmgr(8) can be run chrooted and with reduced privi-
       leges.  At process startup  it  connects  to  the  entropy
       source  and  exchange  file,  and creates or truncates the
       optional TLS session cache files.

DIAGNOSTICS
       Problems and transactions are logged to the syslog daemon.

BUGS
       There is no automatic means to limit the number of entries
       in the TLS session caches and/or the size of the TLS cache
       files.

CONFIGURATION PARAMETERS
       Changes  to  main.cf  are  not  picked  up  automatically,
       because tlsmgr(8) is a persistent processes.  Use the com-
       mand "postfix reload" after a configuration change.

       The  text  below  provides  only  a parameter summary. See
       postconf(5) for more details including examples.

TLS SESSION CACHE
       smtpd_tls_session_cache_database (empty)
              Name of the file containing  the  optional  Postfix
              SMTP server TLS session cache.

       smtpd_tls_session_cache_timeout (3600s)
              The expiration time of Postfix SMTP server TLS ses-
              sion cache information.

       smtp_tls_session_cache_database (empty)
              Name of the file containing  the  optional  Postfix
              SMTP client TLS session cache.

       smtp_tls_session_cache_timeout (3600s)
              The expiration time of Postfix SMTP client TLS ses-
              sion cache information.

PSEUDO RANDOM NUMBER GENERATOR
       tls_random_source (see 'postconf -d' output)
              The  external  entropy  source  for  the  in-memory
              tlsmgr(8)  pseudo  random  number  generator (PRNG)
              pool.

       tls_random_bytes (32)
              The number  of  bytes  that  tlsmgr(8)  reads  from
              $tls_random_source  when  (re)seeding the in-memory
              pseudo random number generator (PRNG) pool.

       tls_random_exchange_name (${config_directory}/prng_exch)
              Name of the pseudo random number  generator  (PRNG)
              state file that is maintained by tlsmgr(8).

       tls_random_prng_update_period (3600s)
              The  time between attempts by tlsmgr(8) to save the
              state of the pseudo random number generator  (PRNG)
              to    the    file    specified    with    $tls_ran-
              dom_exchange_name.

       tls_random_reseed_period (3600s)
              The maximal time between attempts by  tlsmgr(8)  to
              re-seed  the in-memory pseudo random number genera-
              tor (PRNG) pool from external sources.

MISCELLANEOUS CONTROLS
       config_directory (see 'postconf -d' output)
              The default location of  the  Postfix  main.cf  and
              master.cf configuration files.

       daemon_timeout (18000s)
              How  much time a Postfix daemon process may take to
              handle a request  before  it  is  terminated  by  a
              built-in watchdog timer.

       process_id (read-only)
              The  process ID of a Postfix command or daemon pro-
              cess.

       process_name (read-only)
              The process name of a  Postfix  command  or  daemon
              process.

       syslog_facility (mail)
              The syslog facility of Postfix logging.

       syslog_name (postfix)
              The  mail system name that is prepended to the pro-
              cess  name  in  syslog  records,  so  that  "smtpd"
              becomes, for example, "postfix/smtpd".

SEE ALSO
       smtp(8), Postfix SMTP client
       smtpd(8), Postfix SMTP server
       postconf(5), configuration parameters
       master(5), generic daemon options
       master(8), process manager
       syslogd(8), system logging

README FILES
       TLS_README, Postfix TLS configuration and operation

LICENSE
       The Secure Mailer license must be  distributed  with  this
       software.

AUTHOR(S)
       Lutz Jaenicke
       BTU Cottbus
       Allgemeine Elektrotechnik
       Universitaetsplatz 3-4
       D-03044 Cottbus, Germany

       Adapted by:
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

                                                        TLSMGR(8)