TLSMGR(8)                                                            TLSMGR(8)

NAME
       tlsmgr - Postfix TLS session cache and PRNG manager

SYNOPSIS
       tlsmgr [generic Postfix daemon options]

DESCRIPTION
       The tlsmgr(8) manages the Postfix TLS session caches.  It
       stores and retrieves cache entries on request by smtpd(8)
       and smtp(8) processes, and periodically removes entries
       that have expired.

       The tlsmgr(8) also manages the PRNG (pseudo random  number
       generator)  pool.  It  answers queries by the smtpd(8) and
       smtp(8) processes to seed their internal PRNG pools.

       The tlsmgr(8)'s PRNG pool  is  initially  seeded  from  an
       external  source (EGD, /dev/urandom, or regular file).  It
       is updated at configurable  pseudo-random  intervals  with
       data  from the external source. It is updated periodically
       with data from TLS session cache entries and with the time
       of  day,  and  is  updated with the time of day whenever a
       process requests tlsmgr(8) service.

       The tlsmgr(8) saves the PRNG state  to  an  exchange  file
       periodically  and  when  the process terminates, and reads
       the exchange file when initializing its PRNG.

SECURITY
       The tlsmgr(8) is not security-sensitive.  The code that
       maintains the external and internal PRNG pools does not
       "trust" the data that it manipulates, and the code that
       maintains the TLS session cache does not touch the con-
       tents of the cached entries, except for seeding its inter-
       nal PRNG pool.

       The  tlsmgr(8) can be run chrooted and with reduced privi-
       leges.  At process startup  it  connects  to  the  entropy
       source  and  exchange  file,  and creates or truncates the
       optional TLS session cache files.

       With Postfix version  2.5  and  later,  the  tlsmgr(8)  no
       longer  uses  root  privileges  when  opening cache files.
       These files should now be stored under  the  Postfix-owned
       data_directory.   As a migration aid, an attempt to open a
       cache file under a non-Postfix directory is redirected  to
       the Postfix-owned data_directory, and a warning is logged.
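       The paragraph above describes a migration behaviour worth checking before a reload. The following is an added example, not code from the man page or from Postfix: a small lint that parses main.cf-style text and reports TLS session cache databases or the PRNG exchange file that point outside data_directory (the files tlsmgr(8) would silently redirect, with a warning). It assumes data_directory is set in the text it reads (the compiled-in default is not known to the script); the sample configurations are constructed.

```python
import os
import re

# main.cf parameters whose values name files that tlsmgr(8) opens unprivileged.
FILE_PARAMS = ("smtpd_tls_session_cache_database", "smtp_tls_session_cache_database",
               "lmtp_tls_session_cache_database", "tls_random_exchange_name")

def parse_main_cf(text):
    """Parse 'name = value' lines; a line starting with whitespace continues the previous value."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params

def expand(value, params):
    """Expand $name and ${name} references from the parsed parameters."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), ""), value)

def misplaced_files(params):
    """Return (parameter, path) pairs for files that are not under data_directory."""
    data_dir = os.path.normpath(expand(params.get("data_directory", ""), params))
    bad = []
    for name in FILE_PARAMS:
        raw = expand(params.get(name, ""), params)
        if not raw:
            continue                       # empty value: cache/feature disabled
        path = os.path.normpath(raw.split(":", 1)[1] if ":" in raw else raw)  # drop "btree:"
        if not path.startswith(data_dir + os.sep):
            bad.append((name, path))
    return bad

# Constructed sample configurations (not taken from any real system).
LEGACY_CF = """data_directory = /var/lib/postfix
# pre-2.5 habit: caches kept next to the queue, outside data_directory
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_scache
smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_scache
"""
FIXED_CF = """data_directory = /var/lib/postfix
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
tls_random_exchange_name = ${data_directory}/prng_exch
"""
```

       Running misplaced_files(parse_main_cf(LEGACY_CF)) names both cache files, while the FIXED_CF variant yields an empty list.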

DIAGNOSTICS
       Problems and transactions are logged to the syslog daemon.

BUGS
       There is no automatic means to limit the number of entries
       in the TLS session caches and/or the size of the TLS cache

CONFIGURATION PARAMETERS
       Configuration changes are not picked up automatically,
       because tlsmgr(8) is a persistent process.  Use the com-
       mand "postfix reload" after a configuration change.

       The  text  below  provides  only  a parameter summary. See
       postconf(5) for more details including examples.

TLS SESSION CACHE
       lmtp_tls_loglevel (0)
              The LMTP-specific version of the  smtp_tls_loglevel
              configuration parameter.

       lmtp_tls_session_cache_database (empty)
              The  LMTP-specific  version  of  the  smtp_tls_ses-
              sion_cache_database configuration parameter.

       lmtp_tls_session_cache_timeout (3600s)
              The  LMTP-specific  version  of  the  smtp_tls_ses-
              sion_cache_timeout configuration parameter.

       smtp_tls_loglevel (0)
              Enable  additional  Postfix  SMTP client logging of
              TLS activity.

       smtp_tls_session_cache_database (empty)
              Name of the file containing  the  optional  Postfix
              SMTP client TLS session cache.

       smtp_tls_session_cache_timeout (3600s)
              The expiration time of Postfix SMTP client TLS ses-
              sion cache information.

       smtpd_tls_loglevel (0)
              Enable additional Postfix SMTP  server  logging  of
              TLS activity.

       smtpd_tls_session_cache_database (empty)
              Name  of  the  file containing the optional Postfix
              SMTP server TLS session cache.

       smtpd_tls_session_cache_timeout (3600s)
              The expiration time of Postfix SMTP server TLS ses-
              sion cache information.

PSEUDO RANDOM NUMBER GENERATOR
       tls_random_source (see 'postconf -d' output)
              The  external  entropy  source  for  the  in-memory
              tlsmgr(8) pseudo  random  number  generator  (PRNG)

       tls_random_bytes (32)
              The  number  of  bytes  that  tlsmgr(8)  reads from
              $tls_random_source when (re)seeding  the  in-memory
              pseudo random number generator (PRNG) pool.

       tls_random_exchange_name (see 'postconf -d' output)
              Name  of  the pseudo random number generator (PRNG)
              state file that is maintained by tlsmgr(8).

       tls_random_prng_update_period (3600s)
              The time between attempts by tlsmgr(8) to save  the
              state  of the pseudo random number generator (PRNG)
              to    the    file    specified    with    $tls_ran-

       tls_random_reseed_period (3600s)
              The  maximal  time between attempts by tlsmgr(8) to
              re-seed the in-memory pseudo random number  genera-
              tor (PRNG) pool from external sources.

MISCELLANEOUS CONTROLS
       config_directory (see 'postconf -d' output)
              The default location of the Postfix configuration
              files.

       data_directory (see 'postconf -d' output)
              The directory with Postfix-writable data files (for
              example: caches, pseudo-random numbers).

       daemon_timeout (18000s)
              How  much time a Postfix daemon process may take to
              handle a request  before  it  is  terminated  by  a
              built-in watchdog timer.

       process_id (read-only)
              The  process  ID  of  a  Postfix  command or daemon

       process_name (read-only)
              The process name of a  Postfix  command  or  daemon

       syslog_facility (mail)
              The syslog facility of Postfix logging.

       syslog_name (see 'postconf -d' output)
              The  mail  system  name  that  is  prepended to the
              process name in syslog  records,  so  that  "smtpd"
              becomes, for example, "postfix/smtpd".

SEE ALSO
       smtp(8), Postfix SMTP client
       smtpd(8), Postfix SMTP server
       postconf(5), configuration parameters
       master(5), generic daemon options
       master(8), process manager
       syslogd(8), system logging

README FILES
       TLS_README, Postfix TLS configuration and operation

LICENSE
       The Secure Mailer license must be distributed with this

AUTHOR(S)
       Lutz Jaenicke
       BTU Cottbus
       Allgemeine Elektrotechnik
       Universitaetsplatz 3-4
       D-03044 Cottbus, Germany

       Adapted by:
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA