| field | value | date |
|---|---|---|
| author | John Denker <jsd@av8n.com> | 2016-01-01 11:15:35 -0700 |
| committer | John Denker <jsd@av8n.com> | 2016-01-01 16:33:29 -0800 |
| commit | a16bea1ca0aa3ef44919fbe045b9040874fd8628 | |
| tree | 99ac443b96f8b89f8a480bb378b619d18e8cfc31 /qmail-smtpd.8 | |
| parent | 4dabcdf185f53439af8fdf71bd2da7317336bcf0 | |
the big starttls patch
Diffstat (limited to 'qmail-smtpd.8')
-rw-r--r-- | qmail-smtpd.8 | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/qmail-smtpd.8 b/qmail-smtpd.8 index 3e6cce2..4e83fe1 100644 --- a/qmail-smtpd.8 +++ b/qmail-smtpd.8 @@ -19,6 +19,15 @@ must be supplied several environment variables; see .BR tcp-environ(5) . +If the environment variable +.B SMTPS +is non-empty, +.B qmail-smtpd +starts a TLS session (to support the deprecated SMTPS protocol, +normally on port 465). Otherwise, +.B qmail-smtpd +offers the STARTTLS extension to ESMTP. + .B qmail-smtpd is responsible for counting hops. It rejects any message with 100 or more @@ -76,6 +85,19 @@ may be of the form .BR @\fIhost , meaning every address at .IR host . + +.TP 5 +.I clientca.pem +A list of Certifying Authority (CA) certificates that are used to verify +the client-presented certificates during a TLS-encrypted session. + +.TP 5 +.I clientcrl.pem +A list of Certificate Revocation Lists (CRLs). If present it +should contain the CRLs of the CAs in +.I clientca.pem +and client certs will be checked for revocation. + .TP 5 .I databytes Maximum number of bytes allowed in a message, @@ -103,6 +125,18 @@ If the environment variable .B DATABYTES is set, it overrides .IR databytes . + +.TP 5 +.I dh2048.pem +If these 2048 bit DH parameters are provided, +.B qmail-smtpd +will use them for TLS sessions instead of generating one on-the-fly +(which is very timeconsuming). +.TP 5 +.I dh2048.pem +2048 bit counterpart for +.B dh2048.pem. + .TP 5 .I localiphost Replacement host name for local IP addresses. 
@@ -178,6 +212,19 @@ may include wildcards: Envelope recipient addresses without @ signs are always allowed through. + +.TP 5 +.I rsa512.pem +If this 512 bit RSA key is provided, +.B qmail-smtpd +will use it for TLS sessions instead of generating one on-the-fly. + +.TP 5 +.I servercert.pem +SSL certificate to be presented to clients in TLS-encrypted sessions. +Should contain both the certificate and the private key. Certifying Authority +(CA) and intermediate certificates can be added at the end of the file. + .TP 5 .I smtpgreeting SMTP greeting message. @@ -196,6 +243,24 @@ Number of seconds .B qmail-smtpd will wait for each new buffer of data from the remote SMTP client. Default: 1200. + +.TP 5 +.I tlsclients +A list of email addresses. When relay rules would reject an incoming message, +.B qmail-smtpd +can allow it if the client presents a certificate that can be verified against +the CA list in +.I clientca.pem +and the certificate email address is in +.IR tlsclients . + +.TP 5 +.I tlsserverciphers +A set of OpenSSL cipher strings. Multiple ciphers contained in a +string should be separated by a colon. If the environment variable +.B TLSCIPHERS +is set to such a string, it takes precedence. + .SH "SEE ALSO" tcp-env(1), tcp-environ(5), |
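Review bot: In the first hunk (@@ -19,6 +19,15), the new paragraph says qmail-smtpd "offers the STARTTLS extension to ESMTP" unconditionally, but TLS can only work when the control files this patch documents later (servercert.pem at least) exist; state here that STARTTLS is advertised only when a server certificate is available, and what happens when SMTPS is set but no certificate can be loaded (is the connection refused, or does the daemon fall back to plaintext?). A pointer such as "see the control files below" after the STARTTLS sentence would also help, since a reader of this paragraph has no way to find servercert.pem otherwise.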
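Review bot: The clientcrl.pem entry in the second hunk (@@ -76,6 +85,19) leaves the failure mode of revocation checking unspecified: say whether a client certificate whose issuer has no CRL in the file, or whose CRL has expired, is rejected or accepted, and make explicit that without clientcrl.pem no revocation checking takes place at all. The sentence "If present it should contain the CRLs of the CAs in clientca.pem and client certs will be checked for revocation" also reads as one requirement on the administrator; splitting it ("It should contain the CRLs of the CAs listed in clientca.pem. When present, client certificates are checked against it for revocation.") makes the behaviour and the requirement distinct.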
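Review bot: The third hunk (@@ -103,6 +125,18) adds two .TP entries that are both named dh2048.pem, and the second describes itself as the "2048 bit counterpart for dh2048.pem", which is circular; this looks like a copy-and-paste slip where the second entry should name whichever other DH parameter file (of a different bit length) the code actually reads, or should be dropped if only one file is consulted. Two style points in the same hunk: `.B dh2048.pem.` sets the sentence-ending period in bold, whereas the rest of this page writes `.IR databytes .` and `.BR tcp-environ(5) .`, so `.BR dh2048.pem .` fits the file's convention; and "timeconsuming" should be "time-consuming".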
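Review bot: The rsa512.pem entry in the fourth hunk (@@ -178,6 +212,19) documents a 512-bit RSA key as an optional performance shortcut with no caveat, yet keys of that size are far below any acceptable strength and have been publicly factored since 1999; either state that the file exists only to serve legacy export-grade cipher suites and should not normally be created, or drop the entry together with the feature. For servercert.pem, since the file "Should contain both the certificate and the private key", add that it must be readable only by the user qmail-smtpd runs as and never world-readable, and spell out the expected layout (PEM, private key and server certificate first, intermediates and CA certificate appended at the end, which is what the current wording implies).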
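Review bot: In the fifth hunk (@@ -196,6 +243,24), "the certificate email address" in the tlsclients entry is ambiguous for a file that grants relay rights: state which field is compared (the emailAddress attribute of the Subject DN, an rfc822Name in subjectAltName, or both) and whether the comparison is case-sensitive. In the tlsserverciphers entry, "A set of OpenSSL cipher strings. Multiple ciphers contained in a string should be separated by a colon." describes a single OpenSSL cipher list; suggest "An OpenSSL cipher list: cipher names separated by colons, in the syntax accepted by openssl ciphers(1)." and document the default list used when neither the file nor the TLSCIPHERS environment variable is set.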