From a16bea1ca0aa3ef44919fbe045b9040874fd8628 Mon Sep 17 00:00:00 2001 From: John Denker Date: Fri, 1 Jan 2016 11:15:35 -0700 Subject: the big starttls patch --- qmail-smtpd.8 | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) (limited to 'qmail-smtpd.8') diff --git a/qmail-smtpd.8 b/qmail-smtpd.8 index 3e6cce2..4e83fe1 100644 --- a/qmail-smtpd.8 +++ b/qmail-smtpd.8 @@ -19,6 +19,15 @@ must be supplied several environment variables; see .BR tcp-environ(5) . +If the environment variable +.B SMTPS +is non-empty, +.B qmail-smtpd +starts a TLS session (to support the deprecated SMTPS protocol, +normally on port 465). Otherwise, +.B qmail-smtpd +offers the STARTTLS extension to ESMTP. + .B qmail-smtpd is responsible for counting hops. It rejects any message with 100 or more @@ -76,6 +85,19 @@ may be of the form .BR @\fIhost , meaning every address at .IR host . + +.TP 5 +.I clientca.pem +A list of Certifying Authority (CA) certificates that are used to verify +the client-presented certificates during a TLS-encrypted session. + +.TP 5 +.I clientcrl.pem +A list of Certificate Revocation Lists (CRLs). If present it +should contain the CRLs of the CAs in +.I clientca.pem +and client certs will be checked for revocation. + .TP 5 .I databytes Maximum number of bytes allowed in a message, @@ -103,6 +125,18 @@ If the environment variable .B DATABYTES is set, it overrides .IR databytes . + +.TP 5 +.I dh2048.pem +If these 2048 bit DH parameters are provided, +.B qmail-smtpd +will use them for TLS sessions instead of generating one on-the-fly +(which is very timeconsuming). +.TP 5 +.I dh2048.pem +2048 bit counterpart for +.B dh2048.pem. + .TP 5 .I localiphost Replacement host name for local IP addresses. 
@@ -178,6 +212,19 @@ may include wildcards: Envelope recipient addresses without @ signs are always allowed through. + +.TP 5 +.I rsa512.pem +If this 512 bit RSA key is provided, +.B qmail-smtpd +will use it for TLS sessions instead of generating one on-the-fly. + +.TP 5 +.I servercert.pem +SSL certificate to be presented to clients in TLS-encrypted sessions. +Should contain both the certificate and the private key. Certifying Authority +(CA) and intermediate certificates can be added at the end of the file. + .TP 5 .I smtpgreeting SMTP greeting message. @@ -196,6 +243,24 @@ Number of seconds .B qmail-smtpd will wait for each new buffer of data from the remote SMTP client. Default: 1200. + +.TP 5 +.I tlsclients +A list of email addresses. When relay rules would reject an incoming message, +.B qmail-smtpd +can allow it if the client presents a certificate that can be verified against +the CA list in +.I clientca.pem +and the certificate email address is in +.IR tlsclients . + +.TP 5 +.I tlsserverciphers +A set of OpenSSL cipher strings. Multiple ciphers contained in a +string should be separated by a colon. If the environment variable +.B TLSCIPHERS +is set to such a string, it takes precedence. + .SH "SEE ALSO" tcp-env(1), tcp-environ(5), -- cgit v1.2.3
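Review bot: in the first hunk (@@ -19,6 +19,15 @@), the new SMTPS paragraph does not say what happens when SMTPS is non-empty but no server certificate is available, and it leaves the reader to infer from "Otherwise" that the STARTTLS extension is not advertised at all in SMTPS mode. State both explicitly, for example "When SMTPS is set, STARTTLS is not offered; the TLS session requires servercert.pem (see below)", so an operator knows that setting SMTPS on port 465 without a certificate cannot work and that the two modes are mutually exclusive per listener.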
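Review bot: in the clientca.pem/clientcrl.pem hunk (@@ -76,6 +85,19 @@), the clientcrl.pem entry only says that revocation is checked "if present"; say plainly that when the file is absent no revocation checking is performed, since the tlsclients relay rule later in this patch accepts a client purely on the strength of a certificate chaining to clientca.pem, and a revoked client certificate would then still be able to relay. A short cross-reference from clientca.pem to tlsclients would also help, as the two entries are far apart in the page. Minor: "Certifying Authority" is usually written "Certificate Authority".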
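Review bot: the dh2048.pem hunk (@@ -103,6 +125,18 @@) adds the same file name twice, and the second entry, "2048 bit counterpart for dh2048.pem.", describes the file in terms of itself. Either drop the second entry or give it the name of the other parameter file it was meant to document; as written a reader cannot tell whether one or two files are consulted. In the first entry, "these 2048 bit DH parameters" and "instead of generating one on-the-fly" disagree in number ("generating them"), and "timeconsuming" should be "time-consuming".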
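Review bot: in the rsa512.pem/servercert.pem hunk (@@ -178,6 +212,19 @@), documenting a 512-bit RSA key as something qmail-smtpd "will use ... for TLS sessions" is a problem: 512-bit RSA is factorable with modest resources and should not protect any session. If the key exists only to serve temporary-key (export-grade) cipher suites, the entry must say so and warn that it is only reached when such ciphers are enabled; otherwise the option should be removed from the page rather than presented as a normal control file. The servercert.pem entry says the file "Should contain both the certificate and the private key" but gives no guidance on ownership or permissions; add a sentence that the file must be readable by the user qmail-smtpd runs as and by nobody else.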
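Review bot: in the tlsclients/tlsserverciphers hunk (@@ -196,6 +243,24 @@), "the certificate email address" does not say which certificate field is compared against tlsclients (subject emailAddress, subjectAltName rfc822Name, or both); name the field, because an operator issuing client certificates has to know where to put the address for relaying to work, and the answer affects what an attacker holding a certificate from any CA in clientca.pem can claim. For tlsserverciphers, state the default cipher list used when neither the control file nor TLSCIPHERS is set, and note that the value is passed to OpenSSL as a cipher list string, so the usual OpenSSL cipher-list syntax (including "!" and "HIGH" style keywords) applies, not just a colon-separated list of names.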