path: root/qmail-smtpd.8
author    John Denker <jsd@av8n.com>  2016-01-01 18:15:35 (GMT)
committer John Denker <jsd@av8n.com>  2016-01-02 00:33:29 (GMT)
commit    a16bea1ca0aa3ef44919fbe045b9040874fd8628 (patch)
tree      99ac443b96f8b89f8a480bb378b619d18e8cfc31 /qmail-smtpd.8
parent    4dabcdf185f53439af8fdf71bd2da7317336bcf0 (diff)
the big starttls patch
Diffstat (limited to 'qmail-smtpd.8')
-rw-r--r--  qmail-smtpd.8 | 65
1 files changed, 65 insertions, 0 deletions
diff --git a/qmail-smtpd.8 b/qmail-smtpd.8
index 3e6cce2..4e83fe1 100644
--- a/qmail-smtpd.8
+++ b/qmail-smtpd.8
@@ -19,6 +19,15 @@ must be supplied several environment variables;
see
.BR tcp-environ(5) .
+If the environment variable
+.B SMTPS
+is non-empty,
+.B qmail-smtpd
+starts a TLS session (to support the deprecated SMTPS protocol,
+normally on port 465). Otherwise,
+.B qmail-smtpd
+offers the STARTTLS extension to ESMTP.
+
.B qmail-smtpd
is responsible for counting hops.
It rejects any message with 100 or more
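Review bot: the new SMTPS paragraph does not say what the TLS session it starts depends on, and "offers the STARTTLS extension to ESMTP" reads as unconditional; state whether STARTTLS is advertised only when the server certificate file is present and what a client sees when it is not, since an operator reading this page cannot otherwise tell why the extension might be missing from the EHLO reply. Also, if the text keeps calling SMTPS "deprecated", say what that means for an operator (whether port 465 should still be served at all), or drop the word and describe it neutrally as implicit TLS on port 465.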
@@ -76,6 +85,19 @@ may be of the form
.BR @\fIhost ,
meaning every address at
.IR host .
+
+.TP 5
+.I clientca.pem
+A list of Certifying Authority (CA) certificates that are used to verify
+the client-presented certificates during a TLS-encrypted session.
+
+.TP 5
+.I clientcrl.pem
+A list of Certificate Revocation Lists (CRLs). If present it
+should contain the CRLs of the CAs in
+.I clientca.pem
+and client certs will be checked for revocation.
+
.TP 5
.I databytes
Maximum number of bytes allowed in a message,
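Review bot: the clientcrl.pem entry says client certificates "will be checked for revocation" but not what happens when the file is absent, when a CRL in it has expired, or when a client certificate's issuer has no CRL listed; state whether verification fails closed in those cases, because this verification later decides whether relaying is granted. Minor: "Certifying Authority" is used here where "Certificate Authority" is the usual expansion of CA; use one form consistently across the new entries.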
@@ -103,6 +125,18 @@ If the environment variable
.B DATABYTES
is set, it overrides
.IR databytes .
+
+.TP 5
+.I dh2048.pem
+If these 2048 bit DH parameters are provided,
+.B qmail-smtpd
+will use them for TLS sessions instead of generating one on-the-fly
+(which is very timeconsuming).
+.TP 5
+.I dh2048.pem
+2048 bit counterpart for
+.B dh2048.pem.
+
.TP 5
.I localiphost
Replacement host name for local IP addresses.
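Review bot: the second .TP entry in this hunk is a copy-paste slip: it is titled dh2048.pem again and describes itself as the "2048 bit counterpart for dh2048.pem", which is circular. Either remove the duplicate or give it the file name and parameter size it is meant to document. Also "timeconsuming" should be "time-consuming", the trailing period in ".B dh2048.pem." will be rendered in bold with the name, and the blank line that separates every other .TP entry is missing before the second one.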
@@ -178,6 +212,19 @@ may include wildcards:
Envelope recipient addresses without @ signs are
always allowed through.
+
+.TP 5
+.I rsa512.pem
+If this 512 bit RSA key is provided,
+.B qmail-smtpd
+will use it for TLS sessions instead of generating one on-the-fly.
+
+.TP 5
+.I servercert.pem
+SSL certificate to be presented to clients in TLS-encrypted sessions.
+Should contain both the certificate and the private key. Certifying Authority
+(CA) and intermediate certificates can be added at the end of the file.
+
.TP 5
.I smtpgreeting
SMTP greeting message.
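Review bot: the rsa512.pem entry documents a 512-bit RSA key without saying what it is used for; a 512-bit modulus is far below any current minimum, so the text should name the purpose (for example, which cipher suites would ever negotiate it) so an operator can decide to leave the file out, or the entry should go together with the feature. Style: "SSL certificate" in the servercert.pem entry should read "TLS certificate" to match the rest of the hunk, and since the file is stated to hold the private key, the entry should say it must be readable only by the user qmail-smtpd runs as.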
@@ -196,6 +243,24 @@ Number of seconds
.B qmail-smtpd
will wait for each new buffer of data from the remote SMTP client.
Default: 1200.
+
+.TP 5
+.I tlsclients
+A list of email addresses. When relay rules would reject an incoming message,
+.B qmail-smtpd
+can allow it if the client presents a certificate that can be verified against
+the CA list in
+.I clientca.pem
+and the certificate email address is in
+.IR tlsclients .
+
+.TP 5
+.I tlsserverciphers
+A set of OpenSSL cipher strings. Multiple ciphers contained in a
+string should be separated by a colon. If the environment variable
+.B TLSCIPHERS
+is set to such a string, it takes precedence.
+
.SH "SEE ALSO"
tcp-env(1),
tcp-environ(5),
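Review bot: the tlsclients entry says the "certificate email address" is compared against the list but not which certificate field is read (the subjectAltName rfc822Name or the subject's emailAddress attribute) nor whether the comparison is case-sensitive; because a match overrides the relay rules, this needs to be precise. The tlsserverciphers entry should state what cipher list is used when neither the file nor TLSCIPHERS is set, and "cipher strings ... separated by a colon" is simply an OpenSSL cipher list, so calling it that and adding ciphers(1) to SEE ALSO would help readers.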