| tlswrapper-smtp(1) | General Commands Manual | tlswrapper-smtp(1) |
NAME¶
tlswrapper-smtp - TLS encryption wrapper - smtp helper
SYNOPSIS¶
tlswrapper-smtp [ options ] prog
DESCRIPTION¶
The tlswrapper-smtp adds STARTTLS support to old inetd-style SMTP servers which doesn't support STARTTLS naturally. Is executed as follows:
Internet <--> systemd.socket/inetd/tcpserver/... <--> tlswrapper <--> tlswrapper-smtp <--> smtpprogram
OPTIONS¶
- -q
- Quiet mode. No error messages.
- -v
- Enable verbose mode. Multiple -v options increase the verbosity. The maximum is 3.
- -t seconds
- Set the SMTP session timeout to seconds seconds. (default 600).
- -T seconds
- Set the connect/read/write timeout to seconds seconds. (default 15).
- -u user
- Run program prog under a specified user's uid and gid
- -g host:port
- Enable greylist support (postgrey protocol) and use server running on host:port .
- -c
- Handle communication to greylist server in fail-closed mode. If a greylist lookup fails temporarily, tlswrapper-smtp exits with status 111.
- -C
- Handle communication to greylist server in fail-open mode. If a greylist lookup fails temporarily, assume that the address is not greylisted (default).
- -J jaildir
- Chroot into a specified jaildir (default: /var/lib/tlswraper/empty).
- -j jailuser
- Run under a specified jailuser's uid and gid. If unset run under random uid and gid.
- prog
- program
SECURITY¶
JAIL - Privilege separation, filesystem isolation, limits
The tlswrapper-smtp similarly to tlswrapper processes runs under dedicated non-zero uid to prohibit kill, ptrace, etc. Is chrooted into an empty, unwritable directory to prohibit filesystem access. Sets ulimits to prohibit new files, sockets, etc. Sets ulimits to prohibit forks.
EXAMPLES¶
run QMAIL qmail-smtpd on port 25 with STARTTLS enabled (without patching QMAIL):
exec softlimit -m 64000000 -f 100000000 \ tcpserver -HRDl0 0 25 \ tlswrapper -v -n -f /etc/ssl/cert.pem \ tlswrapper-smtp -v -u qmaild \ qmail-smtpd