NAME

tlswrapper-smtp - TLS encryption wrapper - smtp helper

SYNOPSIS

tlswrapper-smtp [ options ] prog

DESCRIPTION

The tlswrapper-smtp adds STARTTLS support to old inetd-style SMTP servers which doesn't support STARTTLS naturally. Is executed as follows:

Internet <--> systemd.socket/inetd/tcpserver/... <--> tlswrapper <--> tlswrapper-smtp <--> smtpprogram

OPTIONS

-q

Quiet mode. No error messages.

-v

Enable verbose mode. Multiple -v options increase the verbosity. The maximum is 3.

-t seconds

Set the SMTP session timeout to seconds seconds. (default 600).

-T seconds

Set the connect/read/write timeout to seconds seconds. (default 15).

-u user

Run program prog under a specified user's uid and gid

-g host:port

Enable greylist support (postgrey protocol) and use server running on host:port .

-c

Handle communication to greylist server in fail-closed mode. If a greylist lookup fails temporarily, tlswrapper-smtp exits with status 111.

-C

Handle communication to greylist server in fail-open mode. If a greylist lookup fails temporarily, assume that the address is not greylisted (default).

-J jaildir

Chroot into a specified jaildir (default: /var/lib/tlswraper/empty).

-j jailuser

Run under a specified jailuser's uid and gid. If unset run under random uid and gid.

prog

program

SECURITY

JAIL - Privilege separation, filesystem isolation, limits

The tlswrapper-smtp similarly to tlswrapper processes runs under dedicated non-zero uid to prohibit kill, ptrace, etc. Is chrooted into an empty, unwritable directory to prohibit filesystem access. Sets ulimits to prohibit new files, sockets, etc. Sets ulimits to prohibit forks.

EXAMPLES

run QMAIL qmail-smtpd on port 25 with STARTTLS enabled (without patching QMAIL):

exec softlimit -m 64000000 -f 100000000 \
tcpserver -HRDl0 0 25 \
tlswrapper -v -n -f /etc/ssl/cert.pem \
tlswrapper-smtp -v -u qmaild \
qmail-smtpd

SEE ALSO

tlswrapper(1)