The security of cryptographic software such as TLS depends
critically on the ability to generate unpredictable numbers for
keys and other information. To this end, the
maintains a Pseudo Random Number Generator (PRNG) pool. This is
queried by the
smtpd(8) processes when they initialize.
By default, these daemons request 32 bytes, the equivalent to 256
bits. This is more than sufficient to generate a 128bit (or 168bit)
tls_daemon_random_bytes = 32
In order to feed its in-memory PRNG pool, the
entropy from an external source, both at startup and during run-time.
Specify a good entropy source, like EGD or /dev/urandom; be sure
to only use non-blocking sources (on OpenBSD, use /dev/arandom
tlsmgr(8) complains about /dev/urandom timeout errors).
If the entropy source is not a
regular file, you must prepend the source type to the source name:
"dev:" for a device special file, or "egd:" for a source with EGD
compatible socket interface.
Examples (specify only one in
tls_random_source = dev:/dev/urandom
tls_random_source = egd:/var/run/egd-pool
tlsmgr(8) reads 32 bytes from the external entropy
source at each seeding event. This amount (256bits) is more than
sufficient for generating a 128bit symmetric key. With EGD and
device entropy sources, the
tlsmgr(8) limits the amount of data
read at each step to 255 bytes. If you specify a regular file as
entropy source, a larger amount of data can be read.
tls_random_bytes = 32
In order to update its in-memory PRNG pool, the
queries the external entropy source again after a pseudo-random
amount of time. The time is calculated using the PRNG, and is
between 0 and the maximal time specified with
The default maximal time interval is 1 hour.
tls_random_reseed_period = 3600s
tlsmgr(8) process saves the PRNG state to a persistent
exchange file at regular times and when the process terminates, so
that it can recover the PRNG state the next time it starts up.
This file is created when it does not exist. Its default location
is under the Postfix configuration directory, which is not the
proper place for information that is modified by Postfix. Instead,
the file location should probably be on the /var partition (but
not inside the chroot jail).
tls_random_exchange_name = /etc/postfix/prng_exch
tls_random_prng_update_period = 3600s