Postfix Documentation

Compatibility with Postfix < 2.2 TLS support

Postfix version 2.2 TLS support is based on the Postfix/TLS patch by Lutz Jänicke, but differs in a few minor ways.

  • main.cf: Specify "btree" instead of "sdbm" for TLS session cache databases.

    TLS session cache databases are now accessed only by the tlsmgr(8) process, so there are no more concurrency issues. Although Postfix has an sdbm client, the sdbm library (1000 lines of code) is not included with Postfix.

    TLS session caches can use any database that can store objects of several kbytes or more, and that implements the sequence operation. In most cases, btree databases should be adequate.

    NOTE: You cannot use DBM databases. TLS session objects are too large.

  • master.cf: Specify "unix" instead of "fifo" as the tlsmgr service type.

    The smtp(8) and smtpd(8) processes now use a client-server protocol in order to access the tlsmgr(8) pseudo-random number generation (PRNG) pool, and in order to access the TLS session cache databases. Such a protocol cannot be run across fifos.

  • smtp_tls_per_site: the MUST_NOPEERMATCH per-site policy cannot override the global "smtp_tls_enforce_peername = yes" setting.

  • smtp_tls_per_site: a combined (NONE + MAY) lookup result for (hostname and next-hop destination) produces counter-intuitive results for different main.cf settings. TLS is enabled with "smtp_tls_enforce_peername = no", but it is disabled when both "smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = yes".

The smtp_tls_per_site limitations were removed by the end of the Postfix 2.2 support cycle.
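The two configuration changes above (btree instead of sdbm for the session cache databases in main.cf, unix instead of fifo for the tlsmgr service in master.cf) are easy to miss when carrying an old config forward. The script below is an added example, not part of the Postfix documentation: it audits a main.cf and master.cf pair for those pre-2.2 settings and shows the legacy values beside their 2.2-style replacements. The file contents are constructed for the demo; the parameter names are the standard smtp_tls_session_cache_database and smtpd_tls_session_cache_database, and the tlsmgr wakeup/maxproc columns are assumed to follow the stock master.cf of each version.

```shell
#!/bin/sh
# Added example (not Postfix's own code): flag Postfix < 2.2 TLS settings.
# All file contents below are constructed for demonstration.

TMPDIR_DEMO=$(mktemp -d)
trap 'rm -rf "$TMPDIR_DEMO"' EXIT

# Constructed: pre-2.2 style (sdbm session caches, fifo tlsmgr service).
cat > "$TMPDIR_DEMO/main.cf.old" <<'EOF'
smtpd_tls_session_cache_database = sdbm:/var/lib/postfix/smtpd_scache
smtp_tls_session_cache_database = sdbm:/var/lib/postfix/smtp_scache
smtp_tls_enforce_peername = yes
EOF
cat > "$TMPDIR_DEMO/master.cf.old" <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command
smtp      inet  n       -       n       -       -       smtpd
tlsmgr    fifo  -       -       n       300     1       tlsmgr
EOF

# Constructed: Postfix 2.2 style (btree session caches, unix-domain tlsmgr).
cat > "$TMPDIR_DEMO/main.cf.new" <<'EOF'
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_enforce_peername = yes
EOF
cat > "$TMPDIR_DEMO/master.cf.new" <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command
smtp      inet  n       -       n       -       -       smtpd
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
EOF

# Report TLS session cache parameters that use sdbm: or dbm: (the page says
# DBM databases cannot hold TLS session objects). Returns 0 if none, else 1.
check_main_cf() {
    bad=$(grep -E '^[[:space:]]*smtpd?_tls_session_cache_database[[:space:]]*=[[:space:]]*s?dbm:' "$1")
    if [ -n "$bad" ]; then
        printf '%s: session cache must be btree, not dbm/sdbm:\n%s\n' "$1" "$bad"
        return 1
    fi
    return 0
}

# Report a tlsmgr service whose type column is fifo instead of unix.
# Returns 0 when tlsmgr is absent or already unix, 1 when it is fifo.
check_master_cf() {
    bad=$(awk '$1 == "tlsmgr" && $2 == "fifo"' "$1")
    if [ -n "$bad" ]; then
        printf '%s: tlsmgr must be a unix service, not fifo:\n%s\n' "$1" "$bad"
        return 1
    fi
    return 0
}

# Run both checks on a main.cf/master.cf pair; returns 0 only if both pass.
audit_postfix_tls() {
    rc=0
    check_main_cf "$1" || rc=1
    check_master_cf "$2" || rc=1
    return $rc
}

# Demo: the legacy pair needs migration, the 2.2-style pair passes.
if audit_postfix_tls "$TMPDIR_DEMO/main.cf.old" "$TMPDIR_DEMO/master.cf.old"; then
    echo "legacy config: OK (unexpected)"
else
    echo "legacy config: needs migration"
fi
if audit_postfix_tls "$TMPDIR_DEMO/main.cf.new" "$TMPDIR_DEMO/master.cf.new"; then
    echo "2.2-style config: OK"
fi
```

Point the two check functions at a live /etc/postfix/main.cf and master.cf to audit a real installation; the grep deliberately matches only the two session cache parameters, so other uses of dbm-type tables elsewhere in main.cf are not reported.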
