687
edits
Changes
From SME Server
Jump to navigationJump to searchCreated page with "<span id="_top">Qpsmtpd#Plugins</span> = NAME = tls - plugin to support STARTTLS = SYNOPSIS = # in config/plugins tls ['''cert_path priv_key_pa..."
<span id="_top">[[Qpsmtpd#Plugins]]</span>
= [[#___top|NAME]] =
tls - plugin to support STARTTLS
= [[#___top|SYNOPSIS]] =
# in config/plugins
tls ['''cert_path priv_key_path ca_path dhparam_path''']
; '''cert_path'''
: Path to the server certificate file. Default: ''ssl/qpsmtpd-server.crt''
; '''priv_key_path'''
: Path to the private key file. Default: ''ssl/qpsmtpd-server.key''
; '''ca_path'''
: Path to the certificate authority file. Default: ''ssl/qpsmtpd-ca.crt''
; '''dhparam_path'''
: Path to the DH parameter file if you want Diffie-Hellman key exchange. Default: ''ssl/qpsmtpd-dhparam.pem''
= [[#___top|DESCRIPTION]] =
This plugin implements basic TLS support. It can also be used to support port 465 (SMTP over SSL), but only with qpsmtpd-forkserver. In this case, be sure to load plugins/tls before any other connect plugins and start qpsmtpd like this:
<pre> qpsmtpd-forkserver --port 25 --port 465</pre>
You can also specify multiple --listen-address options as well; see the help for qpsmtpd-forkserver for more details.
If TLS is successfully negotiated then the <tt>tls_enabled</tt> field in the Connection notes is set. If you wish to make TLS mandatory you should check that field and take appropriate action. Note that you can only do that from MAIL FROM onwards.
Use the script <tt>plugins/tls_cert</tt> to automatically generate a self-signed certificate with the appropriate characteristics. Otherwise, you should give absolute pathnames to the certificate, key, and the CA root cert used to sign that certificate.
= [[#___top|CIPHERS and COMPATIBILITY]] =
By default, we use only the plugins that openssl considers to be "high security". If you need to tweak the available ciphers for some broken client (such as Versamail 3.x), have a look at the available ciphers at [http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS], and put a suitable string in config/tls_ciphers (e.g. "DEFAULT" or "HIGH:MEDIUM")
= [[#___top|SSL/TLS protocols versions]] =
By default, SSLv2 and SSLv3 are not accepted, leaving only TLSv1, TLSv1.1 or TLSv1.2 enabled. You can customize this in config/tls_protocols For example, this will also disabled TLSv1, leaving only TLSv1.1 and TLSv1.2
SSLv23:!SSLv2:!SSLv3:!TLSv1
<!-- Generated Sun Jul 30 08:26:42 EDT 2017 using
perldoc -T -ohtml /usr/share/qpsmtpd/plugins/tls |pandoc -f html -t mediawiki |sed 1 i\\n\n\n<span id="_top">[[Qpsmtpd#Plugins]]</span> |sed -e s#</d.>##
-->
----
[[Category:Qpsmtpd|tls]]
= [[#___top|NAME]] =
tls - plugin to support STARTTLS
= [[#___top|SYNOPSIS]] =
# in config/plugins
tls ['''cert_path priv_key_path ca_path dhparam_path''']
; '''cert_path'''
: Path to the server certificate file. Default: ''ssl/qpsmtpd-server.crt''
; '''priv_key_path'''
: Path to the private key file. Default: ''ssl/qpsmtpd-server.key''
; '''ca_path'''
: Path to the certificate authority file. Default: ''ssl/qpsmtpd-ca.crt''
; '''dhparam_path'''
: Path to the DH parameter file if you want Diffie-Hellman key exchange. Default: ''ssl/qpsmtpd-dhparam.pem''
= [[#___top|DESCRIPTION]] =
This plugin implements basic TLS support. It can also be used to support port 465 (SMTP over SSL), but only with qpsmtpd-forkserver. In this case, be sure to load plugins/tls before any other connect plugins and start qpsmtpd like this:
<pre> qpsmtpd-forkserver --port 25 --port 465</pre>
You can also specify multiple --listen-address options as well; see the help for qpsmtpd-forkserver for more details.
If TLS is successfully negotiated then the <tt>tls_enabled</tt> field in the Connection notes is set. If you wish to make TLS mandatory you should check that field and take appropriate action. Note that you can only do that from MAIL FROM onwards.
Use the script <tt>plugins/tls_cert</tt> to automatically generate a self-signed certificate with the appropriate characteristics. Otherwise, you should give absolute pathnames to the certificate, key, and the CA root cert used to sign that certificate.
= [[#___top|CIPHERS and COMPATIBILITY]] =
By default, we use only the plugins that openssl considers to be "high security". If you need to tweak the available ciphers for some broken client (such as Versamail 3.x), have a look at the available ciphers at [http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS], and put a suitable string in config/tls_ciphers (e.g. "DEFAULT" or "HIGH:MEDIUM")
= [[#___top|SSL/TLS protocols versions]] =
By default, SSLv2 and SSLv3 are not accepted, leaving only TLSv1, TLSv1.1 or TLSv1.2 enabled. You can customize this in config/tls_protocols For example, this will also disabled TLSv1, leaving only TLSv1.1 and TLSv1.2
SSLv23:!SSLv2:!SSLv3:!TLSv1
<!-- Generated Sun Jul 30 08:26:42 EDT 2017 using
perldoc -T -ohtml /usr/share/qpsmtpd/plugins/tls |pandoc -f html -t mediawiki |sed 1 i\\n\n\n<span id="_top">[[Qpsmtpd#Plugins]]</span> |sed -e s#</d.>##
-->
----
[[Category:Qpsmtpd|tls]]
