.TH tlswrapper\-smtp 1 .SH NAME tlswrapper\-smtp \- TLS encryption wrapper \- smtp helper .SH SYNOPSIS .B tlswrapper\-smtp [ options ] \fIprog\fR .SH DESCRIPTION .PP The \fBtlswrapper\-smtp\fR adds STARTTLS support to old inetd-style SMTP servers which doesn't support STARTTLS naturally. Is executed as follows: .PP Internet <\-\-> systemd.socket/inetd/tcpserver/... <\-\-> \fBtlswrapper\fR <\-\-> \fBtlswrapper\-smtp\fR <\-\-> smtpprogram .PP .SH OPTIONS .TP .B \-q Quiet mode. No error messages. .TP .B \-v Enable verbose mode. Multiple \-v options increase the verbosity. The maximum is 3. .TP .B \-t \fIseconds\fR Set the SMTP session timeout to seconds \fIseconds\fR. (default 600). .TP .B \-T \fIseconds\fR Set the connect/read/write timeout to seconds \fIseconds\fR. (default 15). .TP .B \-u \fIuser\fR Run program \fIprog\fR under a specified \fIuser\fR's uid and gid .TP .B \-g \fIhost:port\fR Enable greylist support (postgrey protocol) and use server running on \fIhost:port\fR . .TP .B \-c Handle communication to greylist server in fail-closed mode. If a greylist lookup fails temporarily, \fBtlswrapper-smtp\fR exits with status 111. .TP .B \-C Handle communication to greylist server in fail-open mode. If a greylist lookup fails temporarily, assume that the address is not greylisted (default). .TP .B \-J \fIjaildir\fR Chroot into a specified \fIjaildir\fR (default: /var/lib/tlswraper/empty). .TP .B \-j \fIjailuser\fR Run under a specified \fIjailuser\fR's uid and gid. If unset run under random uid and gid. .TP .I prog program .SH SECURITY .B JAIL \- Privilege separation, filesystem isolation, limits .PP The \fBtlswrapper\-smtp\fR similarly to \fBtlswrapper\fR processes runs under dedicated non\-zero uid to prohibit kill, ptrace, etc. Is chrooted into an empty, unwritable directory to prohibit filesystem access. Sets ulimits to prohibit new files, sockets, etc. Sets ulimits to prohibit forks. .PP .SH EXAMPLES .PP run QMAIL qmail-smtpd on port 25 with STARTTLS enabled (without patching QMAIL): .RS 4 .nf exec softlimit -m 64000000 -f 100000000 \\ tcpserver \-HRDl0 0 25 \\ tlswrapper \-v \-n \-f /etc/ssl/cert.pem \\ tlswrapper-smtp \-v \-u qmaild \\ qmail-smtpd .fi .RE .PP .SH SEE ALSO .BR tlswrapper (1)