[PATCH] qregex-starttls-2way-auth-20060423-mm

author: manuel <manuel@mausz.at> 2013-02-04 02:32:40 +0100
committer: manuel <manuel@mausz.at> 2013-02-04 02:32:40 +0100
commit: 8514473287c9594137c6fbc39f5619672ebc2430 (patch)
tree: a5b965d8c7b60dee396bf8ebe25dd3eddfaa6753 /qmail-smtpd.8
parent: 35ddb916045abafaa4ae2c778b9383059fa06726 (diff)
download: qmail-8514473287c9594137c6fbc39f5619672ebc2430.tar.gz
qmail-8514473287c9594137c6fbc39f5619672ebc2430.tar.bz2
qmail-8514473287c9594137c6fbc39f5619672ebc2430.zip
1 files changed, 131 insertions, 2 deletions
diff --git a/qmail-smtpd.8 b/qmail-smtpd.8
index c4640b8..ce0dc02 100644
--- a/qmail-smtpd.8
+++ b/qmail-smtpd.8
@@ -14,6 +14,15 @@ must be supplied several environment variables;
 see
 .BR tcp-environ(5) .
+If the environment variable
+.B SMTPS
+is non-empty,
+.B qmail-smtpd
+starts a TLS session (to support the deprecated SMTPS protocol,
+normally on port 465). Otherwise,
+.B qmail-smtpd
+offers the STARTTLS extension to ESMTP.
 .B qmail-smtpd
 is responsible for counting hops.
 It rejects any message with 100 or more 
@@ -23,7 +32,30 @@ or
 header fields.
 .B qmail-smtpd
-supports ESMTP, including the 8BITMIME and PIPELINING options.
+supports ESMTP, including the 8BITMIME, DATA, PIPELINING, SIZE, and AUTH options.
+.B qmail-smtpd
+includes a \'MAIL FROM:\' parameter parser and obeys \'Auth\' and \'Size\' advertisements.
+.B qmail-smtpd
+can accept LOGIN, PLAIN, and CRAM-MD5 AUTH types. It invokes
+.IR checkprogram ,
+which reads on file descriptor 3 the username, a 0 byte, the password
+or CRAM-MD5 digest/response derived from the SMTP client,
+another 0 byte, a CRAM-MD5 challenge (if applicable to the AUTH type),
+and a final 0 byte.
+.I checkprogram
+invokes
+.I subprogram
+upon successful authentication, which should in turn return 0 to
+.BR qmail-smtpd ,
+effectively setting the environment variables $RELAYCLIENT and $TCPREMOTEINFO
+(any supplied value replaced with the authenticated username).
+.B qmail-smtpd
+will reject the authentication attempt if it receives a nonzero return
+value from
+.I checkprogram
+or
+.IR subprogram .
 .SH TRANSPARENCY
 .B qmail-smtpd
 converts the SMTP newline convention into the UNIX newline convention
@@ -37,11 +69,26 @@ accepts messages that contain long lines or non-ASCII characters,
 even though such messages violate the SMTP protocol.
 .SH "CONTROL FILES"
 .TP 5
+.I badhelo
+Unacceptable HELO/EHLO host names.
+.B qmail-smtpd
+will reject every recipient address for a message if
+the host name is listed in, 
+or matches a POSIX regular expression pattern listed in,
+.IR badhelo .
+If the 
+.B NOBADHELO 
+environment variable is set, then the contents of 
+.IR badhelo 
+will be ignored.
+For more information, please have a look at doc/README.qregex.
+.TP 5
 .I badmailfrom
 Unacceptable envelope sender addresses.
 .B qmail-smtpd
 will reject every recipient address for a message
-if the envelope sender address is listed in
+if the envelope sender address is listed in, or matches a POSIX regular expression
+pattern listed in,
 .IR badmailfrom .
 A line in
 .I badmailfrom
@@ -49,6 +96,45 @@ may be of the form
 .BR @\fIhost ,
 meaning every address at
 .IR host .
+For more information, please have a look at doc/README.qregex.
+.TP 5
+.I badmailfromnorelay
+Functions the same as the
+.IR badmailfrom
+control file but is read only if the
+.B RELAYCLIENT
+environment variable is not set.
+For more information, please have a look at doc/README.qregex.
+.TP 5
+.I badmailto
+Unacceptable envelope recipient addresses.
+.B qmail-smtpd
+will reject every recipient address for a message if the recipient address
+is listed in,
+or matches a POSIX regular expression pattern listed in,
+.IR badmailto .
+For more information, please have a look at doc/README.qregex.
+.TP 5
+.I badmailtonorelay
+Functions the same as the
+.IR badmailto
+control file but is read only if the
+.B RELAYCLIENT
+environment variable is not set.
+For more information, please have a look at doc/README.qregex.
+.TP 5
+.I clientca.pem
+A list of Certifying Authority (CA) certificates that are used to verify
+the client-presented certificates during a TLS-encrypted session.
+.TP 5
+.I clientcrl.pem
+A list of Certificate Revocation Lists (CRLs). If present it
+should contain the CRLs of the CAs in 
+.I clientca.pem 
+and client certs will be checked for revocation.
 .TP 5
 .I databytes
 Maximum number of bytes allowed in a message,
@@ -76,6 +162,18 @@ If the environment variable
 .B DATABYTES
 is set, it overrides
 .IR databytes .
+.TP 5
+.I dh1024.pem
+If these 1024 bit DH parameters are provided,
+.B qmail-smtpd
+will use them for TLS sessions instead of generating one on-the-fly 
+(which is very timeconsuming).
+.TP 5
+.I dh512.pem
+512 bit counterpart for 
+.B dh1024.pem. 
 .TP 5
 .I localiphost
 Replacement host name for local IP addresses.
@@ -151,6 +249,19 @@ may include wildcards:
 Envelope recipient addresses without @ signs are
 always allowed through.
+.TP 5
+.I rsa512.pem
+If this 512 bit RSA key is provided,
+.B qmail-smtpd
+will use it for TLS sessions instead of generating one on-the-fly.
+.TP 5
+.I servercert.pem
+SSL certificate to be presented to clients in TLS-encrypted sessions.
+Should contain both the certificate and the private key. Certifying Authority
+(CA) and intermediate certificates can be added at the end of the file.
 .TP 5
 .I smtpgreeting
 SMTP greeting message.
@@ -169,6 +280,24 @@ Number of seconds
 .B qmail-smtpd
 will wait for each new buffer of data from the remote SMTP client.
 Default: 1200.
+.TP 5
+.I tlsclients
+A list of email addresses. When relay rules would reject an incoming message,
+.B qmail-smtpd
+can allow it if the client presents a certificate that can be verified against
+the CA list in
+.I clientca.pem
+and the certificate email address is in
+.IR tlsclients .
+.TP 5
+.I tlsserverciphers
+A set of OpenSSL cipher strings. Multiple ciphers contained in a
+string should be separated by a colon. If the environment variable
+.B TLSCIPHERS
+is set to such a string, it takes precedence.
 .SH "SEE ALSO"
 tcp-env(1),
 tcp-environ(5),
author	manuel <manuel@mausz.at>	2013-02-04 02:32:40 +0100
committer	manuel <manuel@mausz.at>	2013-02-04 02:32:40 +0100
commit	8514473287c9594137c6fbc39f5619672ebc2430 (patch)
tree	a5b965d8c7b60dee396bf8ebe25dd3eddfaa6753 /qmail-smtpd.8
parent	35ddb916045abafaa4ae2c778b9383059fa06726 (diff)
download	qmail-8514473287c9594137c6fbc39f5619672ebc2430.tar.gz qmail-8514473287c9594137c6fbc39f5619672ebc2430.tar.bz2 qmail-8514473287c9594137c6fbc39f5619672ebc2430.zip

diff --git a/qmail-smtpd.8 b/qmail-smtpd.8 index c4640b8..ce0dc02 100644 --- a/qmail-smtpd.8 +++ b/qmail-smtpd.8
@@ -14,6 +14,15 @@ must be supplied several environment variables;
14	see	14	see
15	.BR tcp-environ(5) .	15	.BR tcp-environ(5) .
16		16
		17	If the environment variable
		18	.B SMTPS
		19	is non-empty,
		20	.B qmail-smtpd
		21	starts a TLS session (to support the deprecated SMTPS protocol,
		22	normally on port 465). Otherwise,
		23	.B qmail-smtpd
		24	offers the STARTTLS extension to ESMTP.
		25
17	.B qmail-smtpd	26	.B qmail-smtpd
18	is responsible for counting hops.	27	is responsible for counting hops.
19	It rejects any message with 100 or more	28	It rejects any message with 100 or more
@@ -23,7 +32,30 @@ or
23	header fields.	32	header fields.
24		33
25	.B qmail-smtpd	34	.B qmail-smtpd
26	supports ESMTP, including the 8BITMIME and PIPELINING options.	35	supports ESMTP, including the 8BITMIME, DATA, PIPELINING, SIZE, and AUTH options.
		36	.B qmail-smtpd
		37	includes a \'MAIL FROM:\' parameter parser and obeys \'Auth\' and \'Size\' advertisements.
		38	.B qmail-smtpd
		39	can accept LOGIN, PLAIN, and CRAM-MD5 AUTH types. It invokes
		40	.IR checkprogram ,
		41	which reads on file descriptor 3 the username, a 0 byte, the password
		42	or CRAM-MD5 digest/response derived from the SMTP client,
		43	another 0 byte, a CRAM-MD5 challenge (if applicable to the AUTH type),
		44	and a final 0 byte.
		45	.I checkprogram
		46	invokes
		47	.I subprogram
		48	upon successful authentication, which should in turn return 0 to
		49	.BR qmail-smtpd ,
		50	effectively setting the environment variables $RELAYCLIENT and $TCPREMOTEINFO
		51	(any supplied value replaced with the authenticated username).
		52	.B qmail-smtpd
		53	will reject the authentication attempt if it receives a nonzero return
		54	value from
		55	.I checkprogram
		56	or
		57	.IR subprogram .
		58
27	.SH TRANSPARENCY	59	.SH TRANSPARENCY
28	.B qmail-smtpd	60	.B qmail-smtpd
29	converts the SMTP newline convention into the UNIX newline convention	61	converts the SMTP newline convention into the UNIX newline convention
@@ -37,11 +69,26 @@ accepts messages that contain long lines or non-ASCII characters,
37	even though such messages violate the SMTP protocol.	69	even though such messages violate the SMTP protocol.
38	.SH "CONTROL FILES"	70	.SH "CONTROL FILES"
39	.TP 5	71	.TP 5
		72	.I badhelo
		73	Unacceptable HELO/EHLO host names.
		74	.B qmail-smtpd
		75	will reject every recipient address for a message if
		76	the host name is listed in,
		77	or matches a POSIX regular expression pattern listed in,
		78	.IR badhelo .
		79	If the
		80	.B NOBADHELO
		81	environment variable is set, then the contents of
		82	.IR badhelo
		83	will be ignored.
		84	For more information, please have a look at doc/README.qregex.
		85	.TP 5
40	.I badmailfrom	86	.I badmailfrom
41	Unacceptable envelope sender addresses.	87	Unacceptable envelope sender addresses.
42	.B qmail-smtpd	88	.B qmail-smtpd
43	will reject every recipient address for a message	89	will reject every recipient address for a message
44	if the envelope sender address is listed in	90	if the envelope sender address is listed in, or matches a POSIX regular expression
		91	pattern listed in,
45	.IR badmailfrom .	92	.IR badmailfrom .
46	A line in	93	A line in
47	.I badmailfrom	94	.I badmailfrom
@@ -49,6 +96,45 @@ may be of the form
49	.BR @\fIhost ,	96	.BR @\fIhost ,
50	meaning every address at	97	meaning every address at
51	.IR host .	98	.IR host .
		99	For more information, please have a look at doc/README.qregex.
		100	.TP 5
		101	.I badmailfromnorelay
		102	Functions the same as the
		103	.IR badmailfrom
		104	control file but is read only if the
		105	.B RELAYCLIENT
		106	environment variable is not set.
		107	For more information, please have a look at doc/README.qregex.
		108	.TP 5
		109	.I badmailto
		110	Unacceptable envelope recipient addresses.
		111	.B qmail-smtpd
		112	will reject every recipient address for a message if the recipient address
		113	is listed in,
		114	or matches a POSIX regular expression pattern listed in,
		115	.IR badmailto .
		116	For more information, please have a look at doc/README.qregex.
		117	.TP 5
		118	.I badmailtonorelay
		119	Functions the same as the
		120	.IR badmailto
		121	control file but is read only if the
		122	.B RELAYCLIENT
		123	environment variable is not set.
		124	For more information, please have a look at doc/README.qregex.
		125
		126	.TP 5
		127	.I clientca.pem
		128	A list of Certifying Authority (CA) certificates that are used to verify
		129	the client-presented certificates during a TLS-encrypted session.
		130
		131	.TP 5
		132	.I clientcrl.pem
		133	A list of Certificate Revocation Lists (CRLs). If present it
		134	should contain the CRLs of the CAs in
		135	.I clientca.pem
		136	and client certs will be checked for revocation.
		137
52	.TP 5	138	.TP 5
53	.I databytes	139	.I databytes
54	Maximum number of bytes allowed in a message,	140	Maximum number of bytes allowed in a message,
@@ -76,6 +162,18 @@ If the environment variable
76	.B DATABYTES	162	.B DATABYTES
77	is set, it overrides	163	is set, it overrides
78	.IR databytes .	164	.IR databytes .
		165
		166	.TP 5
		167	.I dh1024.pem
		168	If these 1024 bit DH parameters are provided,
		169	.B qmail-smtpd
		170	will use them for TLS sessions instead of generating one on-the-fly
		171	(which is very timeconsuming).
		172	.TP 5
		173	.I dh512.pem
		174	512 bit counterpart for
		175	.B dh1024.pem.
		176
79	.TP 5	177	.TP 5
80	.I localiphost	178	.I localiphost
81	Replacement host name for local IP addresses.	179	Replacement host name for local IP addresses.
@@ -151,6 +249,19 @@ may include wildcards:
151		249
152	Envelope recipient addresses without @ signs are	250	Envelope recipient addresses without @ signs are
153	always allowed through.	251	always allowed through.
		252
		253	.TP 5
		254	.I rsa512.pem
		255	If this 512 bit RSA key is provided,
		256	.B qmail-smtpd
		257	will use it for TLS sessions instead of generating one on-the-fly.
		258
		259	.TP 5
		260	.I servercert.pem
		261	SSL certificate to be presented to clients in TLS-encrypted sessions.
		262	Should contain both the certificate and the private key. Certifying Authority
		263	(CA) and intermediate certificates can be added at the end of the file.
		264
154	.TP 5	265	.TP 5
155	.I smtpgreeting	266	.I smtpgreeting
156	SMTP greeting message.	267	SMTP greeting message.
@@ -169,6 +280,24 @@ Number of seconds
169	.B qmail-smtpd	280	.B qmail-smtpd
170	will wait for each new buffer of data from the remote SMTP client.	281	will wait for each new buffer of data from the remote SMTP client.
171	Default: 1200.	282	Default: 1200.
		283
		284	.TP 5
		285	.I tlsclients
		286	A list of email addresses. When relay rules would reject an incoming message,
		287	.B qmail-smtpd
		288	can allow it if the client presents a certificate that can be verified against
		289	the CA list in
		290	.I clientca.pem
		291	and the certificate email address is in
		292	.IR tlsclients .
		293
		294	.TP 5
		295	.I tlsserverciphers
		296	A set of OpenSSL cipher strings. Multiple ciphers contained in a
		297	string should be separated by a colon. If the environment variable
		298	.B TLSCIPHERS
		299	is set to such a string, it takes precedence.
		300
172	.SH "SEE ALSO"	301	.SH "SEE ALSO"
173	tcp-env(1),	302	tcp-env(1),
174	tcp-environ(5),	303	tcp-environ(5),