Provided by: tlswrapper_0~20250201-1_amd64 
NAME
tlswrapper-smtp - TLS encryption wrapper - smtp helper
SYNOPSIS
tlswrapper-smtp [ options ] prog
DESCRIPTION
The tlswrapper-smtp adds STARTTLS support to old inetd-style SMTP servers which doesn't support STARTTLS
naturally. Is executed as follows:
Internet <--> systemd.socket/inetd/tcpserver/... <--> tlswrapper <--> tlswrapper-smtp <--> smtpprogram
OPTIONS
-q Quiet mode. No error messages.
-v Enable verbose mode. Multiple -v options increase the verbosity. The maximum is 3.
-t seconds
Set the SMTP session timeout to seconds seconds. (default 600).
-T seconds
Set the connect/read/write timeout to seconds seconds. (default 15).
-u user
Run program prog under a specified user's uid and gid
-g host:port
Enable greylist support (postgrey protocol) and use server running on host:port .
-c Handle communication to greylist server in fail-closed mode. If a greylist lookup fails
temporarily, tlswrapper-smtp exits with status 111.
-C Handle communication to greylist server in fail-open mode. If a greylist lookup fails temporarily,
assume that the address is not greylisted (default).
-J jaildir
Chroot into a specified jaildir (default: /var/lib/tlswraper/empty).
-j jailuser
Run under a specified jailuser's uid and gid. If unset run under random uid and gid.
prog program
SECURITY
JAIL - Privilege separation, filesystem isolation, limits
The tlswrapper-smtp similarly to tlswrapper processes runs under dedicated non-zero uid to prohibit kill,
ptrace, etc. Is chrooted into an empty, unwritable directory to prohibit filesystem access. Sets
ulimits to prohibit new files, sockets, etc. Sets ulimits to prohibit forks.
EXAMPLES
run QMAIL qmail-smtpd on port 25 with STARTTLS enabled (without patching QMAIL):
exec softlimit -m 64000000 -f 100000000 \
tcpserver -HRDl0 0 25 \
tlswrapper -v -n -f /etc/ssl/cert.pem \
tlswrapper-smtp -v -u qmaild \
qmail-smtpd
SEE ALSO
tlswrapper(1)
tlswrapper-smtp(1)