author: Henning Brauer <henning@cvs.openbsd.org> 2015-02-07 10:45:20 +0000
committer: Henning Brauer <henning@cvs.openbsd.org> 2015-02-07 10:45:20 +0000
commit: 5a14165d5c63df284344511e33559cef239f6242 (patch)
tree: fc56d829c67db37739ddaa8d33eab64da2e3bdac /libexec/spamd/spamd.8
parent: f0597a31a0e019728c416731216dda32a52356e9 (diff)
add STARTTLS support, using the shiny libtls.
Rationale: when you publish DANE records for certificate pinning, you MUST offer TLS on the indicated service. Not offering TLS is verboten since that would re-open the door for a MitM. This is obviously fundamentally incompatible with having spamd in front of your mailservers - spamd kinda is a MitM here, but intentional and utterly valid. DANE is desirable because it allows one to not have to trust the broken SSL CA model, and, depending on the mode chosen, even show the SSL cert mafia the middle finger by not needing them at all. ok reyk jsing bob
Diffstat (limited to 'libexec/spamd/spamd.8')
-rw-r--r--  libexec/spamd/spamd.8 | 12
1 files changed, 10 insertions, 2 deletions
diff --git a/libexec/spamd/spamd.8 b/libexec/spamd/spamd.8
index 9ff89f64e09..c811eb454ff 100644
--- a/libexec/spamd/spamd.8
+++ b/libexec/spamd/spamd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: spamd.8,v 1.123 2014/11/22 18:15:41 deraadt Exp $
+.\" $OpenBSD: spamd.8,v 1.124 2015/02/07 10:45:19 henning Exp $
.\"
.\" Copyright (c) 2002 Theo de Raadt. All rights reserved.
.\"
@@ -22,7 +22,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: November 22 2014 $
+.Dd $Mdocdate: February 7 2015 $
.Dt SPAMD 8
.Os
.Sh NAME
@@ -33,12 +33,14 @@
.Bk -words
.Op Fl 45bdv
.Op Fl B Ar maxblack
+.Op Fl C Ar file
.Op Fl c Ar maxcon
.Oo
.Fl G
.Ar passtime : Ns Ar greyexp : Ns Ar whiteexp
.Oc
.Op Fl h Ar hostname
+.Op Fl K Ar file
.Op Fl l Ar address
.Op Fl M Ar address
.Op Fl n Ar name
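Review bot: the synopsis lists `.Op Fl C Ar file` and `.Op Fl K Ar file` as two independently optional flags, yet a TLS certificate without its private key (or the key without the certificate) cannot be used to offer STARTTLS. If the two must be given together, group them the way the synopsis already groups the `-G` argument, i.e. wrap both in a single `.Oo ... .Oc` block, so the reader does not infer that either one alone is a valid invocation.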
@@ -130,6 +132,9 @@ When this value is exceeded new blacklisted connections will not be stuttered
at.
.It Fl b
Run in blacklist-only mode.
+.It Fl C Ar file
+Load the certificate for TLS from the given
+.Ar file .
.It Fl c Ar maxcon
The maximum number of concurrent connections to allow.
.Ar maxcon
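Review bot: the new `-C` description says only "Load the certificate for TLS from the given file" and never states the effect, which is that spamd will advertise and accept STARTTLS once a certificate and key are loaded (the commit message says so, the manual page does not). Consider extending the entry with a sentence such as "When both a certificate and a private key are given, STARTTLS is offered to connecting clients." and documenting the expected file format, since the text currently leaves both to the reader.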
@@ -156,6 +161,9 @@ and
to 864 (hours, approximately 36 days).
.It Fl h Ar hostname
The hostname that is reported in the SMTP banner.
+.It Fl K Ar file
+Load the private key for TLS from the given
+.Ar file .
.It Fl l Ar address
Specify the local address to which
.Nm
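Review bot: the `-K` entry documents a private key file but says nothing about who may read it; a one-line note that the file should be readable only by the user spamd is started as (normally root), and that the key is paired with the certificate given via `-C`, would make the sensitivity of this argument explicit and cross-link the two new options. As written, `-K` reads as a standalone option with no relation to `-C`.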