NAME
tlsrpt-reportd - A daemon to create and deliver TLSRPT reports according to RFC 8460.

SYNOPSIS
tlsrpt-reportd [OPTION]

DESCRIPTION
The tlsrpt-reportd is the final component in the TLSRPT framework. An MTA (Mail Transfer Agent) reports successful delivery or encountered errors via libtlsrpt to a tlsrpt-collectd which collects and pre-aggregates the data. The tlsrpt-fetcher associated with a tlsrpt-collectd transfers the pre-aggregated data to the tlsrpt-reportd. The tlsrpt-reportd can retrieve data from multiple tlsrpt-fetchers and aggregates the pre-aggregated data into the final reports. Those reports are gzip-compressed and sent out to the destinations as specified in the TLSRPT DNS records of the domains that have received emails from the MTA.

A simple data flow diagram visualizing the interaction of the components looks like this:

    (MTA)
      v
    libtlsrpt
      v
    tlsrpt-collectd
      v
    (storage)
      v
    tlsrpt-fetcher
      v
    tlsrpt-reportd
      v
    (report destination)

OPTIONS

Report creation and configuration options
--contact_info=addr Use addr as contact info in the TLSRPT report
according to RFC 8460.
--organization_name=descr Use descr as name of the organization sending the
TLSRPT report according to RFC 8460.
--sender_address=email Use email as "From:" address when
sending reports via email.
--fetchers=list List of fetcher commands to retrieve data. Multiple
fetcher commands can be given separated by commas.
--dbname=path Use SQLite data base at location path.
--compression_level=n Use compression level n to gzip-compress the
TLSRPT reports.
--keep_days=n Keep old data for n days before deleting from the
database.

Report delivery options
--spread_out_delivery=sec Spread out the delivery of TLSRPT reports over sec
seconds. This setting should be set to several hours according to RFC 8460,
section 4.1. For example, set spread_out_delivery to 14400 to spread out the
delivery of the reports over four hours.
--sendmail_script=path Use the script path to send a TLSRPT report via
email.
--sendmail_timeout=sec Set timeout of sec seconds for email requests to
deliver reports.
--http_script=path Use the script path to upload a TLSRPT report via
HTTP(S).
--http_timeout=sec Set timeout of sec seconds for HTTP POST requests
to deliver reports.
--max_retries_delivery=n Give up after n failed attempts to deliver a
report to its destination.
--min_wait_delivery=sec Minimum time to wait before retrying a failed report
delivery attempt.
--max_wait_delivery=sec Maximum time to wait before retrying a failed report
delivery attempt.

Options controlling the interaction with one or more tlsrpt-collectd
--max_collectd_timediff=sec Log a warning if the collectd clock reported by its
fetcher differs by more than sec seconds from the reportd's
clock. The reportd starts querying the fetchers sec seconds after the
UTC day change, so a clock difference bigger than sec seconds indicates
the collectd might not yet be ready to provide the complete data for the
previous day.
--max_collectd_timeout=sec Wait at most sec seconds for a fetcher to finish a
request for data from its collectd.
--max_retries_domaindetails=n Give up after n failed attempts to retrieve report
details for a domain.
--min_wait_domaindetails=sec Minimum time to wait before retry after a failed attempt
to get the report details for a domain from a tlsrpt-collectd.
--max_wait_domaindetails=sec Maximum time to wait before retry after a failed attempt
to get the report details for a domain from a tlsrpt-collectd.
--max_retries_domainlist=n Give up after n failed attempts to retrieve the
list of domains from a tlsrpt-collectd.
--min_wait_domainlist=sec Minimum time to wait before retry after a failed attempt
to get the list of domains from a tlsrpt-collectd.
--max_wait_domainlist=sec Maximum time to wait before retry after a failed attempt
to get the list of domains from a tlsrpt-collectd.
--interval_main_loop=sec Wake up an idle main loop even if there are no tasks
after sec seconds of inactivity.

Debug and development options
--debug_db=n Control database debugging: 0 turns database debugging
off, 1 activates logging of database statements.
--debug_send_file_dest=dir Save reports into directory dir in addition to
their delivery via email or HTTP POST requests.
--debug_send_mail_dest=path Override the email destination to send out reports via
email. Please note: With this option set, reports to email destinations will
not be sent to the requested destination from the TLSRPT DNS record but to
this replacement address instead! This option must not be used on production
systems!
--debug_send_http_dest=path Override the HTTP POST destination to send out reports
via HTTP POST requests. Please note: With this option set, reports to HTTP
POST destinations will not be sent to the requested destination from the
TLSRPT DNS record but to this replacement URL instead! This option must not be
used on production systems!

General options
--config_file=filename Read options from the section tlsrpt_reportd of the
INI-style configuration file filename. Environment variables override
settings from the configuration file and command line options override
both.
--help Print a help message describing all options.
--pidfilename=path Specifies the file that contains the process ID of the
tlsrpt-reportd daemon. An empty string will cause no PID file to be
created.

Logging options
--logfilename=filename Use filename as log file.
--log_level=level Set log level to level, allowed values: debug,
info, warn, error.

ENVIRONMENT
All config options except --help and --config_file can also be set via environment variables. The environment variable for a configuration option is the prefix TLSRPT_REPORTD_ followed by the configuration setting name in all caps. For example, the --log_level option can instead be configured using the TLSRPT_REPORTD_LOG_LEVEL environment variable.

EXAMPLES
Retrieve data from a local fetcher with standard configuration and from another local fetcher with a different storage:

    tlsrpt-reportd --fetchers "tlsrpt-fetcher, tlsrpt-fetcher --storage sqlite:///tmp/test.sqlite"

Retrieve data from a local fetcher and a remote fetcher:

    tlsrpt-reportd --fetchers "tlsrpt-fetcher, ssh user@remote tlsrpt-fetcher"

EXIT STATUS
0 Success.
1 Failure.

SEE ALSO
man:tlsrpt-collectd[1], man:tlsrpt-fetcher[1]

AUTHOR
Boris Lohner
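
The precedence rule under --config_file and the warnings on --debug_send_mail_dest and --debug_send_http_dest combine into a pre-deployment check. The following is an added example, not code from tlsrpt-reportd: it resolves options from a config file, the environment and a command line, then lists any delivery override that is still set. It assumes INI keys are the option names without the leading dashes; all sample values are constructed.

```python
import configparser
SECTION = "tlsrpt_reportd"       # INI section named on the man page
ENV_PREFIX = "TLSRPT_REPORTD_"   # environment prefix named on the man page
DEBUG_OVERRIDES = ("debug_send_mail_dest", "debug_send_http_dest")

def parse_argv(argv):
    """Collect '--name=value' and '--name value' pairs from a command line."""
    opts, i = {}, 0
    while i < len(argv):
        if argv[i].startswith("--"):
            name, sep, value = argv[i][2:].partition("=")
            if not sep and i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                i, value = i + 1, argv[i + 1]
            opts[name] = value
        i += 1
    return opts

def effective_settings(ini_text, environ, argv):
    """Resolve {option: (value, source)}: config file < environment < command line."""
    settings = {}
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    if parser.has_section(SECTION):
        # Assumption: INI keys are the option names without the leading dashes.
        for key, value in parser.items(SECTION):
            settings[key] = (value, "config file")
    for key, value in environ.items():
        if key.startswith(ENV_PREFIX):
            settings[key[len(ENV_PREFIX):].lower()] = (value, "environment")
    for key, value in parse_argv(argv).items():
        settings[key] = (value, "command line")
    return settings

def production_findings(settings):
    """List every delivery override that is present, with the source that set it."""
    return [f"{name} set via {settings[name][1]}: reports go to {settings[name][0]!r}"
            for name in DEBUG_OVERRIDES if name in settings]

# Constructed sample inputs, not taken from a real deployment.
SAMPLE_INI = """[tlsrpt_reportd]
log_level = warn
debug_send_http_dest = https://staging.example.net/tlsrpt
"""
SAMPLE_ENV = {"TLSRPT_REPORTD_LOG_LEVEL": "info",
              "TLSRPT_REPORTD_DEBUG_SEND_MAIL_DEST": "qa@example.net"}
SAMPLE_ARGV = ["--log_level=debug", "--fetchers", "tlsrpt-fetcher"]

if __name__ == "__main__":
    print("\n".join(production_findings(effective_settings(SAMPLE_INI, SAMPLE_ENV, SAMPLE_ARGV))))
```

An empty list from production_findings means neither override reaches the daemon from any of the three sources, so reports go to the destinations published in the TLSRPT DNS records.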