On Fri, Nov 14, 2014 at 10:10:52AM -0500, Wietse Venema wrote:

> Matthias Schneider:
> > Hello,
> > 
> > I had a very high I/O load on process tlsmgr because the smtp_scache and 
> > smtpd_scache files are written to often (smtp_scache.db ~70mb) .
> > 
> > data_directory = /var/lib/postfix
> > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> > 
> > moving /var/lib/postfix to a tmpfs filesystem solved my problem for now, 
> > but i am looking for a better solution.
> > I noticed that postfix also supports memcache as lookup table 
> > (http://www.postfix.org/DATABASE_README.html)
> > is this also supported for smtp_tls_session_cache_database ? Can anyone 
> > show me a config example?
> 
> memcache should work just fine. Specify memcache:/configfile instead
> of btree:/pathname. The contents of the configfile are documented
> in memcache_table(5). There is no need to change the default ttl
> of 3600 seconds.
> 
> In main.cf, set smtpd_tls_session_cache_timeout=0 and
> smtp_tls_session_cache_timeout=0. Expiration is done in the memcache
> server.

IMPORTANT NOTE: Setting the timeout to zero disables session
caching in the SMTP server.  Short lifetimes also bound the session
validity at the SSL library layer; this is NOT just a database
timeout.

1.  Just disable the disk based SMTP server session cache,

        # Only issue session tickets, let the client do the
        # caching
        #
        smtpd_tls_session_cache_database =

    This requires Postfix >= 2.10 and OpenSSL >= 1.0.0.  You
    might find that entirely solves the problem.

2.  You can reduce the session cache lifetime on the client, which
    should reduce the file size.

    smtpd_tls_session_cache_

3.  DO NOT use TCP to offload the SMTP session cache to remote
    memcache servers.  The session cache contains sensitive session
    master keys that would enable an attacker to decrypt your TLS
    traffic.  When I have some time, I'll add code to tlsmgr(8) to
    encrypt cache entries before storing them into the database
    and to decrypt them when they are read back, using the same
    key rollover code as for SMTP server session ticket keys.

-- 
        Viktor.
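A configuration along the lines of the replies above, added here as an example and not taken from the thread or from the Postfix project itself: the server-side disk cache is disabled (item 1, tickets only), the client cache goes to a memcache server reachable only over a local UNIX-domain socket so the session master keys from item 3 never cross the network, and the memcache ttl is left at the default 3600 seconds to match the default smtp_tls_session_cache_timeout. The socket path and the postfix group name are assumptions.

```ini
# /etc/postfix/main.cf (excerpt)
#
# Item 1: no server-side disk cache; only issue session tickets and
# let the client do the caching (Postfix >= 2.10, OpenSSL >= 1.0.0).
smtpd_tls_session_cache_database =

# Client-side cache moved from btree:${data_directory}/smtp_scache
# to a memcache table defined in a separate file (memcache_table(5)).
smtp_tls_session_cache_database = memcache:/etc/postfix/smtp_scache.cf

# Left at the default (3600s) so the Postfix-side lifetime and the
# memcache ttl below agree; do not set it to 0 on the server side,
# which disables caching entirely (see the IMPORTANT NOTE above).
smtp_tls_session_cache_timeout = 3600s


# /etc/postfix/smtp_scache.cf  (memcache_table(5) format)
#
# Item 3: never "inet:host:port" to a remote box; the cached entries
# contain TLS session master keys in the clear.  A local UNIX-domain
# socket keeps them on this host.  Assumed socket path; start memcached
# with "memcached -s /var/run/memcached/smtp_scache.sock -a 0660" and run
# it in a group (here assumed "postfix") that tlsmgr(8) belongs to.
memcache   = unix:/var/run/memcached/smtp_scache.sock

# No fallback table; no btree file means no 70MB file and no disk I/O.
backup     =

# Expire entries in memcached after the default 3600 seconds.
ttl        = 3600

# Namespace the keys in case the same memcached instance is shared
# with other Postfix tables (e.g. verify or postscreen caches).
key_format = smtp_scache:%s
```

The "key_format" prefix and the empty "backup" are optional, but an empty backup is what guarantees that nothing falls back to an on-disk btree file when memcached is unreachable.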
