On Fri, Nov 14, 2014 at 10:10:52AM -0500, Wietse Venema wrote:

Matthias Schneider:
Hello,

I had a very high I/O load on process tlsmgr because the smtp_scache and
smtpd_scache files are written to often (smtp_scache.db ~70MB).

data_directory = /var/lib/postfix
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

Moving /var/lib/postfix to a tmpfs filesystem solved my problem for now,
but I am looking for a better solution.
I noticed that Postfix also supports memcache as a lookup table
(http://www.postfix.org/DATABASE_README.html).
Is this also supported for smtp_tls_session_cache_database? Can anyone
show me a config example?
memcache should work just fine. Specify memcache:/configfile instead
of btree:/pathname. The contents of the configfile are documented
in memcache_table(5). There is no need to change the default ttl
of 3600 seconds.

In main.cf, set smtpd_tls_session_cache_timeout=0 and
smtp_tls_session_cache_timeout=0. Expiration is done in the memcache
server.
IMPORTANT NOTE: Setting the timeout to zero disables session
caching in the SMTP server.  Short lifetimes also bound the session
validity at the SSL library layer (this is NOT just a database
timeout).

1.  Just disable the disk-based SMTP server session cache:

        # Only issue session tickets, let the client do the
        # caching
        #
        smtpd_tls_session_cache_database =

     This requires Postfix >= 2.10 and OpenSSL >= 1.0.0.  You
     might find that entirely solves the problem.

2.  You can reduce the session cache lifetime on the client, which
     should reduce the file size.

     smtpd_tls_session_cache_

3.  DO NOT use TCP to offload the SMTP session cache to remote
     memcache servers.  The session cache contains sensitive session
     master keys that would enable an attacker to decrypt your TLS
     traffic.  When I have some time, I'll add code to tlsmgr(8) to
     encrypt cache entries before storing them into the database
     and to decrypt them when they are read back, using the same
     key rollover code as for SMTP server session ticket keys.



Hello Viktor,

Since my server is more SMTP client than smtpd, I have to tune the smtp_tls_session_cache_database setting. Do you recommend setting smtp_tls_session_cache_database to empty, or using a memcache server for a performance increase?

I am running the latest Postfix 2.11.3 version and OpenSSL >1.0.1.

I'll use a Unix socket or ::1 for security.

Thank you!
Matthias
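A concrete configuration for the memcache approach described above, written as an added example that is not part of this thread: it keeps the client-side cache in a local memcached reached over a UNIX-domain socket (so the session master keys never leave the host, per point 3) and drops the server-side disk cache in favour of session tickets (point 1). The socket path and the memcache table file name are assumptions; both *_session_cache_timeout values are left at their 3600s defaults so the SSL-library lifetime and the memcached ttl agree.

```ini
# /etc/postfix/main.cf (added example; file name and socket path are assumptions)
data_directory = /var/lib/postfix

# SMTP client: session cache lives in memcached instead of a btree file,
# which removes the tlsmgr(8) disk writes on smtp_scache.db
smtp_tls_session_cache_database = memcache:/etc/postfix/smtp_scache_memcache.cf

# SMTP server: no disk cache, issue session tickets and let the client
# cache them (requires Postfix >= 2.10 and OpenSSL >= 1.0.0)
smtpd_tls_session_cache_database =

# Leave the lifetimes at the default 3600s; zero would disable caching
# and also shorten session validity inside the SSL library
# smtp_tls_session_cache_timeout = 3600s
# smtpd_tls_session_cache_timeout = 3600s


# /etc/postfix/smtp_scache_memcache.cf  (memcache_table(5) format)
#
# Local UNIX-domain socket only: cache entries contain TLS session
# master keys, so they must never cross a network link
memcache = unix:/var/run/memcached/memcached.sock

# Expire entries in memcached after the default session lifetime
ttl = 3600
```

The memcached instance should listen only on that socket (or on ::1, as the follow-up suggests), with filesystem permissions restricted to the Postfix user, since anyone who can read the cache can decrypt recorded TLS traffic.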
