On Fri, Nov 14, 2014 at 05:22:34PM +0100, Matthias Schneider wrote:

> Hello Viktor,
> 
> since my server is more smtp client than smtpd i have to tune the
> smtp_tls_session_cache_database setting, do you recommend to set
> smtp_tls_session_cache_database to empty or using a memcache server for
> performance increase?

Your real problem is that you're sending *a lot* to some servers
that promise session caching, but fail to actually cache sessions.

If that's the vast majority of your client connections, you can
indeed simply disable TLS session caching.  Otherwise, you
can configure a clone SMTP transport with:

    nocache unix ... smtp
        -o smtp_tls_session_cache_database=

and route mail for certain nexthop domains via that transport.

To determine which domains support TLS session caching, you can
use posttls-finger (included with 2.11.3 source, make sure to build
with -DUSE_TLS):

    $ posttls-finger -c -r 2 -m 1 -lmay -Lsummary,cache gmail.com
    posttls-finger: looking for session [173.194.68.26]:25&02EBBDE489A3B055A64609B3919EC8E59AF25682182DD7E82D4BAF3FDF388585 in memory cache
    posttls-finger: save session [173.194.68.26]:25&02EBBDE489A3B055A64609B3919EC8E59AF25682182DD7E82D4BAF3FDF388585 to memory cache
    posttls-finger: Untrusted TLS connection established to gmail-smtp-in.l.google.com[173.194.68.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    posttls-finger: Reconnecting after 2 seconds
    posttls-finger: looking for session [173.194.68.26]:25&02EBBDE489A3B055A64609B3919EC8E59AF25682182DD7E82D4BAF3FDF388585 in memory cache
    posttls-finger: reloaded session [173.194.68.26]:25&02EBBDE489A3B055A64609B3919EC8E59AF25682182DD7E82D4BAF3FDF388585 from memory cache
    posttls-finger: gmail-smtp-in.l.google.com[173.194.68.26]:25: Reusing old session
    posttls-finger: Untrusted TLS connection established to gmail-smtp-in.l.google.com[173.194.68.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    posttls-finger: Maximum reconnect count reached.

    $ posttls-finger -c -r 2 -m 1 -lmay -Lsummary,cache postfix.org
    posttls-finger: looking for session [168.100.1.7]:25&6BED8D59EAC9E109BE27219B31481DBD79420A11FF7FFD9BF75E55B7E80DE14A in memory cache
    posttls-finger: save session [168.100.1.7]:25&6BED8D59EAC9E109BE27219B31481DBD79420A11FF7FFD9BF75E55B7E80DE14A to memory cache
    posttls-finger: Anonymous TLS connection established to mail.cloud9.net[168.100.1.7]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
    posttls-finger: Server is anonymous
    posttls-finger: Reconnecting after 2 seconds
    posttls-finger: looking for session [168.100.1.7]:25&6BED8D59EAC9E109BE27219B31481DBD79420A11FF7FFD9BF75E55B7E80DE14A in memory cache
    posttls-finger: reloaded session [168.100.1.7]:25&6BED8D59EAC9E109BE27219B31481DBD79420A11FF7FFD9BF75E55B7E80DE14A from memory cache
    posttls-finger: mail.cloud9.net[168.100.1.7]:25: Reusing old session
    posttls-finger: Anonymous TLS connection established to mail.cloud9.net[168.100.1.7]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
    posttls-finger: Maximum reconnect count reached.

So gmail.com and postfix.org offer and actually reuse sessions.  On the
other hand, storing hotmail, AOL or Yahoo sessions is just a waste
of I/O, since they are rarely if ever reusable.

    $ posttls-finger -c -r 2 -m 1 -lmay -Lsummary,cache hotmail.com
    posttls-finger: looking for session [207.46.8.199]:25&B3615E5BC0C51EF280EB79AC8C2D83BB5062B2BE73D21E5CD2AE6E5577D99934 in memory cache
    posttls-finger: save session [207.46.8.199]:25&B3615E5BC0C51EF280EB79AC8C2D83BB5062B2BE73D21E5CD2AE6E5577D99934 to memory cache
    posttls-finger: Untrusted TLS connection established to mx4.hotmail.com[207.46.8.199]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
    posttls-finger: Reconnecting after 2 seconds
    posttls-finger: looking for session [207.46.8.199]:25&7364A28B331EC120944E55777F8A2AF16784CDC5840C1BA6EF5FE028C66F993E in memory cache
    posttls-finger: save session [207.46.8.199]:25&7364A28B331EC120944E55777F8A2AF16784CDC5840C1BA6EF5FE028C66F993E to memory cache
    posttls-finger: Untrusted TLS connection established to mx4.hotmail.com[207.46.8.199]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
    posttls-finger: Maximum reconnect count reached.

    $ posttls-finger -c -r 2 -m 1 -lmay -Lsummary,cache aol.com
    posttls-finger: looking for session [64.12.91.196]:25&3A40B308D4D0C919F0578116E0DFF7530391F4D4118A674626484D27CD0BE2B0 in memory cache
    posttls-finger: save session [64.12.91.196]:25&3A40B308D4D0C919F0578116E0DFF7530391F4D4118A674626484D27CD0BE2B0 to memory cache
    posttls-finger: Anonymous TLS connection established to mailin-03.mx.aol.com[64.12.91.196]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
    posttls-finger: Server is anonymous
    posttls-finger: Reconnecting after 2 seconds
    posttls-finger: looking for session [64.12.91.196]:25&8B1DE87019CFE68E0285ED2F0C20C7C6BE314DDC39B043FC6ADD3D96B5A5A9FA in memory cache
    posttls-finger: save session [64.12.91.196]:25&8B1DE87019CFE68E0285ED2F0C20C7C6BE314DDC39B043FC6ADD3D96B5A5A9FA to memory cache
    posttls-finger: Anonymous TLS connection established to mailin-03.mx.aol.com[64.12.91.196]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
    posttls-finger: Maximum reconnect count reached.

    $ posttls-finger -c -r 2 -m 1 -lmay -Lsummary,cache yahoo.com
    posttls-finger: looking for session [98.136.217.203]:25&A53B68A7BDE12105B8A974681A2BE9A8A2F4A1530E5B7D4413CD919A848327D2 in memory cache
    posttls-finger: save session [98.136.217.203]:25&A53B68A7BDE12105B8A974681A2BE9A8A2F4A1530E5B7D4413CD919A848327D2 to memory cache
    posttls-finger: Untrusted TLS connection established to mta7.am0.yahoodns.net[98.136.217.203]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    posttls-finger: Reconnecting after 2 seconds
    posttls-finger: looking for session [98.136.217.203]:25&2DF2C714B51AFEFD66564D31C2E2C5A06420388866B4809A03F1CF6EB4642FBA in memory cache
    posttls-finger: save session [98.136.217.203]:25&2DF2C714B51AFEFD66564D31C2E2C5A06420388866B4809A03F1CF6EB4642FBA to memory cache
    posttls-finger: Untrusted TLS connection established to mta7.am0.yahoodns.net[98.136.217.203]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    posttls-finger: Maximum reconnect count reached.

Large sites are only likely to have a working session cache if they
support session tickets.  Google wrote the RFC on TLS session
tickets.  Not surprisingly, they have a working implementation.

The polite thing to do is to leave caching enabled by default (works
with destinations that do it right).  And disable it just for the
few largest that do it wrong (offer sessions but don't generally
resume them).  This requires a transport table entry for each such
"disabled" domain and a master.cf entry as above.

-- 
        Viktor.
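The procedure Viktor describes above (probe each destination with posttls-finger, decide from the reconnect output whether a cached session was actually resumed, and route the ones that don't resume through a "nocache" clone transport) can be scripted. The following is an added example, not code from the original message or from Postfix itself. It assumes a master.cf transport named "nocache" exactly as in the message, and the posttls-finger output it classifies is a constructed sample modelled on the "Reusing old session" versus repeated "save session" patterns shown above, not a live probe; the domain names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): classify posttls-finger
# -Lsummary,cache output by whether the reconnect resumed a cached session,
# and emit transport_maps lines routing the non-resuming domains through
# the "nocache" clone transport from the message.  Runs offline on the
# constructed samples below; probe_domain() is the live equivalent.

# classify_cache: read posttls-finger output on stdin and print one word:
#   reuse    - a reconnect reported "Reusing old session"
#   noreuse  - a reconnect happened but every attempt saved a fresh session
#   unknown  - no reconnect seen (e.g. -r 0, or TLS never established)
classify_cache() {
    out=$(cat)
    case "$out" in
        *'Reusing old session'*) echo reuse ;;
        *'Reconnecting after'*)  echo noreuse ;;
        *)                       echo unknown ;;
    esac
}

# probe_domain: live probe, same flags as in the message (2 reconnects,
# 1 second apart, opportunistic TLS).  Not called below so the script
# stays runnable without network access.
probe_domain() {
    posttls-finger -c -r 2 -m 1 -lmay -Lsummary,cache "$1" 2>&1 | classify_cache
}

# transport_entry: print a transport_maps line only for domains whose
# sessions are never resumed; the others keep the default (cached) smtp.
# "nocache" is the assumed master.cf transport name from the message.
transport_entry() {
    if [ "$2" = noreuse ]; then
        printf '%s\tnocache:\n' "$1"
    fi
    return 0
}

# Constructed samples (shape taken from the message's output; IDs and
# hosts are placeholders, 192.0.2.0/24 is documentation address space).
SAMPLE_REUSE='posttls-finger: looking for session [192.0.2.10]:25&0A0A0A in memory cache
posttls-finger: save session [192.0.2.10]:25&0A0A0A to memory cache
posttls-finger: Untrusted TLS connection established to mx.good.example[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
posttls-finger: Reconnecting after 1 seconds
posttls-finger: looking for session [192.0.2.10]:25&0A0A0A in memory cache
posttls-finger: reloaded session [192.0.2.10]:25&0A0A0A from memory cache
posttls-finger: mx.good.example[192.0.2.10]:25: Reusing old session
posttls-finger: Untrusted TLS connection established to mx.good.example[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
posttls-finger: Maximum reconnect count reached.'

SAMPLE_NOREUSE='posttls-finger: looking for session [192.0.2.20]:25&0B0B0B in memory cache
posttls-finger: save session [192.0.2.20]:25&0B0B0B to memory cache
posttls-finger: Untrusted TLS connection established to mx.bad.example[192.0.2.20]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
posttls-finger: Reconnecting after 1 seconds
posttls-finger: looking for session [192.0.2.20]:25&0C0C0C in memory cache
posttls-finger: save session [192.0.2.20]:25&0C0C0C to memory cache
posttls-finger: Untrusted TLS connection established to mx.bad.example[192.0.2.20]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
posttls-finger: Maximum reconnect count reached.'

# Walk the samples as if they were probe results and print the resulting
# transport_maps fragment on stdout (classification goes to stderr).
main() {
    for d in good.example bad.example; do
        case "$d" in
            good.example) sample=$SAMPLE_REUSE ;;
            *)            sample=$SAMPLE_NOREUSE ;;
        esac
        cls=$(printf '%s\n' "$sample" | classify_cache)
        echo "$d: $cls" >&2
        transport_entry "$d" "$cls"
    done
}
main
```

For live use, replace the sample loop with `probe_domain` over your top destinations and feed the printed lines into a `transport_maps` file (then `postmap` it). Note that a single "noreuse" result can also come from a load balancer handing the reconnect to a different backend, so probe each heavy destination a few times before adding it to the map.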
