On Fri, Nov 14, 2014 at 05:58:04PM +0000, Viktor Dukhovni wrote:

> So for now, you'll need to tune by hand for a few large receiving
> domains.  As for hotmail, it seems unlikely that "unsalted" sessions
> would work better, they don't support session tickets:
> 
>     posttls-finger: SSL_connect:before/connect initialization
>     posttls-finger: SSL_connect:SSLv2/v3 write client hello A
>     posttls-finger: SSL_connect:SSLv3 read server hello A
>     posttls-finger: SSL_connect:SSLv3 read server certificate A
>     posttls-finger: SSL_connect:SSLv3 read server key exchange A
>     posttls-finger: SSL_connect:SSLv3 read server done A
>     posttls-finger: SSL_connect:SSLv3 write client key exchange A
>     posttls-finger: SSL_connect:SSLv3 write change cipher spec A
>     posttls-finger: SSL_connect:SSLv3 write finished A
>     posttls-finger: SSL_connect:SSLv3 flush data
>     posttls-finger: SSL_connect:SSLv3 read finished A
> 
> so are unlikely to have a unified cross-server cache.  Compare with:

The situation may be more promising for Yahoo:

    posttls-finger: SSL_connect:before/connect initialization
    posttls-finger: SSL_connect:SSLv2/v3 write client hello A
    posttls-finger: SSL_connect:SSLv3 read server hello A
    posttls-finger: SSL_connect:SSLv3 read server certificate A
    posttls-finger: SSL_connect:SSLv3 read server key exchange A
    posttls-finger: SSL_connect:SSLv3 read server done A
    posttls-finger: SSL_connect:SSLv3 write client key exchange A
    posttls-finger: SSL_connect:SSLv3 write change cipher spec A
    posttls-finger: SSL_connect:SSLv3 write finished A
    posttls-finger: SSL_connect:SSLv3 flush data
    posttls-finger: SSL_connect:SSLv3 read server session ticket A
    posttls-finger: SSL_connect:SSLv3 read finished A

Here session reuse would perhaps work better without the "salt",
but I don't have command-line code at hand to find out.  (However,
you could test with smtp_reply_filter):

    http://www.postfix.org/postconf.5.html#smtp_reply_filter

    Suitable PCRE table:

        /^(250-mta)\d+(\.mail\..*\.yahoo\.com[ \t\r\n].*)/ $1-N$2

Bash example:

    $ postmap -q \
        "$(printf "250-mta1377.mail.ne1.yahoo.com\r\n250-PIPELINING\r\n250-SIZE 41943040\r\n250 8BITMIME\r\n")" \
        pcre:<(echo '/^(250-mta)\d+(\.mail\..*\.yahoo\.com[ \t\r\n].*)/ $1-N$2')
    250-mta-N.mail.ne1.yahoo.com
    250-PIPELINING
    250-SIZE 41943040
    250 8BITMIME

That would lead to a lot fewer cache entries for Yahoo, whether
they end up re-used or not.  One per data-centre, rather than one
per MTA.

A similar mapping for the hotmail MTA names could also reduce I/O
load by re-cycling a smaller number of cache entries, rather than
constantly writing new ones.

-- 
        Viktor.
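As an added illustration (not part of the original post), the following Python re-implements the PCRE rule above over constructed sample EHLO replies, using re.DOTALL and re.IGNORECASE to mirror the Postfix pcre_table defaults (the `s` and `i` flags are on unless toggled, which is why the whole multi-line reply survives the rewrite), and counts how many distinct greeting names remain after filtering.

```python
import re

# Rule from the post, translated from Postfix pcre_table syntax.
# Postfix pcre: tables default to flags "i" and "s" (PCRE_CASELESS, PCRE_DOTALL),
# so "." must also match newlines here; without DOTALL only the first line
# of the reply would be returned as the lookup result.
YAHOO_RULE = re.compile(
    r"^(250-mta)\d+(\.mail\..*\.yahoo\.com[ \t\r\n].*)",
    re.IGNORECASE | re.DOTALL,
)
YAHOO_REPLACEMENT = r"\1-N\2"   # pcre_table "$1-N$2" in Python template syntax


def filter_reply(reply: str) -> str:
    """Apply the smtp_reply_filter rule to one complete EHLO reply.

    As with a pcre: table, the result is the right-hand side alone (the match
    covers the whole reply); a lookup miss leaves the reply unchanged.
    """
    m = YAHOO_RULE.match(reply)
    if m is None:
        return reply
    return m.expand(YAHOO_REPLACEMENT)


def distinct_greetings(replies, apply_filter=True):
    """Set of distinct greeting lines (first reply line), optionally after
    filtering: one entry per distinct name the cache key would be built from."""
    out = set()
    for r in replies:
        text = filter_reply(r) if apply_filter else r
        out.add(text.split("\r\n", 1)[0])
    return out


# Constructed sample replies: two Yahoo MTAs in the same data-centre and one
# unrelated server (placeholder name) that must pass through untouched.
SAMPLE_REPLIES = [
    "250-mta1377.mail.ne1.yahoo.com\r\n250-PIPELINING\r\n250-SIZE 41943040\r\n250 8BITMIME\r\n",
    "250-mta1299.mail.ne1.yahoo.com\r\n250-PIPELINING\r\n250-SIZE 41943040\r\n250 8BITMIME\r\n",
    "250-mx.example.net\r\n250-PIPELINING\r\n250 8BITMIME\r\n",
]

if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        print(filter_reply(r).rstrip())
    print(len(distinct_greetings(SAMPLE_REPLIES, apply_filter=False)), "->",
          len(distinct_greetings(SAMPLE_REPLIES)))
```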
