> On Dec 13, 2016, at 11:05 AM, Wietse Venema <wie...@porcupine.org> wrote:
> 
> 
> In principle, tlsproxy can handle this, but using a proxy would
> only move the persistent connections from SMTP clients to proxy
> processes. Delegation just means that the problem has to be solved
> elsewhere :-(

Yes, that just solves the issue that live TLS connection state
cannot be serialized for migration between processes.  So the
connection has to stay in the process that creates it, which
can be handled via (reverse) proxies.

> There would still be the reuse of sessions with different SASL
> credentials, or sessions for different domains with different TLS
> policies that happen to connect to the same MX hosts.

Indeed, once the proxies are in place, the right policy attributes
need to be correctly encoded in the connection cache handle and
the lookup protocol, and re-use needs to avoid all the potential
problems.  As we both said, this would be a difficult project to
get right and difficult to review.

-- 
        Viktor.
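As an added illustration of the point in the reply above (not code from the thread or from Postfix itself): a connection cache keyed only on the MX host hands an existing session to deliveries that used different SASL credentials or a different TLS policy, while keying on the full policy tuple prevents that. The attribute set and the conservative exact-match rule are assumptions, not Postfix's actual cache protocol.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ConnPolicy:
    """Attributes a cached SMTP connection was established under.

    Constructed illustration: the exact attribute set is an assumption,
    not Postfix's real connection-cache handle."""
    mx_host: str                # MX host:port the socket is open to
    sasl_user: Optional[str]    # SASL login used, None if unauthenticated
    tls_level: str              # e.g. "may", "encrypt", "verify", "secure"
    tls_names: Tuple[str, ...]  # certificate names that were verified, if any


class NaiveCache:
    """Keys only on the MX host: reuses a session across unrelated policies."""
    def __init__(self) -> None:
        self._conns: Dict[str, int] = {}

    def store(self, policy: ConnPolicy, conn_id: int) -> None:
        self._conns[policy.mx_host] = conn_id

    def lookup(self, policy: ConnPolicy) -> Optional[int]:
        return self._conns.get(policy.mx_host)


class PolicyAwareCache:
    """Keys on the whole policy tuple, so a session is reused only by a delivery
    with identical SASL credentials and TLS requirements (conservative choice:
    exact match, rather than reasoning about which levels subsume others)."""
    def __init__(self) -> None:
        self._conns: Dict[ConnPolicy, int] = {}

    def store(self, policy: ConnPolicy, conn_id: int) -> None:
        self._conns[policy] = conn_id

    def lookup(self, policy: ConnPolicy) -> Optional[int]:
        return self._conns.get(policy)


def demo() -> Tuple[Optional[int], Optional[int]]:
    """Two domains whose MX resolves to the same host but with different
    SASL credentials and TLS policy (constructed sample values)."""
    a = ConnPolicy("mx.example.net:25", "user-a", "encrypt", ())
    b = ConnPolicy("mx.example.net:25", "user-b", "secure", ("mx.example.net",))
    naive, aware = NaiveCache(), PolicyAwareCache()
    naive.store(a, 1)
    aware.store(a, 1)
    # The naive cache hands domain B the session authenticated as user-a;
    # the policy-aware cache reports a miss and forces a fresh connection.
    return naive.lookup(b), aware.lookup(b)
```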
