On 08/01/2017 03:32 PM, Viktor Dukhovni wrote:
> On Tue, Aug 01, 2017 at 02:41:52PM -0700, mark burdett wrote:
>> Hi, I was curious if there are any plans for postfix to eventually support SMTP connection reuse with STARTTLS.
>
> This requires a complex outbound TLS proxy to cache the connections in process, and handle peer authentication. Some of the work has already been done on the inbound side to enable TLS in postscreen, but much work remains, as outbound TLS is much more complex. This is not likely to happen in the near term.
Thanks for the explanation! It does sound tricky, and would need plenty of regression testing.
>> After enabling TLS, postfix delivery was much slower, and packet capture revealed the connection reset after each message was delivered. Postfix documentation confirms there is no connection reuse with TLS. Unfortunately this dramatically slows down delivery to the relay because of the RTT overhead of new TCP connections.
>
> Increased latency can be amortized with increased concurrency. Just open more connections and the overall throughput rate will remain the same. Throughput = Concurrency / Latency
That's true, as a work-around. Unfortunately we're talking about not just opening a new TCP connection but also reestablishing TLS, which means yet more RTT and CPU. So the increased concurrency will be significant and will require upping limits on the client and server side. I'm guessing most folks in this scenario will prefer to code a lightweight SMTP worker that can reuse connections, running at a lower concurrency.
--mark B.
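As an added illustration of the trade-off argued above (this is example code, not code from the thread or from Postfix), the following model counts the round trips an SMTP client spends per message with and without STARTTLS and with and without connection reuse, then applies Viktor's rule to find the concurrency needed for a target delivery rate. The per-exchange RTT counts (TCP handshake 1 RTT, TLS 1.2 full handshake 2 RTTs, one RTT per SMTP command) and the 50 ms link are assumptions, not measurements, and handshake CPU cost is not modelled.

```python
"""Capacity model for SMTP delivery with and without connection reuse.

All round-trip counts below are assumptions for illustration, not measurements.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class LinkModel:
    rtt_ms: float                 # network round-trip time to the relay
    tcp_handshake_rtts: int = 1   # SYN / SYN-ACK before the banner arrives
    tls_handshake_rtts: int = 2   # TLS 1.2 full handshake (assumed, no resumption)


# Exchanges paid once per connection in plaintext: banner wait, EHLO, QUIT.
PLAINTEXT_PER_CONNECTION_EXCHANGES = 3
# Exchanges paid once per message: MAIL FROM, RCPT TO (one recipient assumed),
# DATA (354 reply), and the end-of-data "." (250 reply).
PER_MESSAGE_EXCHANGES = 4


def rtts_per_message(link: LinkModel, tls: bool, messages_per_connection: int) -> float:
    """Average RTTs per message when each connection carries N messages."""
    if messages_per_connection < 1:
        raise ValueError("a connection must carry at least one message")
    setup = link.tcp_handshake_rtts + PLAINTEXT_PER_CONNECTION_EXCHANGES
    if tls:
        # STARTTLS command/reply, the TLS handshake itself, then EHLO again
        # because the pre-TLS EHLO response must be discarded (RFC 3207).
        setup += 1 + link.tls_handshake_rtts + 1
    # Connection setup is amortized over the messages the connection carries.
    return setup / messages_per_connection + PER_MESSAGE_EXCHANGES


def latency_ms(link: LinkModel, tls: bool, messages_per_connection: int) -> float:
    """Per-message wall-clock latency in milliseconds for this link model."""
    return rtts_per_message(link, tls, messages_per_connection) * link.rtt_ms


def concurrency_needed(link: LinkModel, tls: bool, messages_per_connection: int,
                       target_msgs_per_s: float) -> int:
    """Throughput = Concurrency / Latency, solved for the concurrency needed."""
    in_flight = target_msgs_per_s * latency_ms(link, tls, messages_per_connection) / 1000
    return math.ceil(round(in_flight, 6))  # round first to avoid float noise


if __name__ == "__main__":
    link = LinkModel(rtt_ms=50.0)  # constructed 50 ms path to the relay
    for tls in (False, True):
        for per_conn in (1, 20):
            print(f"tls={tls!s:5} msgs/conn={per_conn:2}  "
                  f"latency={latency_ms(link, tls, per_conn):6.1f} ms  "
                  f"concurrency for 100 msg/s={concurrency_needed(link, tls, per_conn, 100)}")
```

With these assumptions a fresh TLS connection per message costs 12 RTTs against 8 in plaintext, so the client needs half again as many concurrent sessions to hold the same rate, while reusing a connection for 20 messages brings the TLS case down to roughly the plaintext-with-reuse figure.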