A. Schulze:
> Hello,
>
> I'd like to ask about a documented limitation
> (http://www.postfix.org/CONNECTION_CACHE_README.html#limitations)
>
> "For this reason, the Postfix smtp(8) client always closes the
> connection after completing an attempt to deliver mail over TLS."

Indeed. Postfix can migrate the TCP connection from one process to
another, but the TLS library does not support migration of live TLS
state. It supports reuse on new connections only.

Possible solutions would be:

- Don't worry about it.  Postfix connection caching keeps TCP
connections open for only a few seconds, whereas TLS session tickets
have much larger lifetimes. Unless your use case is very specialized,
you would not be reusing TCP connections often anyway.

- Implement inter-process migration of live TLS state in the TLS
library. This is unlikely because the use case is specific to MTAs
that have a multi-process implementation.

- For each destination, use dedicated SMTP clients that handle all
TLS sessions with that destination (no inter-process migration),
and cache TCP+TLS state in those processes. Unfortunately, that
does not scale to thousands of destinations.

- Use a single-process implementation for TLS, and cache TCP+TLS
state in that process. That would be a departure from Postfix's
multi-process model, but we already have this for non-whitelisted
clients handled by postscreen+tlsproxy. It would make Postfix more
fragile.

> I'm concerned because I see increasing traffic delivered via TLS.
> Is it true that now /every single message/ requires TCP connect,
> TLS handshake, message transmission and TCP close?  So SMTP session
> caching doesn't happen anymore?

TCP handshake, TLS session ticket reuse, TLS shutdown, TCP close.

The Postfix SMTP client keeps (plaintext) TCP connections open for
only a few seconds, so you would not be reusing TCP connections often
unless you have a very specialized use case. With TLS, the session
tickets give more benefit because they have longer lifetimes.

        Wietse
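The distinction Wietse draws above, reuse of cached TLS session state on a new connection versus migration of live TLS state, can be seen directly with Go's crypto/tls. This is an added example, not Postfix code or code from this thread: it runs a throw-away TLS server on loopback, opens two separate TCP connections from a client that keeps a session cache, and shows that the second handshake resumes from the ticket issued on the first, even though the first TCP connection is already closed. The certificate, the "220 ready" banner and the function names are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T { // panic on error to keep the demo short
	if err != nil {
		panic(err)
	}
	return v
}

// ResumeTwice starts a throw-away TLS server on loopback, dials it over two separate TCP
// connections sharing one client session cache, and reports whether each handshake resumed.
func ResumeTwice() (first, second bool) {
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // self-signed cert for 127.0.0.1, in memory, demo only
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}))
	defer ln.Close()
	go func() { // server side: send a banner on each connection, then hang up
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.Write([]byte("220 ready\r\n"))
			c.Close()
		}
	}()
	cfg := &tls.Config{RootCAs: pool, ClientSessionCache: tls.NewLRUClientSessionCache(8)}
	dial := func() bool { // a new TCP connection each time; only the session cache is shared
		c := must(tls.Dial("tcp", ln.Addr().String(), cfg))
		defer c.Close()
		c.Read(make([]byte, 64)) // reading lets the client process the post-handshake session ticket
		return c.ConnectionState().DidResume
	}
	return dial(), dial() // Go evaluates the calls left to right: full handshake, then resumption
}

func main() {
	fmt.Println(ResumeTwice()) // false true
}
```

The first connection is a full handshake and the second resumes, which is the benefit session tickets give across Postfix's short-lived smtp(8) processes; nothing from the first TLS connection's live state is carried over.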
