Viktor Dukhovni:
> > > > On Mar 20, 2018, at 11:34 PM, Wietse Venema <wie...@porcupine.org> wrote:
> > > >
> > > > 3) duplicate some TLSA logic in the tlsproxy daemon, if it can't
> > > > be factored out into a reusable library.
> >
> > It is probably time to refactor the original Postfix 2.11 DANE internals
> > to look a lot more like the new DANE API in OpenSSL 1.1.0, which should
> > serialize a bit more easily.
> >
> > One complication is that we often have more than one smtp(8) delivery
> > agent in master.cf, and different delivery agent instances may have
> > different settings for smtp_tls_CAfile and smtp_tls_CApath, different
> > cipher requirements, .... And yet I don't think we'd want a separate
> > per-agent-instance proxy.
I think that this (sharing the same tlsproxy endpoint with connections that have different TLS profiles) is an optimization that can be added later. The implementation is obvious: store one connection under multiple connection cache lookup keys, where each lookup key encodes some set of TLS properties. Right now, the SMTP connection cache already stores one connection under multiple keys: one for destination, and one for MX host.

Wietse
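The multi-key cache sketched above, as an added illustration that is not Postfix's own code: one connection is filed under a destination key and an MX-host key, each also encoding the TLS profile it was negotiated with, so a lookup from an agent with different CAfile/CApath/cipher settings misses rather than reusing a connection verified under other rules. The TlsProfile fields, key formats and class names are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class TlsProfile:
    """Hypothetical subset of per-agent TLS settings that must match
    before a cached connection may be reused."""
    ca_file: str
    ca_path: str
    ciphers: str

    def key(self) -> str:
        return f"tls={self.ca_file}|{self.ca_path}|{self.ciphers}"


@dataclass
class Connection:
    conn_id: int
    profile: TlsProfile
    # every lookup key this connection is filed under, so eviction
    # can drop all aliases and leave no dangling key behind
    keys: Set[str] = field(default_factory=set)


class ConnectionCache:
    def __init__(self) -> None:
        self._by_key: Dict[str, Connection] = {}

    @staticmethod
    def _keys(dest: str, mx_host: str, profile: TlsProfile) -> Tuple[str, str]:
        # one key per way a later delivery may ask for the connection
        tls = profile.key()
        return (f"dest={dest};{tls}", f"mx={mx_host};{tls}")

    def store(self, conn: Connection, dest: str, mx_host: str) -> None:
        for k in self._keys(dest, mx_host, conn.profile):
            self._by_key[k] = conn
            conn.keys.add(k)

    def lookup(self, dest: str, mx_host: str, profile: TlsProfile) -> Optional[Connection]:
        # the profile is part of the key: a mismatch is a cache miss
        for k in self._keys(dest, mx_host, profile):
            if k in self._by_key:
                return self._by_key[k]
        return None

    def evict(self, conn: Connection) -> None:
        for k in conn.keys:
            self._by_key.pop(k, None)
        conn.keys.clear()
```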