A. Schulze:
> Hello,
>
> I like to ask about a documented limitation
> (http://www.postfix.org/CONNECTION_CACHE_README.html#limitations)
>
> "For this reason, the Postfix smtp(8) client always closes the
> connection after completing an attempt to deliver mail over TLS."
Indeed. Postfix can migrate the TCP connection from one process to
another, but the TLS library does not support migration of live TLS
state. It supports reuse on new connections only.

Possible solutions would be:

- Don't worry about it. Postfix connection caching keeps TCP connections
  open for only a few seconds, whereas TLS session tickets have much
  larger lifetimes. Unless your use case is very specialized, you would
  not be reusing TCP connections often anyway.

- Implement inter-process migration of live TLS state in the TLS
  library. This is unlikely because the use case is specific to MTAs
  that have a multi-process implementation.

- For each destination, use dedicated SMTP clients that handle all TLS
  sessions with that destination (no inter-process migration), and
  cache TCP+TLS state in those processes. Unfortunately, that does not
  scale to thousands of destinations.

- Use a single-process implementation for TLS, and cache TCP+TLS state
  in that process. That would be a departure from Postfix's
  multi-process model, but we already have this for non-whitelisted
  clients handled by postscreen+tlsproxy. It would make Postfix more
  fragile.

> I'm concerned because I see increasing traffic delivered via TLS.
> Is it true that now /every single message/ requires TCP connect,
> TLS handshake, message transmission and TCP close? So SMTP session
> caching doesn't happen anymore?

TCP handshake, TLS session ticket reuse, TLS shutdown, TCP close.

The Postfix SMTP client keeps (plaintext) TCP connections open for only
a few seconds, so you would not be reusing TCP connections often unless
you have a very specialized use case. With TLS, the session tickets give
more benefit because they have longer lifetimes.

	Wietse
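The distinction Wietse draws (no migration of a live TLS connection between processes, but reuse of the TLS session on a new TCP connection) is easy to see with a small Go program. This is an added example, not Postfix code and not from either poster: it stands up a local TLS listener that sends a constructed SMTP-style banner, then opens two separate TCP connections from a client that shares one session cache between them. The first handshake is a full one and yields a session ticket; the second presents that ticket and resumes. The certificate, listener address and banner are constructed for the example so it runs offline; ticket lifetimes and cache size are arbitrary choices here, not Postfix settings.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds an in-memory certificate for "localhost" so the
// example runs offline. Test material only; it is valid for one hour.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// startServer is a stand-in for the remote MTA: it accepts TLS connections,
// writes one constructed banner and closes. crypto/tls issues session
// tickets by default, so every full handshake hands the client a ticket.
func startServer(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				c.Write([]byte("220 mail.example ESMTP ready\r\n")) // constructed banner
			}(c)
		}
	}()
	return ln, nil
}

// connectOnce is one "delivery": a fresh TCP connection, a TLS handshake,
// a read of the banner (which also consumes the NewSessionTicket the
// server sends right after a TLS 1.3 handshake), then TLS shutdown and
// TCP close. It reports whether this handshake resumed an earlier session.
func connectOnce(addr string, cfg *tls.Config) (bool, error) {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false, err
	}
	defer conn.Close()
	buf := make([]byte, 128)
	if _, err := conn.Read(buf); err != nil {
		return false, err
	}
	return conn.ConnectionState().DidResume, nil
}

// ResumeAcrossConnections performs two deliveries to the same destination
// over two separate TCP connections sharing one client session cache and
// returns whether each handshake resumed. Only the session (the ticket) is
// reused; the first connection itself is never handed over to the second.
func ResumeAcrossConnections() (first, second bool, err error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return false, false, err
	}
	ln, err := startServer(cert)
	if err != nil {
		return false, false, err
	}
	defer ln.Close()
	cfg := &tls.Config{
		RootCAs:            pool,
		ServerName:         "localhost",
		ClientSessionCache: tls.NewLRUClientSessionCache(16), // holds the tickets
	}
	if first, err = connectOnce(ln.Addr().String(), cfg); err != nil {
		return false, false, err
	}
	if second, err = connectOnce(ln.Addr().String(), cfg); err != nil {
		return false, false, err
	}
	return first, second, nil
}

func main() {
	first, second, err := ResumeAcrossConnections()
	if err != nil {
		panic(err)
	}
	fmt.Printf("resumed: first=%v second=%v\n", first, second)
}
```

Running it prints `resumed: first=false second=true`: the second TCP connection skips the full key exchange and certificate verification because the ticket from the first handshake is still valid, which is the benefit Wietse attributes to the longer ticket lifetime. Remove the `ClientSessionCache` line and both handshakes are full ones, which is the every-message cost the question asks about.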