progress with TLS connection reuse

Wietse Venema
Postfix TLS connection reuse will improve delivery performance,
especially for sites that punish clients that send one message per
connection. This feature is evolving in a 'non-production' Postfix
release, currently postfix-3.4-20180603-nonprod.

Instead of changing how Postfix schedules deliveries, this builds
on the Postfix connection caching infrastructure that already exists
for plaintext connections. The idea then is to also use that cache
for TLS connections.

Of course there must be a clear distinction between connections
with different TLS properties, so that a less secure connection
will not be reused when a more secure connection is needed.

The high-level architecture looks like this:

    Initial SMTP handshake:

        smtp(8) -> remote SMTP server

    Reused TLS session, or new TLS session:

        smtp(8) -> tlsproxy(8) -> remote SMTP server

    Cached TLS session:

        scache(8) -> tlsproxy(8) -> remote SMTP server

The implementation will support all security levels including DANE.
The code needs some more polishing and testing. I expect that it
will become part of the regular release this summer.

        Wietse
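The security-relevant point in the post is the cache keying: a connection that was set up with one set of TLS properties must not be handed to a later delivery that requires stronger ones. The Python model below is an added example, not Postfix code and not from the post; the names `CacheKey`, `ConnectionCache` and `deliver`, the TTL handling, and the use of the level labels as opaque strings are all assumptions made for illustration. It shows a cache whose key carries the destination together with the TLS level and verified peer name, so that an opportunistic ("may") connection to a server is never returned for a delivery that asks for "verify" against the same server.

```python
"""Illustrative model of a TLS-aware SMTP connection cache.

Added example; this is not Postfix code. It models the point made in the
post: a cached connection is reused only for a delivery whose TLS
requirements match the properties the connection was established with.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed labels for TLS security levels. They are treated as opaque
# strings here: no ordering between them is assumed, so reuse requires
# an exact match rather than a "good enough" comparison.
TLS_LEVELS = ("none", "may", "encrypt", "dane", "verify")


@dataclass(frozen=True)
class CacheKey:
    """Everything that must match before a cached connection may be reused."""
    nexthop: str        # delivery destination, e.g. "example.com"
    endpoint: str       # server actually connected to, as "host:port"
    tls_level: str      # security level the connection satisfied
    verified_name: str  # peer name the certificate was checked against, "" if none

    def __post_init__(self) -> None:
        if self.tls_level not in TLS_LEVELS:
            raise ValueError(f"unknown TLS level {self.tls_level!r}")


@dataclass
class CachedConnection:
    key: CacheKey
    handle: int        # stand-in for the socket/session handed to a proxy
    expires_at: float  # timestamp after which the idle entry is discarded


class ConnectionCache:
    """Pool of idle connections keyed by destination *and* TLS properties."""

    def __init__(self, ttl_seconds: float):
        self.ttl = ttl_seconds
        self._idle: dict[CacheKey, list[CachedConnection]] = {}

    def save(self, key: CacheKey, handle: int, now: float) -> None:
        """Park a connection that just finished a delivery."""
        self._idle.setdefault(key, []).append(
            CachedConnection(key, handle, now + self.ttl))

    def find(self, key: CacheKey, now: float) -> Optional[int]:
        """Hand out a connection for `key`, or None if none is usable.

        The lookup is an exact match on the full key: a connection made
        with tls_level="may" is never handed to a delivery that requires
        "verify", even though both point at the same server. An entry is
        removed when returned, because one SMTP connection carries one
        delivery at a time; expired entries are dropped on the way.
        """
        bucket = self._idle.get(key, [])
        while bucket:
            conn = bucket.pop()
            if conn.expires_at > now:
                return conn.handle
        return None

    def idle_count(self) -> int:
        """Number of idle entries still held (expired ones included until touched)."""
        return sum(len(b) for b in self._idle.values())


def deliver(cache: ConnectionCache, key: CacheKey, now: float,
            next_handle: int) -> tuple[str, int]:
    """Return ("reused", handle) or ("new", handle) for one delivery attempt.

    `next_handle` stands in for the handle a freshly opened connection
    would receive; actually connecting is outside this model.
    """
    handle = cache.find(key, now)
    if handle is not None:
        return "reused", handle
    return "new", next_handle


if __name__ == "__main__":
    # Constructed scenario: one server, two deliveries with different needs.
    cache = ConnectionCache(ttl_seconds=30.0)
    opportunistic = CacheKey("example.com", "mx.example.com:25", "may", "")
    authenticated = CacheKey("example.com", "mx.example.com:25", "verify",
                             "mx.example.com")
    cache.save(opportunistic, 11, now=100.0)
    print(deliver(cache, authenticated, 101.0, 12))  # ("new", 12): no downgrade
    print(deliver(cache, opportunistic, 101.0, 13))  # ("reused", 11)
```

Keying on the full property set and requiring an exact match is the conservative design: the levels do not form a total order (a DANE-authenticated session and a certificate-verified session for a different name are not interchangeable), so a "stronger or equal" comparison would have to encode those subtleties, whereas an exact key cannot accidentally return the wrong session. The cost is a possible extra connection when properties differ only slightly, which is the trade the post's "clear distinction" wording accepts.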