Re: [exim] Smarthost + queue worker keep alive the connectio…

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Viktor Dukhovni
Datum:  
To: exim-users
Betreff: Re: [exim] Smarthost + queue worker keep alive the connection
On Wed, Jan 22, 2020 at 01:21:08AM +0100, Maeldron T. via Exim-users wrote:

> I’m not sending spam, hence the emails are personalized. Even more, they
> are confidential. Unfortunately, the only thing that helped was turning off
> the SSL on the internal (sending) server. I can’t keep it like that. Or,
> maybe I can, if I make a VPN or SSH tunnel connection between the internal
> server and the smart host. The messages will sill be sent one by one, but
> at least the SSL connection overhead won’t be there while it will be secure.


[ I hope it is not out of line to mention a related Postfix capability
on this list when a user appears to be looking for something to meet
a need that does to appear to be directly supported by Exim, apologies
otherwise... ]

FWIW, Postfix 3.4 can perform multiple deliveries over multiple parallel
TLS connections, without deferring mail to be retried later. You could
deploy a Postfix server between your Exim server and the destination, or
deploy a simple dedicated Postfix server between the application and the
smarthost.

    http://www.postfix.org/announcements/postfix-3.4.0.html


    Postfix SMTP client support for multiple deliveries over the same
    TLS-encrypted connection. This is primarily to improve mail delivery
    performance for destinations that throttle clients when they don't
    combine deliveries. 


    https://github.com/vdukhovni/postfix/blob/postfix-3.4/postfix/RELEASE_NOTES


    Major changes - tls connection pooling
    --------------------------------------


    [Feature 20180617] Postfix SMTP client support for multiple deliveries
    per TLS-encrypted connection. This is primarily to improve mail
    delivery performance for destinations that throttle clients when
    they don't combine deliveries.


    This feature is enabled with "smtp_tls_connection_reuse=yes" in
    main.cf, or with "tls_connection_reuse=yes" in smtp_tls_policy_maps.
    It supports all Postfix TLS security levels including dane and
    dane-only.


    The implementation of TLS connection reuse relies on the same
    scache(8) service as used for delivering plaintext SMTP mail, the
    same tlsproxy(8) daemon as used by the postscreen(8) service for
    inbound connections, and relies on the same hints from the qmgr(8)
    daemon. It reuses the configuration parameters described in
    CONNECTION_CACHE_README.


    The Postfix SMTP client now logs whether an SMTP-over-TLS connection
    is newly established ("TLS connection established") or whether the
    connection is reused ("TLS connection reused").


    The following illustrates how TLS connections are reused:


        Initial plaintext SMTP handshake:
          smtp(8) -> remote SMTP server


        Reused SMTP/TLS connection, or new SMTP/TLS connection:
          smtp(8) -> tlsproxy(8) -> remote SMTP server


        Cached SMTP/TLS connection:
          scache(8) -> tlsproxy(8) -> remote SMTP server


-- 
    Viktor.