On Wed, Jan 22, 2020 at 01:21:08AM +0100, Maeldron T. via Exim-users wrote:
> I’m not sending spam, hence the emails are personalized. Even more, they
> are confidential. Unfortunately, the only thing that helped was turning off
> the SSL on the internal (sending) server. I can’t keep it like that. Or,
> maybe I can, if I make a VPN or SSH tunnel connection between the internal
> server and the smart host. The messages will still be sent one by one, but
> at least the SSL connection overhead won’t be there while it will be secure.

[ I hope it is not out of line to mention a related Postfix capability
on this list when a user appears to be looking for something to meet
a need that does not appear to be directly supported by Exim, apologies
otherwise... ]

FWIW, Postfix 3.4 can perform multiple deliveries over multiple parallel
TLS connections, without deferring mail to be retried later. You could
deploy a Postfix server between your Exim server and the destination, or
deploy a simple dedicated Postfix server between the application and the
smarthost.

http://www.postfix.org/announcements/postfix-3.4.0.html

    Postfix SMTP client support for multiple deliveries over the same
    TLS-encrypted connection. This is primarily to improve mail delivery
    performance for destinations that throttle clients when they don't
    combine deliveries.

https://github.com/vdukhovni/postfix/blob/postfix-3.4/postfix/RELEASE_NOTES

    Major changes - tls connection pooling
    --------------------------------------

    [Feature 20180617] Postfix SMTP client support for multiple deliveries
    per TLS-encrypted connection. This is primarily to improve mail
    delivery performance for destinations that throttle clients when
    they don't combine deliveries.

    This feature is enabled with "smtp_tls_connection_reuse=yes" in
    main.cf, or with "tls_connection_reuse=yes" in smtp_tls_policy_maps.
    It supports all Postfix TLS security levels including dane and
    dane-only.

    The implementation of TLS connection reuse relies on the same
    scache(8) service as used for delivering plaintext SMTP mail, the
    same tlsproxy(8) daemon as used by the postscreen(8) service for
    inbound connections, and relies on the same hints from the qmgr(8)
    daemon. It reuses the configuration parameters described in
    CONNECTION_CACHE_README.

    The Postfix SMTP client now logs whether an SMTP-over-TLS connection
    is newly established ("TLS connection established") or whether the
    connection is reused ("TLS connection reused").

    The following illustrates how TLS connections are reused:

        Initial plaintext SMTP handshake:
            smtp(8) -> remote SMTP server

        Reused SMTP/TLS connection, or new SMTP/TLS connection:
            smtp(8) -> tlsproxy(8) -> remote SMTP server

        Cached SMTP/TLS connection:
            scache(8) -> tlsproxy(8) -> remote SMTP server

--
Viktor.
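
Added example, not part of the original message and not Postfix code: a Python sketch that checks whether connection reuse is taking effect by counting, per destination, the two log phrases quoted in the release notes above. Only those two phrases come from the page; the rest of the log line layout and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Only "TLS connection established" / "TLS connection reused" come from the
# release notes. The trust-level prefix and "to host[addr]:port" layout are
# assumptions about the surrounding log line.
TLS_EVENT = re.compile(
    r"postfix(?:/[\w-]+)*/smtp\[\d+\]: "          # outbound smtp(8) client only
    r"(?:\w+ )?TLS connection (?P<event>established|reused) "
    r"to (?P<dest>[^\s\[]+)\["
)

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = """\
Jan 22 10:00:01 relay postfix/smtp[2101]: Trusted TLS connection established to smarthost.example.net[192.0.2.10]:25: TLSv1.2
Jan 22 10:00:02 relay postfix/smtp[2102]: Trusted TLS connection reused to smarthost.example.net[192.0.2.10]:25: TLSv1.2
Jan 22 10:00:02 relay postfix/smtp[2103]: Trusted TLS connection reused to smarthost.example.net[192.0.2.10]:25: TLSv1.2
Jan 22 10:00:03 relay postfix/smtp[2101]: Trusted TLS connection reused to smarthost.example.net[192.0.2.10]:25: TLSv1.2
Jan 22 10:00:04 relay postfix/smtp[2104]: Untrusted TLS connection established to mx.example.org[198.51.100.7]:25: TLSv1.2
Jan 22 10:00:05 relay postfix/smtp[2105]: Untrusted TLS connection established to mx.example.org[198.51.100.7]:25: TLSv1.2
Jan 22 10:00:06 relay postfix/smtp[2106]: Untrusted TLS connection established to mx.example.org[198.51.100.7]:25: TLSv1.2
Jan 22 10:00:07 relay postfix/smtpd[2200]: Anonymous TLS connection established from inbound.example.com[203.0.113.5]: TLSv1.2
Jan 22 10:00:08 relay postfix/smtp[2101]: 4A1B2C3D: to=<user@example.net>, relay=smarthost.example.net[192.0.2.10]:25, status=sent
"""

def reuse_stats(lines):
    """Count new vs. reused outbound TLS sessions per destination host."""
    stats = defaultdict(lambda: {"established": 0, "reused": 0})
    for line in lines:
        m = TLS_EVENT.search(line)
        if m:  # inbound smtpd(8) lines and delivery-status lines are skipped
            stats[m.group("dest").lower()][m.group("event")] += 1
    return dict(stats)

def reuse_ratio(counts):
    """Fraction of TLS sessions that rode on an already-open connection."""
    total = counts["established"] + counts["reused"]
    return counts["reused"] / total if total else 0.0

def not_reusing(stats, min_handshakes=3):
    """Destinations paying repeated handshakes with no reuse at all."""
    return sorted(d for d, c in stats.items()
                  if c["established"] >= min_handshakes and c["reused"] == 0)

if __name__ == "__main__":
    stats = reuse_stats(SAMPLE_LOG.splitlines())
    for dest, counts in sorted(stats.items()):
        print(f"{dest}: {counts} reuse={reuse_ratio(counts):.0%}")
    print("no reuse observed:", not_reusing(stats))
```
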