Postfix_TLS/Session_Cache

Introduction

Negotiating a TLS / SSL session can be an expensive process. Under its default configuration, Postfix will only store TLS session information for the lifetime of the smtpd process - basically from the time the client connects, logs in, sends zero or more emails, and disconnects.

The expense of this negotiation can be reduced by caching TLS session information. Session caching is highly recommended, because the cost of repeatedly negotiating TLS session keys is high. This guide will show you how to set up a TLS session cache.

This guide assumes you already have a working Postfix installation and are using TLS for some purpose (whether with client-side certificates, server-side certificates or both).

This article does not currently deal with setting up caching for encrypted LMTP sessions.

Storage Format

There are limits on which of the Postfix lookup table types you can use. The key constraints are that the database must be writable, so none of the formats marked "(read-only)" can be used, and that the objects stored are relatively large, so the dbm and sdbm formats cannot be used either.

The Postfix examples use btree, so if unsure, use that as it will certainly work. This article will use the btree format.


Storage Location

From Postfix 2.5 onward, Postfix no longer uses root privileges when accessing the TLS session cache. As such, the recommended location for the file is now inside the Postfix data_directory, which by default is /var/lib/postfix.

Caching for Server-Side Certificate Setups (smtpd)

To set up the TLS session cache for smtpd, set the following:

 smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

Cached information expires after a certain amount of time. Postfix does not use the OpenSSL default of 300s, but a longer time of 3600s (1 hour). RFC 2246 recommends a maximum of 24 hours. You can change the expiration time by setting:

 smtpd_tls_session_cache_timeout = 3600s

Caching for Client-Side Certificate Setups (smtp)

To set up the TLS session cache for smtp, set the following:

 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache

Cached information expires after a certain amount of time. Postfix does not use the OpenSSL default of 300s, but a longer time of 3600s (1 hour). RFC 2246 recommends a maximum of 24 hours. You can change the expiration time by setting:

 smtp_tls_session_cache_timeout = 3600s
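The rules above (a writable btree table, a cache file inside data_directory, a timeout no longer than the 24 hours RFC 2246 recommends) can be checked mechanically. The following script is an added example written for this page, not code from the wiki or from Postfix; it parses a constructed main.cf fragment and reports settings that break those rules, and the function names are this example's own.

```python
import re

# Time-unit suffixes accepted by Postfix *_timeout parameters (seconds is the default here).
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
MAX_CACHE_TIMEOUT = 24 * 3600   # RFC 2246's recommended upper bound of 24 hours
WRITABLE_TYPES = {"btree"}      # the table type this page recommends for the cache

# Constructed main.cf fragment: smtpd follows the page, smtp breaks all three rules.
SAMPLE_MAIN_CF = """\
data_directory = /var/lib/postfix
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = dbm:/etc/postfix/smtp_scache
smtp_tls_session_cache_timeout = 2d
"""

def parse_main_cf(text):
    """Parse 'key = value' lines (with indented continuation lines) into a dict."""
    params, last_key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last_key:          # continuation of the previous value
            params[last_key] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        last_key = key.strip()
        params[last_key] = value.strip()
    return params

def to_seconds(value):
    """Convert a Postfix time value such as '3600s', '1h' or '2d' to seconds."""
    m = re.fullmatch(r"(\d+)([smhdw])?", value.strip())
    if not m:
        raise ValueError(f"bad Postfix time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]

def check_session_cache(params, role):
    """Return findings for the 'smtp' or 'smtpd' session cache settings."""
    findings = []
    data_dir = params.get("data_directory", "/var/lib/postfix").rstrip("/")
    db = params.get(f"{role}_tls_session_cache_database")
    if not db:
        return [f"{role}: no TLS session cache configured"]
    table_type, _, path = db.partition(":")
    if table_type not in WRITABLE_TYPES:
        findings.append(f"{role}: table type {table_type!r} is not btree")
    if not path.startswith(data_dir + "/"):
        findings.append(f"{role}: cache {path!r} is outside data_directory {data_dir!r}")
    timeout = to_seconds(params.get(f"{role}_tls_session_cache_timeout", "3600s"))
    if timeout > MAX_CACHE_TIMEOUT:
        findings.append(f"{role}: timeout {timeout}s exceeds the 24h RFC 2246 maximum")
    return findings
```

Run `check_session_cache(parse_main_cf(open("/etc/postfix/main.cf").read()), "smtpd")` against a real main.cf to audit a live configuration.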

Retrieved from "http://www.gentoo-wiki.info/Postfix_TLS/Session_Cache"

Last modified: Fri, 13 Jun 2008 13:28:00 +0000