postfix-3.4-20180701

postfix/HISTORY

@@ -23587,3 +23587,10 @@ Apologies for any names omitted.
 
 	Documentation: the connection caching limitation for SMTP
 	over TLS is now obsolete. File: proto/CONNECTION_CACHE_README.html.
+
+20180701
+
+	Incompatibility: the tlsproxy(8) daemon now requires a zero
+	process limit in master.cf (this setting is provided with
+	the default master.cf file). See RELEASE_NOTES for how to
+	change the tlsproxy process limit. File: tlsproxy/tlsproxy.c.

postfix/README_FILES/TLS_README

@@ -1436,10 +1436,10 @@ Example:
 CClliieenntt--ssiiddee TTLLSS ccoonnnneeccttiioonn rreeuussee
 
 Historically, the Postfix SMTP client has supported multiple deliveries per
-connection only for plaintext connections. Postfix 3.4 introduces the ability
-to make multiple deliveries per TLS-encrypted connection. This is primarily to
-improve mail delivery performance for destinations that throttle clients when
-they don't combine deliveries.
+plaintext connection. Postfix 3.4 introduces support for multiple deliveries
+per TLS-encrypted connection. Multiple deliveries per connection improve mail
+delivery performance, especially for destinations that throttle clients that
+don't combine deliveries.
 
 To enable multiple deliveries per TLS connection, specify:
 

postfix/RELEASE_NOTES

@@ -25,6 +25,21 @@ more recent Eclipse Public License 2.0. Recipients can choose to take
 the software under the license of their choice. Those who are more
 comfortable with the IPL can continue with that license.
 
+Incompatble change with snapshot 20180701
+=========================================
+
+To avoid performance loss under load, the tlsproxy(8) daemon now
+requires a zero process limit in master.cf (this setting is provided
+with the default master.cf file). As tlsproxy(8) processes become
+too busy handling TLS connections, more processes will automatically
+be added. By default, a tlsproxy(8) process will retire after several
+hours.
+
+To set the tlsproxy process limit to zero:
+
+# postconf -F tlsproxy/unix/process_limit=0
+# postfix reload
+
 Major changes with snapshot 20180617
 ====================================
 
@@ -38,15 +53,12 @@ main.cf, or with "tls_connection_reuse=yes" in smtp_tls_policy_maps.
 It supports all Postfix TLS security levels including dane and
 dane-only.
 
-With connection reuse enabled as described above, the Postfix SMTP
-client uses the tlsproxy(8) server to encrypt a connection (even under
-low-traffic conditions). The tlsproxy(8) service was introduced in
-Postfix 2.8, to support STARTTLS in postscreen(8).
-
-Under high-traffic conditions, the Postfix SMTP client will use the
-scache(8) connection cache to store and retrieve open connections.
-This part already existed for plaintext SMTP, and it works in the
-same way for TLS-encrypted connections.
+The implementation of TLS connection reuse relies on the same
+scache(8) service as used for delivering plaintext SMTP mail, the
+same tlsproxy(8) daemon as used by the postscreen(8) service for
+inbound connections, and relies on the same hints from the qmgr(8)
+daemon. It reuses the configuration parameters described in
+CONNECTION_CACHE_README.
 
 The following illustrates how TLS connections are reused:
 

postfix/html/TLS_README.html

@@ -1913,10 +1913,10 @@ when the certificate is needed.  </p>
 <h3><a name="client_tls_reuse">Client-side TLS connection reuse</a> </h3>
 
 <p> Historically, the Postfix SMTP client has supported multiple
-deliveries per connection only for plaintext connections. Postfix
-3.4 introduces the ability to make multiple deliveries per TLS-encrypted
-connection. This is primarily to improve mail delivery performance
-for destinations that throttle clients when they don't combine
+deliveries per plaintext connection. Postfix 3.4 introduces support
+for multiple deliveries per TLS-encrypted connection. Multiple
+deliveries per connection improve mail delivery performance,
+especially for destinations that throttle clients that don't combine
 deliveries. </p>
 
 <p> To enable multiple deliveries per TLS connection, specify:</p>

postfix/proto/TLS_README.html

@@ -1913,10 +1913,10 @@ when the certificate is needed.  </p>
 <h3><a name="client_tls_reuse">Client-side TLS connection reuse</a> </h3>
 
 <p> Historically, the Postfix SMTP client has supported multiple
-deliveries per connection only for plaintext connections. Postfix
-3.4 introduces the ability to make multiple deliveries per TLS-encrypted
-connection. This is primarily to improve mail delivery performance
-for destinations that throttle clients when they don't combine
+deliveries per plaintext connection. Postfix 3.4 introduces support
+for multiple deliveries per TLS-encrypted connection. Multiple
+deliveries per connection improve mail delivery performance,
+especially for destinations that throttle clients that don't combine
 deliveries. </p>
 
 <p> To enable multiple deliveries per TLS connection, specify:</p>

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20180624"
+#define MAIL_RELEASE_DATE	"20180701"
 #define MAIL_VERSION_NUMBER	"3.4"
 
 #ifdef SNAPSHOT

postfix/src/tlsproxy/tlsproxy.c

@@ -1331,6 +1331,7 @@ int     main(int argc, char **argv)
 		      CA_MAIL_SERVER_SLOW_EXIT(tlsp_drain),
 		      CA_MAIL_SERVER_RETIRE_ME,
 		      CA_MAIL_SERVER_WATCHDOG(&var_tlsp_watchdog),
+		      CA_MAIL_SERVER_UNLIMITED,
 		      0);
 }