On Sun, Jan 20, 2013 at 05:17:19PM -0500, Jon A. wrote:
> It appears that memcache may only be used for dynamic content (write) for
> - postscreen whitelist cache
> - address verification cache
> - TLS session key cache
I would not use memcache for TLS session state. This is pointless
unless your servers are behind a load balancer, and also unnecessary
if the sending system uses the Postfix SMTP client's algorithm to
distinguish between multiple MTAs sharing a common TCP service
endpoint (perhaps by now Postfix is not the only MTA able to do this).
Regardless you need to hide the memcache TCP endpoint behind a
firewall to prevent unauthorized access by anything other than
the intended Postfix processes.
Better yet, use a proxy that does mutual authentication and
uses unix-domain sockets on both ends (and an authenticated
TCP stream in the middle).