[GH-ISSUE #1977] Slow TLS verification and connection establishment #1483

Closed
opened 2026-02-27 11:17:20 +03:00 by kerem · 2 comments

Originally created by @sdeepakbz on GitHub (Jun 12, 2020).
Original GitHub issue: https://github.com/modoboa/modoboa/issues/1977

Impacted versions

  • Modoboa: 1.15.0
  • installer used: Yes
  • Webserver: Nginx

Steps to reproduce

Fresh installed using the installer and configured SMTP in WordPress website to send out order emails to the customer.

Current behavior

TLS authentication/verification is taking some time. After the connection is initiated from the external server to the SMTP modoboa server there is a pause of 5-10 seconds and then email is sent.

Connection started at Jun 12 22:39:15 and the next update on Jun 12 22:39:21 followed by connection established at Jun 12 22:39:22 timestamp. And finally, email sent at Jun 12 22:39:24.
Find logs below in last section.

Expected behavior

TLS authentication to be a little faster or disable verification by using insecure 25 Port for sending out emails.

Video/Screenshot link (optional)

Attaching logs: https://del.dog/raw/resehuxegr

Server Specs

  • 8 Xeon E3 CPU Cores @ 3.4 GHz
  • 8GB RAM
  • 100 GB SSD
  • 1 Gbit Network
kerem closed this issue 2026-02-27 11:17:21 +03:00

@MrGeneration commented on GitHub (Jun 12, 2020):

The first three lines you provided show that the authentication takes somewhat of two seconds on your end. The TLS connection is negotiated after 1 second which is fine. On my system these steps occur on the same second, but this may happen due to network latency between the client and the server:

```
Jun 12 22:39:13 smtp postfix/submission/smtpd[12193]: connect from unknown[149.xx.xx.xx]
Jun 12 22:39:14 smtp postfix/submission/smtpd[12193]: Anonymous TLS connection established from unknown[149.xx.xx.xx]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 12 22:39:15 smtp postfix/submission/smtpd[12193]: NOQUEUE: client=unknown[149.xx.xx.xx], sasl_method=LOGIN, sasl_username=smtp-login@domain.com
```

What's more interesting is the 6 seconds between submission queue and handover to the smtpd queue:

```
Jun 12 22:39:15 smtp postfix/submission/smtpd[12193]: NOQUEUE: client=unknown[149.xx.xx.xx], sasl_method=LOGIN, sasl_username=smtp-login@domain.com
Jun 12 22:39:21 smtp postfix/smtpd[12220]: connect from localhost[127.0.0.1]
```

The reason for this gap is the fact that, by default, modoboa setups are not just checking incoming mails via amavis, but outgoing as well.

This can be changed in /etc/postfix/master.cf

Your current config should contain this block:

```
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o tls_preempt_cipherlist=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_proxy_filter=inet:[127.0.0.1]:10026
```

The last line is the filter option; if you comment that out and reload your postfix, the delay will be gone.
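The timing argument in the comment above can be reproduced mechanically. This is an added example, not part of the original thread or of Modoboa: it takes the four log lines quoted above and measures the time between connection stages. The stage names, the `year` default (syslog stamps carry no year) and the assumption that the log holds a single session are choices made for this example.

```python
import re
from datetime import datetime

# Log lines quoted in the comment above (client address masked as on the page).
SAMPLE_LOG = """\
Jun 12 22:39:13 smtp postfix/submission/smtpd[12193]: connect from unknown[149.xx.xx.xx]
Jun 12 22:39:14 smtp postfix/submission/smtpd[12193]: Anonymous TLS connection established from unknown[149.xx.xx.xx]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 12 22:39:15 smtp postfix/submission/smtpd[12193]: NOQUEUE: client=unknown[149.xx.xx.xx], sasl_method=LOGIN, sasl_username=smtp-login@domain.com
Jun 12 22:39:21 smtp postfix/smtpd[12220]: connect from localhost[127.0.0.1]
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (postfix/[\w/]+)\[\d+\]: (.*)$")

# (stage name, syslog service, message pattern), in the order they occur.
STAGES = [
    ("connect", "postfix/submission/smtpd", r"connect from (?!localhost)"),
    ("tls", "postfix/submission/smtpd", r"TLS connection established"),
    ("sasl_auth", "postfix/submission/smtpd", r"sasl_method="),
    ("filter_reinject", "postfix/smtpd", r"connect from localhost\[127\.0\.0\.1\]"),
]

def stage_times(log_text, year=2020):
    """Return {stage: datetime} for the first line matching each stage."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, service, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        for name, svc, pattern in STAGES:
            if name not in seen and service == svc and re.search(pattern, msg):
                seen[name] = when
    return seen

def stage_gaps(log_text):
    """Seconds between consecutive stages, keyed like 'sasl_auth->filter_reinject'."""
    t = stage_times(log_text)
    names = [n for n, _, _ in STAGES if n in t]
    return {f"{a}->{b}": int((t[b] - t[a]).total_seconds())
            for a, b in zip(names, names[1:])}

if __name__ == "__main__":
    for hop, secs in stage_gaps(SAMPLE_LOG).items():
        print(f"{hop:30s} {secs:3d}s")
```

The `sasl_auth->filter_reinject` gap is the time the message spends in the proxy filter before Postfix receives it back on localhost.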


@sdeepakbz commented on GitHub (Jun 13, 2020):

@MrGeneration thanks a lot.
That actually fixed the delay when sending out emails.
Perfect :)
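Commenting out `smtpd_proxy_filter` removes the delay because mail from authenticated submission clients is no longer handed to the amavis check described above. The following added example (not from the thread or from Modoboa) parses `master.cf` text and lists the entries that no longer carry a filter override, using the quoted block before and after the change. Function names are hypothetical, and a `content_filter` set globally in `main.cf` is outside what it inspects.

```python
import re

# The submission entry quoted in the comment above, filter still active.
MASTER_CF_DEFAULT = """\
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o tls_preempt_cipherlist=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_proxy_filter=inet:[127.0.0.1]:10026
"""
# Same entry after the suggested change: the last line commented out.
MASTER_CF_CHANGED = MASTER_CF_DEFAULT.replace(
    "  -o smtpd_proxy_filter", "#  -o smtpd_proxy_filter")

FILTER_PARAMS = ("smtpd_proxy_filter", "content_filter")
OVERRIDE_RE = re.compile(r"-o\s+([A-Za-z0-9_]+)=(\S*)")

def parse_overrides(master_cf):
    """Map 'service/type' -> {param: value} for each entry's -o overrides.

    Per master(5): an entry starts in column 0, indented lines continue it,
    '#' lines are comments. The '-o { name = value }' form is not handled.
    """
    entries, current = {}, None
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            name, kind = line.split()[:2]
            current = entries.setdefault(f"{name}/{kind}", {})
        if current is not None:
            current.update(OVERRIDE_RE.findall(line))
    return entries

def unfiltered_services(master_cf):
    """Entries that set none of FILTER_PARAMS to a non-empty value."""
    return sorted(svc for svc, opts in parse_overrides(master_cf).items()
                  if not any(opts.get(p) for p in FILTER_PARAMS))

if __name__ == "__main__":
    print("default:", unfiltered_services(MASTER_CF_DEFAULT))
    print("changed:", unfiltered_services(MASTER_CF_CHANGED))
```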
