diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index b373fb13..2c2b568d 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -100,7 +100,7 @@ http {
       include /etc/nginx/tls.conf;
       ssl_stapling on;
       ssl_stapling_verify on;
-      ssl_session_cache shared:SSLHTTP:50m;
+      ssl_session_cache shared:SSLHTTP:3m;
       add_header Strict-Transport-Security 'max-age=31536000';
 
       {% if not TLS_FLAVOR in [ 'mail', 'mail-letsencrypt' ] %}
@@ -284,7 +284,7 @@ mail {
 
     {% if TLS and not TLS_ERROR %}
     include /etc/nginx/tls.conf;
-    ssl_session_cache shared:SSLMAIL:50m;
+    ssl_session_cache shared:SSLMAIL:3m;
     {% endif %}
 
     # Advertise real capabilities of backends (postfix/dovecot)
diff --git a/core/nginx/conf/tls.conf b/core/nginx/conf/tls.conf
index 3970ed33..93a2f39f 100644
--- a/core/nginx/conf/tls.conf
+++ b/core/nginx/conf/tls.conf
@@ -6,7 +6,7 @@ ssl_certificate_key {{ TLS[3] }};
 ssl_trusted_certificate /etc/ssl/certs/ca-cert-ISRG_Root_X1.pem;
 {% endif %}
 ssl_session_timeout 1d;
-ssl_session_tickets off;
+ssl_session_tickets off; # this can be removed when we have nginx v1.23.2
 ssl_dhparam /conf/dhparam.pem;
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
diff --git a/towncrier/newsfragments/2605.misc b/towncrier/newsfragments/2605.misc
new file mode 100644
index 00000000..aec69c5c
--- /dev/null
+++ b/towncrier/newsfragments/2605.misc
@@ -0,0 +1 @@
+Reduce the SSL session caches from 50m each to 3m each. This should be good for 12k sessions (within 1day) for each cache and will help reduce memory usage.