Dovecot and Letsencrypt certs
Arkadiusz Miśkiewicz
arekm at maven.pl
Mon Sep 11 10:52:04 EEST 2017
On Friday 08 of September 2017, Ralph Seichter wrote:
> On 08.09.2017 16:20, LuKreme wrote:
> > However, it seems like checking the certs is something that dovecot
> > should be doing on its own.
>
> What is Dovecot supposed to do? Keep track of the certificate expiry
> date?
That was already discussed, but for a different reason. Dovecot shouldn't load SSL
certificates into memory and should instead open and load the cert on demand (when a client
connects and requests a particular domain via SNI, or the default if there is no SNI).
Why? Because Dovecot *cannot* handle thousands of virtual domains and SSL
certificates for them. It wastes so much RAM and times out on reloads in such a
case. Tested here. [1]
That's why the only sensible solution is to work like Exim: load the cert from
disk on demand.
That fixes both problems: RAM wasting/timeouts and refreshing certificates.
> -Ralph
1. https://dovecot.org/list/dovecot/2016-October/105855.html
--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
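The on-demand model described in the message above, as an added example that is not code from the original post, from Dovecot, or from Exim: a small Python certificate store that reads the cert and key for an SNI name from disk only when a client asks for it, re-reads them when the files' mtimes change (as they do after a Let's Encrypt renewal), and falls back to a default when there is no SNI or no matching directory. The directory layout `<certdir>/<hostname>/fullchain.pem` plus `privkey.pem`, the `OnDemandCertStore` class, and the placeholder files written by `make_constructed_certdir` are all assumptions made for this example. Because the SNI value is attacker-controlled, the example also validates it before it is ever used as a path component.

```python
import os
import ssl
import tempfile
from pathlib import Path
from typing import Any, Callable, Dict, Optional, Tuple

HOSTNAME_CHARS = frozenset("abcdefghijklmnopqrstuvwxyz0123456789.-")


def safe_sni_name(name: Optional[str]) -> Optional[str]:
    """Normalise an SNI hostname, or return None if it is unusable as a path component.

    SNI comes from the client, so anything that is not a plain DNS name (slashes,
    '..', empty labels, over-long names) is rejected before touching the filesystem.
    """
    if not name:
        return None
    name = name.lower().rstrip(".")
    if not name or len(name) > 253 or not set(name) <= HOSTNAME_CHARS:
        return None
    for label in name.split("."):
        if not label or len(label) > 63 or label[0] == "-" or label[-1] == "-":
            return None
    return name


def build_ssl_context(cert: Path, key: Path) -> ssl.SSLContext:
    """Real builder: a server-side context holding the given chain and key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(str(cert), str(key))
    return ctx


class OnDemandCertStore:
    """Assumed layout: <certdir>/<hostname>/{fullchain.pem,privkey.pem}, plus a default dir.

    Nothing is read at construction time. A hostname is loaded on first use and
    re-read only when its files change on disk, so a renewal is picked up without
    a daemon reload and only hostnames actually requested occupy memory.
    """

    def __init__(self, certdir: Path, default: str = "default",
                 builder: Callable[[Path, Path], Any] = build_ssl_context) -> None:
        self.certdir = Path(certdir)
        self.default = default
        self.builder = builder
        self._cache: Dict[str, Tuple[float, float, Any]] = {}  # host -> (cert mtime, key mtime, ctx)
        self.loads = 0  # how many times a context was (re)built from disk

    def _paths(self, host: str) -> Tuple[Path, Path]:
        d = self.certdir / host
        return d / "fullchain.pem", d / "privkey.pem"

    def resolve(self, sni: Optional[str]) -> str:
        """Directory to serve: the validated SNI host if present on disk, else the default."""
        host = safe_sni_name(sni)
        if host and self._paths(host)[0].is_file():
            return host
        return self.default

    def context_for(self, sni: Optional[str]) -> Any:
        host = self.resolve(sni)
        cert, key = self._paths(host)
        cm, km = cert.stat().st_mtime, key.stat().st_mtime
        cached = self._cache.get(host)
        if cached and cached[0] == cm and cached[1] == km:
            return cached[2]  # unchanged on disk: reuse without reading files
        ctx = self.builder(cert, key)
        self._cache[host] = (cm, km, ctx)
        self.loads += 1
        return ctx

    def sni_callback(self, sock: ssl.SSLSocket, server_name: Optional[str], initial_ctx: ssl.SSLContext) -> None:
        """Install as ssl.SSLContext.sni_callback; swaps in the per-host context during the handshake."""
        sock.context = self.context_for(server_name)


def make_constructed_certdir(hosts) -> Path:
    """Write constructed placeholder files (not real certificates) so the example runs offline."""
    root = Path(tempfile.mkdtemp(prefix="certs-"))
    for host in hosts:
        d = root / host
        d.mkdir()
        (d / "fullchain.pem").write_text(f"placeholder cert for {host}\n")
        (d / "privkey.pem").write_text(f"placeholder key for {host}\n")
    return root


def demo() -> Tuple[int, int, int, str]:
    """Show lazy load, cache hit, and re-read after a simulated renewal."""
    root = make_constructed_certdir(["default", "mail.example.com"])
    # Placeholder builder returns the file text instead of a real SSLContext.
    store = OnDemandCertStore(root, builder=lambda c, k: c.read_text())
    store.context_for("mail.example.com")
    first = store.loads            # 1: read from disk
    store.context_for("mail.example.com")
    second = store.loads           # still 1: served from cache
    cert, _ = store._paths("mail.example.com")
    cert.write_text("placeholder RENEWED cert for mail.example.com\n")
    bump = cert.stat().st_mtime + 60
    os.utime(cert, (bump, bump))   # renewal tools write new files, so mtime moves
    ctx = store.context_for("mail.example.com")
    return first, second, store.loads, ctx   # (1, 1, 2, "...RENEWED...")
```

To use it with a real listener, create a default `ssl.SSLContext`, set `ctx.sni_callback = store.sni_callback`, and wrap the accepted socket with that context; the per-host chain is then loaded inside the handshake. For thousands of domains the cache should additionally be bounded (an LRU) so that memory tracks active domains rather than the whole set, which is exactly the RAM concern raised in the message.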