Dovecot and Letsencrypt certs
Daniel Miller
dmiller at amfes.com
Tue Sep 12 19:26:33 EEST 2017
What's wrong with using a certbot "post-hook" script such as:
#!/bin/bash
# RENEWED_DOMAINS and RENEWED_LINEAGE are exported by certbot for the hook it
# runs after a certificate has been renewed.
echo "Letsencrypt renewal hook running..."
echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"
# Only reload the mail daemons when the renewed cert covers the mail host
# name (replace "your.email.domain" with that name).
if grep --quiet "your.email.domain" <<< "$RENEWED_DOMAINS"; then
    /usr/local/sbin/dovecot reload
    /usr/sbin/postfix reload
fi
Daniel
On 9/11/2017 1:57 PM, Joseph Tam wrote:
> <master at remort.net> writes:
>
>> "writing a script to check the certs" - there is no need to write any
>> scripts. As one mentioned, it's done by a hook to certbot. Please read
>> the manuals for LE or certbot. The issue you have is quite common and
>> of course certbot is designed to do it for you.
>
> Won't work, of course, if you employ the least-privilege security principle
> and run the certbot as a non-privileged user. You'll need a script with
> administrator privileges to detect cert renewals and restart the service.
>
> I can't willy-nilly restart dovecot to pick up renewed certs without
> webmail disruptions. (My webmail uses persistent IMAP sessions.)
> All users get dumped and need to re-authenticate. If a user happens to
> be drafting a message that took 2 hours to compose, I will surely hear
> about it. I should probably install an IMAP proxy to isolate the effects
> of restarts. Most mail readers cope with restarts just fine, though.
>
> Joseph Tam <jtam.home at gmail.com>
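A root-run renewal detector of the kind Joseph describes, added here as an example (not code from the thread, certbot or Dovecot): it records the SHA-256 of the live fullchain.pem and reloads the mail services only when that changes, so an unprivileged certbot never needs reload rights. The certificate path, state directory and service binaries are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a root-run detector for the
# least-privilege setup Joseph describes (certbot as an unprivileged user, a
# separate privileged cron job or systemd timer that notices a renewed cert
# and reloads dovecot/postfix only then). Paths below are placeholders.
set -u

CERT_FILE="${CERT_FILE:-/etc/letsencrypt/live/your.email.domain/fullchain.pem}"
STATE_FILE="${STATE_FILE:-/var/lib/cert-reload/fullchain.sha256}"

# SHA-256 of the certificate file, following the live/ symlink that certbot
# repoints on renewal. Fails when the file is missing or unreadable.
cert_fingerprint() {
    [ -r "$1" ] || return 1
    sha256sum "$1" | cut -d' ' -f1
}

# Status 0: the cert differs from the recorded fingerprint (or none was ever
# recorded); 1: unchanged; 2: the cert cannot be read at all.
cert_changed() {
    cc_current=$(cert_fingerprint "$1") || return 2
    cc_previous=$(cat "$2" 2>/dev/null || true)
    [ "$cc_current" != "$cc_previous" ]
}

# Store the current fingerprint so later runs stay quiet until the next renewal.
record_fingerprint() {
    mkdir -p "$(dirname "$2")"
    cert_fingerprint "$1" > "$2"
}

reload_mail_services() {
    /usr/local/sbin/dovecot reload
    /usr/sbin/postfix reload
}

# Entry point for the privileged job. It is not invoked automatically, so the
# file can also be sourced and its checks exercised without touching services.
main() {
    rc=0
    cert_changed "$CERT_FILE" "$STATE_FILE" || rc=$?
    case $rc in
        0) reload_mail_services && record_fingerprint "$CERT_FILE" "$STATE_FILE" ;;
        1) ;;
        *) echo "cannot read $CERT_FILE" >&2; return 2 ;;
    esac
}
```

Schedule `main` from root's cron or a systemd timer shortly after certbot's own renewal timer; because it fires only on a changed fingerprint, the session-dropping reload Joseph wants to avoid happens at most once per renewal.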