Dovecot and Letsencrypt certs

Daniel Miller dmiller at amfes.com
Tue Sep 12 19:34:13 EEST 2017


And remove that "postfix reload" command - Postfix doesn't require 
explicit reloading. It'll pick up the changed cert automagically.

Daniel

On 9/12/2017 9:26 AM, Daniel Miller wrote:
> What's wrong with using a certbot "post-hook" script such as:
>
> #!/bin/bash
> echo "Letsencrypt renewal hook running..."
> echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
> echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"
>
> if grep --quiet "your.email.domain" <<< "$RENEWED_DOMAINS"; then
>     /usr/local/sbin/dovecot reload
>     /usr/sbin/postfix reload
> fi
>
> Daniel
>
> On 9/11/2017 1:57 PM, Joseph Tam wrote:
>> <master at remort.net> writes:
>>
>>> "writing a script to check the certs" - there is no need to write any
>>> scripts. As one mentioned, it's done by a hook to certbot. Please read
>>> the manuals for LE or certbot. The issue you have is quite common and
>>> of course certbot is designed to do it for you.
>>
>> Won't work, of course, if you employ the least-privilege security principle
>> and run the certbot as a non-privileged user.  You'll need a script with
>> administrator privileges to detect cert renewals and restart the service.
>>
>> I can't willy-nilly restart dovecot to pick up renewed certs without
>> webmail disruptions.  (My webmail uses persistent IMAP sessions.)
>> All users get dumped and need to re-authenticate.  If a user happens to
>> be drafting a message that took 2 hours to compose, I will surely hear
>> about it.  I should probably install an IMAP proxy to isolate the effects
>> of restarts.  Most mail readers cope with restarts just fine, though.
>>
>> Joseph Tam <jtam.home at gmail.com>
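The privileged "detect renewals and reload" script Joseph describes, as an added example that is not code from this thread: it keys on the certificate file's digest rather than on certbot's hook environment, so certbot can run unprivileged and root only reloads Dovecot when the cert really changed. The paths, state file and reload command are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: root-run check that reloads Dovecot
# only when the Let's Encrypt certificate file changed, so certbot itself can
# run unprivileged. Paths and reload command below are assumptions; adjust them.
CERT_FILE="${CERT_FILE:-/etc/letsencrypt/live/mail.example.com/fullchain.pem}"
STATE_FILE="${STATE_FILE:-/var/lib/cert-reload/fullchain.sha256}"
RELOAD_CMD="${RELOAD_CMD:-doveadm reload}"

# SHA-256 of a file; falls back to shasum where sha256sum is absent.
cert_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# 0 if the cert's digest differs from the recorded one (or none is recorded yet),
# 1 if unchanged or the cert file is unreadable.
cert_changed() {
    [ -r "$1" ] || return 1
    new=$(cert_digest "$1")
    old=""
    [ -r "$2" ] && old=$(cat "$2")
    [ "$new" != "$old" ]
}

# Persist the digest of the cert that the running service now uses.
record_digest() {
    mkdir -p "$(dirname "$2")"
    cert_digest "$1" > "$2"
}

# Reload only on change. Returns 0 after a successful reload, 1 if the reload
# command failed (digest is NOT recorded, so the next run retries), 2 if no change.
check_and_reload() {
    if cert_changed "$1" "$2"; then
        if sh -c "$3"; then
            record_digest "$1" "$2"
            return 0
        fi
        return 1
    fi
    return 2
}
# Run as `cert-reload.sh run` from root's cron; without the argument only defines functions.
if [ "${1:-}" = "run" ]; then
    check_and_reload "$CERT_FILE" "$STATE_FILE" "$RELOAD_CMD"
fi
```

Because the check looks at the certificate contents and not at which tool or user performed the renewal, it works the same whether certbot, a deploy hook, or a manual renewal dropped the new file.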