On 02/09/2022 22:45, John Stoffel wrote:
> >>>>> "Bartosz" == Bartosz Kwitniewski <zerg-dovecot@uid0.pl> writes:
>
> > Out of the other services on that machine that are able to handle such a number of certificates during reloads:
> > - proftpd loads configs dynamically based on SNI domain
> > - exim loads certificates dynamically based on SNI domain
> > - LiteSpeed switches to a new process after loading the whole configuration
>
> Are you running all these services on one machine? Maybe you could get an SSL termination device which terminates the SSL connections and then forwards them into the proper backend application? This way only one system needs to be managed for certs, and only one (or two, since I assume you have an HA pair :-) needs to then reload when new certs are inserted.
>
> If you could hack the proftpd cert code into dovecot, that might also be a way around it. I haven't a clue how this works since I haven't looked at either code base. It won't be simple, but I'm sure others would appreciate it.
>
> If it's critical, paying for the feature to be added is another option.
For now they are on the same machine; we have to write our own panel for clients to get more freedom in backend choices. I was looking into HAProxy for SSL termination, but it does not support STARTTLS.

I'll try to look for a workaround next week, but I haven't used C for ages.
Best regards,
Bartosz Kwitniewski
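The thread contrasts a full-config reload with the per-SNI loading that proftpd and exim do. The following is an added example, not code from dovecot, proftpd, exim or the poster, showing what "load the certificate dynamically based on the SNI domain" looks like in practice: a cache of per-domain server contexts selected in a TLS SNI callback, with a `reload()` that just rescans a directory instead of rebuilding the whole server configuration. The directory layout (`/etc/ssl/vhosts/<domain>/{fullchain,privkey}.pem`, a `_wildcard.<parent>` directory for wildcard certs) and the `mail.example.com` default are assumptions. The security-relevant detail is that the SNI value is client-controlled and is about to become part of a filesystem path, so it is validated as a hostname and resolved against a pre-scanned set of directory names rather than used to build a path directly.

```python
import os
import re
import ssl
import threading

# Constructed layout (assumption, not any project's real paths):
# one directory per domain under CERT_ROOT holding fullchain.pem and privkey.pem;
# a wildcard cert for *.customer.example lives in "_wildcard.customer.example".
CERT_ROOT = "/etc/ssl/vhosts"          # hypothetical
DEFAULT_DOMAIN = "mail.example.com"    # hypothetical fallback when SNI has no match

# RFC 1123 style hostname: 1-63 char labels of [a-z0-9-], no leading/trailing '-',
# at most 253 characters in total.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$"
)


def normalize_sni(server_name):
    """Lowercase and validate the SNI value, or return None.

    The SNI name is attacker-controlled input that is about to be used in a
    filesystem path, so it is validated against a strict grammar, not sanitised.
    """
    if not server_name:
        return None
    name = server_name.lower().rstrip(".")
    if not _HOSTNAME_RE.match(name):
        return None
    return name


def candidate_domains(hostname):
    """Exact match first, then a single-label wildcard for the parent domain
    (RFC 6125: '*' covers exactly one label, so only the immediate parent)."""
    cands = [hostname]
    if "." in hostname:
        parent = hostname.split(".", 1)[1]
        cands.append("_wildcard." + parent)
    return cands


def resolve_cert_dir(hostname, available, cert_root=CERT_ROOT):
    """Map a validated hostname to its certificate directory, or None.

    `available` is the set of domain directory names currently present, so
    the lookup is a set membership test and never touches the disk with
    untrusted input.
    """
    for cand in candidate_domains(hostname):
        if cand in available:
            return os.path.join(cert_root, cand)
    return None


class SniCertStore:
    """Per-domain SSLContext cache selected by SNI. reload() picks up newly
    issued certificates without restarting the process or re-reading the
    whole server configuration."""

    def __init__(self, cert_root=CERT_ROOT, available=None):
        self.cert_root = cert_root
        self._lock = threading.Lock()
        self._contexts = {}          # cert_dir -> ssl.SSLContext
        self._available = set(available) if available is not None else self.scan()

    def scan(self):
        """Directory names present under cert_root (empty set if it is missing)."""
        try:
            return {d for d in os.listdir(self.cert_root)
                    if os.path.isdir(os.path.join(self.cert_root, d))}
        except FileNotFoundError:
            return set()

    def reload(self):
        """Rescan the directory and drop cached contexts; no full-config reload."""
        fresh = self.scan()
        with self._lock:
            self._available = fresh
            self._contexts.clear()

    def context_for(self, cert_dir):
        """Build (once) and cache a server-side SSLContext for one cert directory."""
        with self._lock:
            ctx = self._contexts.get(cert_dir)
            if ctx is None:
                ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
                ctx.load_cert_chain(os.path.join(cert_dir, "fullchain.pem"),
                                    os.path.join(cert_dir, "privkey.pem"))
                self._contexts[cert_dir] = ctx
            return ctx

    def sni_callback(self, ssl_obj, server_name, base_ctx):
        """Signature required by ssl.SSLContext.sni_callback. Swaps in the
        per-domain context; unknown or malformed names keep base_ctx (the
        default certificate) rather than aborting the handshake."""
        hostname = normalize_sni(server_name)
        if hostname is None:
            return None
        with self._lock:
            cert_dir = resolve_cert_dir(hostname, self._available, self.cert_root)
        if cert_dir is not None:
            ssl_obj.context = self.context_for(cert_dir)
        return None


if __name__ == "__main__":
    # Constructed set of present directories, so the lookup can be shown offline.
    store = SniCertStore(cert_root=CERT_ROOT,
                         available={"mail.example.com", "_wildcard.customer.example"})
    for name in ("MAIL.example.com.", "imap.customer.example", "../etc/passwd"):
        h = normalize_sni(name)
        print(name, "->", h and resolve_cert_dir(h, store._available, CERT_ROOT))
```

To wire it into a real listener, load the default certificate into a server context and set `base_ctx.sni_callback = store.sni_callback`; the callback then changes the context only for names that have a directory, and a signal handler or timer calling `store.reload()` makes newly issued certificates visible without touching existing connections.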