On Wed, 13 Sep 2017, Luigi Rosa wrote:
Robert Wolf wrote on 13/09/2017 10:26:
are you sure? What is the refresh time? Instantly or with some delay? Have you tested what happens if I install new key, but I delay installing correct certificate? Does postfix keep the old key+cert or stop using any cert because the new key is not correct for the current(old) certificate?
On my postfix 2.9.6 on debian wheezy 7 and postfix 2.11.3 on debian jessie 8 I have to reload postfix. Postfix can use the same key+cert even if I deleted these files.
Two days ago Viktor Dukhovni wrote on Postfix ML:
/* If you run certbot often enough to renew well in advance of expiration, reloads of Postfix are unnecessary, and just needlessly interrupt orderly processing of email by the queue manager. Usually the new certificate will be automatically in use within "$max_idle * $max_use" seconds, and typically sooner, because processes either idle out quickly or reach the re-use limit quickly, handling $max_use connections that are exactly $max_idle apart is rather unlikely By default that's 10000 seconds or just under 3 hours. */
Hi Luigi,
you are right! The smtpd process really start using new certificate+key after this timeout (tested with max_use=1). OK, I thought it works similar as rsync daemon: the config file is read on new connection, because it starts new process. Similarly, the postfix master process starts the smtpd processes and they read config and cert+key again. It's clear now.
Still, I prefer to do reload if required and not wait until some timeout expires. And e.g. getssl client can check, if the certificate was correctly installed. And for this check it needs to run "reload".
And I prefer reload cert+key manually instead of automatically to be sure, WHEN it will be done.
So I am ok with dovecot to load cert+key on start and reload:-)
Regards,
Robert.