On Friday 08 of September 2017, Ralph Seichter wrote:
On 08.09.2017 16:20, LuKreme wrote:
However, it seems like checking the certs is something that dovecot should be doing on its own.
What is Dovecot supposed to do? Keep track of the certificate expiry date?
That was already discussed, but for a different reason: Dovecot shouldn't load SSL certificates into memory and should instead open and load the cert on demand (when a client connects and requests a particular domain via SNI, or the default if there is no SNI).
Why? Because Dovecot *cannot* handle thousands of virtual domains and the SSL certificates for them. It wastes so much RAM and times out on reloads in such a case. Tested here. [1]
That's why the only sensible solution is to work like Exim - load the cert from disk on demand.
That fixes both problems - RAM waste/timeouts and refreshing certificates.
-Ralph
-- Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
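The "refreshing certificates" problem raised in this thread (a daemon that loaded its certificates at startup keeps serving the old one after the file on disk has been renewed) is easy to detect from the outside: compare the fingerprint of the leaf certificate in the file with the fingerprint of the certificate the server actually presents for that SNI name. The script below is an added example written for this page; it is not part of the thread and not Dovecot code, and the host, port, SNI name and file path in `main()` are caller-supplied placeholders. The sample certificates in the self-test are constructed byte strings, not real X.509 data; the fingerprinting and PEM handling work the same on real files.

```python
"""Detect a stale TLS certificate: file on disk vs. certificate served for an SNI name.

Added example for this thread (not Dovecot's code). Certificate verification is
deliberately disabled for the probe because the point is to see what the daemon
serves, even if that certificate is already expired.
"""
import base64
import hashlib
import socket
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated upper-case form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def first_pem_block(pem_text: str) -> str:
    """Return the first certificate block of a PEM file (the leaf in a chain file)."""
    start = pem_text.index(PEM_BEGIN)
    stop = pem_text.index(PEM_END, start) + len(PEM_END)
    return pem_text[start:stop]


def fingerprint_pem_text(pem_text: str) -> str:
    """Fingerprint the leaf certificate contained in PEM text read from disk."""
    der = ssl.PEM_cert_to_DER_cert(first_pem_block(pem_text))
    return fingerprint_der(der)


def fetch_served_der(host: str, port: int, sni_name: str, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate a server presents for sni_name (implicit TLS, e.g. IMAPS)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we want the served cert, valid or not
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            return tls.getpeercert(binary_form=True)


def is_stale(disk_pem_text: str, served_der: bytes) -> bool:
    """True when the served certificate differs from the one on disk."""
    return fingerprint_pem_text(disk_pem_text) != fingerprint_der(served_der)


def pem_from_der(der: bytes) -> str:
    """Wrap raw bytes in PEM armour (used only to build the constructed samples)."""
    return PEM_BEGIN + "\n" + base64.encodebytes(der).decode() + PEM_END + "\n"


# Constructed sample data: stand-ins for "certificate before renewal" and
# "certificate after renewal". Not real certificates.
SAMPLE_OLD_DER = b"constructed: certificate before renewal"
SAMPLE_NEW_DER = b"constructed: certificate after renewal"
# Disk file after renewal: renewed leaf followed by a (constructed) chain cert.
SAMPLE_DISK_PEM = pem_from_der(SAMPLE_NEW_DER) + pem_from_der(b"constructed: issuer")


def main() -> int:
    # Placeholders: replace with the real cert path, host, port and SNI name.
    pem_path, host, port, sni_name = "/path/to/fullchain.pem", "mail.example.invalid", 993, "mail.example.invalid"
    if len(sys.argv) == 5:
        pem_path, host, port, sni_name = sys.argv[1], sys.argv[2], int(sys.argv[3]), sys.argv[4]
    with open(pem_path, encoding="ascii") as f:
        disk_pem = f.read()
    served = fetch_served_der(host, port, sni_name)
    print("disk  :", fingerprint_pem_text(disk_pem))
    print("served:", fingerprint_der(served))
    if is_stale(disk_pem, served):
        print("STALE: server still serves a certificate that differs from the file on disk")
        return 1
    print("OK: served certificate matches the file on disk")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python check_cert.py /etc/dovecot/certs/example.pem imap.example 993 imap.example` after a renewal; a non-zero exit means the daemon is still serving the pre-renewal certificate and needs a reload, which is exactly the situation an on-demand loading scheme like Exim's avoids. Only the first PEM block is fingerprinted on purpose, since chain files put the leaf first and intermediates are not what the SNI comparison is about.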