On 08 Sep 2017, at 09:28, Вадим Бажов master@remort.net wrote:
"I think it’s probably easier to just kick dovecot once a month." - that's not good from system administration's point of view. You can get into trouble when certificate is renewed but dovecot isn't reloaded yet.
That's simply not possible. The cert renews well before it expires.
"it seems like checking the certs is something that dovecot should be doing on its own" if dovecot loads it in memory, it shouldn't reread certificates.
Of course it should because certs are DESIGNED to expire and MUST expire, and dovecot certainly has the ability to see when the cert expires.
Why to take servers resources just 'because of something may be changed'
Something WILL be changed, absolutely certain of that. All certs expire.
restarting dovecot with no need ?
restarting/reloading dovecot is trivial and takes far less time than writing a script to check the certs and then creating a crontab for that which also gives a tertiary point of failure.
-- Apple broke AppleScripting signatures in Mail.app, so no random signatures.