Re: Dovecot and Letsencrypt certs
And remove that "postfix reload" command - Postfix doesn't require explicit reloading. It'll pick up the changed cert automagically.
Daniel
On 9/12/2017 9:26 AM, Daniel Miller wrote:
What's wrong with using a certbot "post-hook" script such as:
#!/bin/bash
echo "Letsencrypt renewal hook running..."
echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"
if grep --quiet "your.email.domain" <<< "$RENEWED_DOMAINS"; then
    /usr/local/sbin/dovecot reload
    /usr/sbin/postfix reload
fi
Daniel
On 9/11/2017 1:57 PM, Joseph Tam wrote:
master@remort.net writes:
"writing a script to check the certs" - there is no need to write any scripts. As one mentioned, it's done by a hook to certbot. Please read the manuals for LE or certbot. The issue you have is quite common and of course certbot is designed to do it for you.
Won't work, of course, if you employ the least-privilege security principle and run the certbot as a non-privileged user. You'll need a script with administrator privileges to detect cert renewals and restart the service.
I can't willy-nilly restart dovecot to pick up renewed certs without webmail disruptions. (My webmail uses persistent IMAP sessions.) All users get dumped and need to re-authenticate. If a user happens to be drafting a message that took 2 hours to compose, I will surely hear about it. I should probably install an IMAP proxy to isolate the effects of restarts. Most mail readers cope with restarts just fine, though.
Joseph Tam jtam.home@gmail.com
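A tightened version of Daniel's post-hook above, added here as an example and not code from the thread: it matches the mail hostname exactly (a bare grep pattern treats "." as any character and matches substrings) and reloads only Dovecot, leaving Postfix to pick up the new files on its own. The hostname mail.example.com and the MAIL_HOST variable are assumed placeholders.

```shell
#!/bin/bash
# Added example, not the hook from the thread. Drop-in body for a certbot
# post-hook: reload Dovecot only when the exact mail hostname is among the
# renewed names; Postfix is left alone and picks up the new files itself.
set -u

MAIL_HOST="${MAIL_HOST:-mail.example.com}"   # assumed placeholder hostname

# Exact-match test over the whitespace-separated names in $1.
# A bare grep pattern treats '.' as "any character" and matches substrings,
# so it would also fire for e.g. notmail.example.com or mail.example.com.evil.
renewed_contains() {
    local renewed="$1" wanted="$2" name
    for name in $renewed; do
        [ "$name" = "$wanted" ] && return 0
    done
    return 1
}

# Returns the action name (RELOAD or SKIP) so the decision can be checked
# without touching any service.
decide_action() {
    if renewed_contains "$1" "$2"; then echo RELOAD; else echo SKIP; fi
}

main() {
    echo "Letsencrypt renewal hook running..."
    echo "RENEWED_DOMAINS=${RENEWED_DOMAINS:-}"
    echo "RENEWED_LINEAGE=${RENEWED_LINEAGE:-}"
    case "$(decide_action "${RENEWED_DOMAINS:-}" "$MAIL_HOST")" in
        RELOAD) /usr/local/sbin/dovecot reload ;;
        SKIP)   echo "certificate for $MAIL_HOST not renewed; nothing to do" ;;
    esac
}

main
```

certbot exports RENEWED_DOMAINS and RENEWED_LINEAGE to the hook, so the same body works unchanged as a --deploy-hook.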
On Tue, 12 Sep 2017, Daniel Miller wrote:
And remove that "postfix reload" command - Postfix doesn't require explicit reloading. It'll pick up the changed cert automagically.
Daniel
Hoi Daniel,
are you sure? What is the refresh time? Instantly or with some delay? Have you tested what happens if I install a new key, but I delay installing the correct certificate? Does postfix keep the old key+cert or stop using any cert because the new key is not correct for the current (old) certificate?
On my postfix 2.9.6 on debian wheezy 7 and postfix 2.11.3 on debian jessie 8 I have to reload postfix. Postfix can use the same key+cert even if I deleted these files.
Regards,
Robert.
Robert Wolf wrote on 13/09/2017 10:26:
are you sure? What is the refresh time? Instantly or with some delay? Have you tested what happens if I install a new key, but I delay installing the correct certificate? Does postfix keep the old key+cert or stop using any cert because the new key is not correct for the current (old) certificate?
On my postfix 2.9.6 on debian wheezy 7 and postfix 2.11.3 on debian jessie 8 I have to reload postfix. Postfix can use the same key+cert even if I deleted these files.
Two days ago Viktor Dukhovni wrote on Postfix ML:
/* If you run certbot often enough to renew well in advance of expiration, reloads of Postfix are unnecessary, and just needlessly interrupt orderly processing of email by the queue manager. Usually the new certificate will be automatically in use within "$max_idle * $max_use" seconds, and typically sooner, because processes either idle out quickly or reach the re-use limit quickly; handling $max_use connections that are exactly $max_idle apart is rather unlikely. By default that's 10000 seconds or just under 3 hours. */
--
Ciao, luigi
/ +--[Luigi Rosa]-- \
Statistics: The only science that enables different experts using the same figures to draw different conclusions. --Evan Esar
On Wed, 13 Sep 2017, Luigi Rosa wrote:
Robert Wolf wrote on 13/09/2017 10:26:
are you sure? What is the refresh time? Instantly or with some delay? Have you tested what happens if I install a new key, but I delay installing the correct certificate? Does postfix keep the old key+cert or stop using any cert because the new key is not correct for the current (old) certificate?
On my postfix 2.9.6 on debian wheezy 7 and postfix 2.11.3 on debian jessie 8 I have to reload postfix. Postfix can use the same key+cert even if I deleted these files.
Two days ago Viktor Dukhovni wrote on Postfix ML:
/* If you run certbot often enough to renew well in advance of expiration, reloads of Postfix are unnecessary, and just needlessly interrupt orderly processing of email by the queue manager. Usually the new certificate will be automatically in use within "$max_idle * $max_use" seconds, and typically sooner, because processes either idle out quickly or reach the re-use limit quickly; handling $max_use connections that are exactly $max_idle apart is rather unlikely. By default that's 10000 seconds or just under 3 hours. */
Hi Luigi,
you are right! The smtpd process really starts using the new certificate+key after this timeout (tested with max_use=1). OK, I thought it works similarly to the rsync daemon: the config file is read on each new connection, because it starts a new process. Similarly, the postfix master process starts the smtpd processes and they read the config and cert+key again. It's clear now.
Still, I prefer to do a reload if required and not wait until some timeout expires. And e.g. the getssl client can check if the certificate was correctly installed. And for this check it needs to run "reload".
And I prefer to reload the cert+key manually instead of automatically, to be sure WHEN it will be done.
So I am OK with Dovecot loading the cert+key on start and reload :-)
Regards,
Robert.