Renewing certificates

[Kenneth Porter]

I'm setting up certbot/letsencrypt to provide a certificate for dovecot and 
sendmail. Is it necessary to restart dovecot to load the new certificate, 
as shown in most examples I find in blogs? That seems rude to established 
connections. When does dovecot read the cert and key files? Once at startup 
or each time a connection requests SSL? Is there a preferred locking 
protocol when changing the two files to keep dovecot from reading one while 
the other is being replaced and getting a mismatched pair?