Dovecot and Letsencrypt certs

Joseph Tam jtam.home at gmail.com
Mon Sep 11 23:57:27 EEST 2017


<master at remort.net> writes:

> "writing a script to check the certs" - there is no need to write any
> scripts. As one mentioned, it's done by a hook to certbot. Please read
> the manuals for LE or certbot. The issue you have is quite common and
> of course certbot is designed to do it for you.

Won't work, of course, if you employ the least-privilege security principle
and run certbot as a non-privileged user.  You'll need a script with
administrator privileges to detect cert renewals and restart the service.

I can't willy-nilly restart dovecot to pick up renewed certs without
webmail disruptions.  (My webmail uses persistent IMAP sessions.)
All users get dumped and need to re-authenticate.  If a user happens to
be drafting a message that took 2 hours to compose, I will surely hear
about it.  I should probably install an IMAP proxy to isolate the effects
of restarts.  Most mail readers cope with restarts just fine, though.

Joseph Tam <jtam.home at gmail.com>
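As an added example (not from Joseph's post, and not Dovecot's or certbot's own code), here is one shape such a privileged watcher can take: a POSIX shell script run from root's cron or a systemd timer some time after certbot's own renewal timer. It records a SHA-256 digest of the certificate file and only touches Dovecot when that digest changes, so certbot itself stays unprivileged and no deploy hook needs root. The certificate path, the state-file location and the choice of `doveadm reload` instead of a full restart are assumptions; whether a reload keeps existing IMAP sessions alive on your Dovecot version is something to verify before relying on it.

```shell
#!/bin/sh
# Hypothetical renewal watcher: runs as root from cron or a systemd timer,
# while certbot itself runs as an unprivileged user. Paths are assumptions.
set -eu

CERT="${CERT:-/etc/letsencrypt/live/mail.example.org/fullchain.pem}"  # assumed path
STATE="${STATE:-/var/lib/dovecot-cert-watch/fingerprint}"              # assumed path

# Print a stable digest of the PEM file's contents. sha256sum follows the
# live/ symlink, so a renewal that repoints it into archive/ changes the digest.
cert_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 when the cert differs from the recorded digest (or nothing was
# recorded yet), 1 when it is unchanged since the last run.
cert_changed() {
    cert="$1"; state="$2"
    new=$(cert_digest "$cert")
    old=$(cat "$state" 2>/dev/null || true)
    if [ "$new" != "$old" ]; then
        return 0
    else
        return 1
    fi
}

# Record the current digest so the next run is a no-op unless certbot renewed.
record_digest() {
    mkdir -p "$(dirname "$2")"
    cert_digest "$1" > "$2"
}

# Hand Dovecot the new cert. `doveadm reload` re-reads the configuration;
# whether that disturbs existing IMAP sessions less than a restart depends
# on the Dovecot version and setup, so test it before depending on it.
reload_dovecot() {
    doveadm reload
}

main() {
    if cert_changed "$CERT" "$STATE"; then
        reload_dovecot
        record_digest "$CERT" "$STATE"
    fi
}

# Only do the real work when the configured cert is actually present.
if [ -r "$CERT" ]; then
    main
fi
```

Recording the digest only after the reload succeeds means a failed `doveadm reload` is retried on the next timer tick rather than silently forgotten; if you do keep a full restart, scheduling the timer for a low-traffic hour limits how many persistent webmail sessions get dumped.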

