Dovecot and Letsencrypt certs

Robert Wolf r.wolf.conf at gmail.com
Wed Sep 13 13:10:07 EEST 2017


On Wed, 13 Sep 2017, Luigi Rosa wrote:

> Robert Wolf wrote on 13/09/2017 10:26:
> 
> > Are you sure? What is the refresh time? Instantly or with some delay? Have
> > you tested what happens if I install a new key, but I delay installing the
> > correct certificate? Does postfix keep the old key+cert or stop using any
> > cert because the new key is not correct for the current (old) certificate?
> > 
> > On my postfix 2.9.6 on debian wheezy 7 and postfix 2.11.3 on debian jessie 8
> > I have to reload postfix. Postfix can use the same key+cert even if I deleted
> > these files.
> 
> Two days ago Viktor Dukhovni wrote on Postfix ML:
> 
> /*
> If you run certbot often enough to renew well in advance of expiration,
> reloads of Postfix are unnecessary, and just needlessly interrupt orderly
> processing of email by the queue manager.  Usually the new certificate will
> be automatically in use within "$max_idle * $max_use" seconds, and typically
> sooner, because processes either idle out quickly or reach the re-use limit
> quickly; handling $max_use connections that are exactly $max_idle apart is
> rather unlikely. By default that's 10000 seconds or just under 3 hours.
> */


Hi Luigi,

you are right! The smtpd process really starts using the new certificate+key after 
this timeout (tested with max_use=1). OK, I thought it worked similarly to the rsync 
daemon: the config file is read on each new connection, because it starts a new 
process. Similarly, the postfix master process starts the smtpd processes and 
they read the config and cert+key again. It's clear now.

Still, I prefer to do a reload if required and not wait until some timeout 
expires. And e.g. the getssl client can check whether the certificate was correctly 
installed. And for this check it needs to run "reload".

And I prefer to reload cert+key manually instead of automatically, to be sure WHEN 
it will be done.

So I am OK with Dovecot loading cert+key on start and on reload :-)


Regards,

Robert.
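The check discussed in this message (is the server already serving the certificate that is on disk, and is a reload actually needed?) can be automated. The script below is an added example written for this page, not code from the thread, from getssl, or from Postfix or Dovecot. It uses only the Python standard library (smtplib, ssl, hashlib). The host and port are placeholders, the PEM path is supplied by the caller, and the max_idle=100 s / max_use=100 defaults are Postfix's documented defaults, which is where the 10000-second window quoted above comes from. SAMPLE_DER and SAMPLE_PEM are constructed test data, not a real certificate.

```python
"""Compare the certificate an SMTP server presents after STARTTLS with the
certificate file on disk, and decide whether a reload is needed.

Added example for this mailing-list thread; not Postfix, Dovecot or getssl code.
"""
import base64
import hashlib
import smtplib
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed sample data so the offline parts can be exercised without a real
# certificate: PEM_cert_to_DER_cert only base64-decodes between the markers.
SAMPLE_DER = b"constructed sample bytes, not a real X.509 certificate"
SAMPLE_PEM = (PEM_BEGIN + "\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + PEM_END + "\n")


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, in the colon-separated
    upper-case layout that `openssl x509 -noout -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_pem(pem_text: str) -> str:
    """Fingerprint of the FIRST certificate in a PEM string. In a Let's Encrypt
    fullchain.pem that is the leaf; anything before the first marker (e.g. a
    private key in a combined file) is ignored."""
    start = pem_text.index(PEM_BEGIN)
    stop = pem_text.index(PEM_END, start) + len(PEM_END)
    der = ssl.PEM_cert_to_DER_cert(pem_text[start:stop])
    return fingerprint_der(der)


def served_fingerprint(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """EHLO, STARTTLS, and return the fingerprint of the leaf certificate the
    server actually hands out. Verification is disabled on purpose: the goal is
    to observe what is served, not to validate the chain."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        der = smtp.sock.getpeercert(binary_form=True)
    return fingerprint_der(der)


def decide(on_disk_fp: str, served_fp: str, seconds_since_install: float,
           max_idle: int = 100, max_use: int = 100) -> str:
    """Map the comparison onto the three situations from the thread:
    'in-sync'  : the new certificate is already being served;
    'wait'     : mismatch, but still inside the max_idle * max_use window in
                 which long-lived smtpd processes are expected to be replaced;
    'reload'   : mismatch after the window has passed, so the daemon is not
                 going to pick the file up by itself (or the file was deleted
                 out from under it) and an explicit reload is required."""
    if on_disk_fp == served_fp:
        return "in-sync"
    window = max_idle * max_use          # Postfix defaults: 100 s * 100 = 10000 s
    if seconds_since_install < window:
        return "wait"
    return "reload"


if __name__ == "__main__":
    # Usage: python check_cert.py mail.example.invalid 25 /etc/ssl/fullchain.pem 0
    host, port, pem_path, age = sys.argv[1], int(sys.argv[2]), sys.argv[3], float(sys.argv[4])
    with open(pem_path, encoding="ascii") as fh:
        on_disk = fingerprint_pem(fh.read())
    served = served_fingerprint(host, port)
    print("on disk :", on_disk)
    print("served  :", served)
    print("verdict :", decide(on_disk, served, age))
```

Running this right after installing a new certificate will usually report "wait" for a while and then "in-sync" once the old smtpd processes have idled out or hit max_use; a persistent "reload" verdict is the case Robert describes above, where the daemon keeps using the old key+cert (even after the files were deleted) until it is told to reload.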

