Re: Am I right to assume certificate renewal with the same filename requires a dovecot reload/restart

Kostya Vasilyev kman at fastmail.com
Thu Mar 14 11:17:36 EET 2019


On Thu, Mar 14, 2019, at 12:09 PM, Yassine Chaouche via dovecot wrote:
> On 3/14/19 9:55 AM, Patrick Cernko via dovecot wrote:
> 
> > [...] the way we have configured exim, it neither needs reload or 
> > restart but reads the certificate file every time it has to use it.
> 
> What happens if you goof off in the middle of an operation, temporarily 
> putting a wrong file instead of the new certificate, and exim starts 
> delivering the new broken certificate right away? or breaks? or 
> clients can't connect anymore with TLS? or don't connect at all if you 
> don't allow non-TLS connections?
> 
> Yassine.
> 
>

Getting caught in the middle of a cert file or key file update should not happen -- a process that already opened a file will continue to be reading from that file, even if it gets renamed.

But what if exim (or some other process) happens to read the "old" certificate file - and then the "new" private key file (or vice versa)?

A race condition like this seems unlikely but technically possible.

-- K
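The two failure modes raised in this thread (a wrong file dropped in place mid-operation, and a reader picking up the old certificate with the new key) can both be closed on the deployment side. The script below is an added example written for this page; it is not code from the thread, from Dovecot or from Exim. It assumes the `openssl` command-line tool is available and that the daemon accepts a combined PEM file holding both certificate and key (the file names and the `/CN=` subjects are constructed for the demo). The renewed pair is only installed after its public keys are shown to match, and it is installed with a single `mv`, since rename(2) is atomic: a process opening the path sees either the complete old pair or the complete new pair, never a mix.

```shell
#!/bin/sh
# Added example: safely install a renewed certificate/key pair.
# Assumes the openssl CLI; all paths and subjects below are constructed.
set -eu

# Return 0 when the certificate's public key equals the private key's public key.
# Both commands emit the SubjectPublicKeyInfo in PEM, so hashing them is enough.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_fp=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    key_fp=$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)
    [ "$cert_fp" = "$key_fp" ]
}

# Write cert+key into ONE combined PEM in the destination directory, then
# rename it over the live path. Refuse to touch the live file on a mismatch,
# so a goofed renewal leaves the previous working pair in place.
install_pair() {
    cert="$1"; key="$2"; dest="$3"
    if ! cert_matches_key "$cert" "$key"; then
        echo "refusing to install: certificate and key do not match" >&2
        return 1
    fi
    # mktemp in the same directory keeps the final mv a same-filesystem rename
    tmp=$(mktemp "$(dirname "$dest")/.pair.XXXXXX")
    cat "$cert" "$key" > "$tmp"
    chmod 0600 "$tmp"
    mv -f "$tmp" "$dest"
}

# Constructed fixture: a throwaway self-signed pair named $name in $dir.
# Used only so the demo can show both a matching and a mismatched pair.
make_fixture() {
    dir="$1"; name="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# Demo: build two pairs, install the good one, then show the bad combination
# being rejected while the live file stays intact.
demo() {
    work=$(mktemp -d)
    make_fixture "$work" renewed
    make_fixture "$work" stray
    install_pair "$work/renewed.crt" "$work/renewed.key" "$work/live.pem"
    echo "installed: $work/live.pem"
    if install_pair "$work/renewed.crt" "$work/stray.key" "$work/live.pem"; then
        echo "BUG: mismatched pair was installed" >&2
        rm -rf "$work"
        return 1
    fi
    echo "mismatched pair correctly rejected, live file untouched"
    rm -rf "$work"
}
```

Run `demo` to see both paths; in a real renewal hook call `install_pair /path/new.crt /path/new.key /etc/ssl/private/mail.pem` and point the daemon's certificate and key settings at that one file. The check and the rename remove the race Kostya describes; whether the daemon then needs a reload to pick up the new contents is the separate question this thread is about.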

