Re: Am I right to assume certificate renewal with the same filename requires a dovecot reload/restart
Kostya Vasilyev
kman at fastmail.com
Thu Mar 14 11:17:36 EET 2019
On Thu, Mar 14, 2019, at 12:09 PM, Yassine Chaouche via dovecot wrote:
> On 3/14/19 9:55 AM, Patrick Cernko via dovecot wrote:
>
> > [...] the way we have configured exim, it needs neither a reload nor a
> > restart but reads the certificate file every time it has to use it.
>
> What happens if you goof off in the middle of an operation, temporarily
> putting a wrong file instead of the new certificate, and exim starts
> delivering the new broken certificate right away? Or breaks? Or
> clients can't connect anymore with TLS? Or don't connect at all if you
> don't allow non-TLS connections?
>
> Yassine.
>
>
Getting caught in the middle of a cert file or key file update should not happen -- a process that already opened a file will continue to be reading from that file, even if it gets renamed.
But what if exim (or some other process) happens to read the "old" certificate file - and then the "new" private key file (or vice versa)?
A race condition like this seems unlikely but technically possible.
-- K
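The cert-then-key interleaving described in the message above, reproduced and then avoided, as an added example that is not part of the thread and not dovecot or exim code. It assumes a layout of its own choosing: each rollover writes a fresh `versions/<dir>` holding both PEM files, and a `current` symlink is swapped with one atomic rename(2); a reader that resolves the symlink once and opens both files under that resolved directory can never pair an old certificate with a new key. The PEM contents are constructed placeholders, not real certificates.

```python
import os
import tempfile

# File names are an assumption of this example, not a dovecot or exim setting.
CERT_NAME = "fullchain.pem"
KEY_NAME = "privkey.pem"


def publish_pair(base, cert_pem, key_pem):
    """Write cert+key into a fresh version directory, then repoint the
    'current' symlink with a single os.replace (rename(2), atomic on POSIX).
    A reader that resolves 'current' once sees the old pair or the new pair,
    never a mix. Returns the new version directory."""
    versions = os.path.join(base, "versions")
    os.makedirs(versions, exist_ok=True)
    vdir = tempfile.mkdtemp(prefix="v-", dir=versions)
    for name, data, mode in ((CERT_NAME, cert_pem, 0o644), (KEY_NAME, key_pem, 0o600)):
        path = os.path.join(vdir, name)
        with open(path, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())  # both files are durable before they become visible
        os.chmod(path, mode)
    tmp_link = os.path.join(base, ".current.tmp")
    if os.path.lexists(tmp_link):
        os.unlink(tmp_link)
    os.symlink(os.path.relpath(vdir, base), tmp_link)
    os.replace(tmp_link, os.path.join(base, "current"))  # the only visible step
    return vdir


def load_pair_racy(base, between=None):
    """The pattern the thread worries about: 'current' is resolved separately
    for each file, so a rollover landing between the two opens yields the
    old certificate paired with the new private key. `between` simulates
    that rollover."""
    with open(os.path.join(base, "current", CERT_NAME), "rb") as fh:
        cert = fh.read()
    if between:
        between()
    with open(os.path.join(base, "current", KEY_NAME), "rb") as fh:
        key = fh.read()
    return cert, key


def load_pair_safe(base, between=None):
    """Resolve the symlink once, then read both files from that version
    directory. The old directory stays on disk, so a rollover in the middle
    still leaves this reader with a matching pair."""
    vdir = os.path.realpath(os.path.join(base, "current"))
    with open(os.path.join(vdir, CERT_NAME), "rb") as fh:
        cert = fh.read()
    if between:
        between()
    with open(os.path.join(vdir, KEY_NAME), "rb") as fh:
        key = fh.read()
    return cert, key


def demonstrate(base=None):
    """Publish v1, then read with a rollover injected between the two opens.
    Returns the pairs each reader observed and the pair finally installed."""
    base = base or tempfile.mkdtemp(prefix="tls-")
    # Constructed placeholder contents; real deployments write PEM here.
    publish_pair(base, b"CERT v1\n", b"KEY v1\n")
    racy = load_pair_racy(base, between=lambda: publish_pair(base, b"CERT v2\n", b"KEY v2\n"))
    safe = load_pair_safe(base, between=lambda: publish_pair(base, b"CERT v3\n", b"KEY v3\n"))
    return {"racy": racy, "safe": safe, "installed": load_pair_safe(base)}


if __name__ == "__main__":
    for label, pair in demonstrate().items():
        print(label, pair)
```

The racy reader ends up holding `CERT v1` with `KEY v2`, which is exactly the mismatch a TLS handshake would then fail on; the safe reader, resolving once, holds a consistent `v2` pair even though `v3` was installed underneath it. Old version directories can be pruned later, once no process can still be reading them.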