On Sep 8, 2017, at 07:56, Darac Marjal <mailinglist at darac.org.uk> wrote:

> #!/bin/bash
>
> set -e
> set -u
> set -o pipefail
>
> if [[ ${1} == "deploy_cert" && ${2} == "mail.darac.org.uk" ]]; then
>     echo " + Hook: Restarting Dovecot..."
>     /usr/sbin/service dovecot restart
> fi
>
> That means that dovecot will be restarted only if the certificate for the mail server is being deployed. If dehydrated runs, but fails to renew the certificate, then dovecot won't be restarted. Similarly, if it renews a different certificate, dovecot won't be restarted.

That is a great solution, but I think it's probably easier to just kick dovecot once a month.

4 4 4 * * service dovecot restart

However, it seems like checking the certs is something that dovecot should be doing on its own.

-- 
This is my signature. There are many like it, but this one is mine.
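A fuller version of the deploy_cert hook discussed above, added here as an example; it is not Darac Marjal's script or anything from the dehydrated or Dovecot projects. It assumes dehydrated's documented hook argument order (hook name, domain, key file, cert file, fullchain file, chain file, timestamp), a Dovecot 2.x install where `doveadm reload` re-reads the configuration and certificate paths, and the placeholder hostname mail.example.com and state directory /var/lib/dehydrated/hook-state. Beyond the hook in the thread it skips the reload when deploy_cert fires for a chain that has not actually changed, and reloads rather than restarts.

```shell
#!/bin/sh
# Added example (not from the thread): a dehydrated hook that reloads Dovecot
# only when the mail server's certificate was actually deployed and changed.
# Assumptions: dehydrated invokes this as
#   hook.sh deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# Dovecot 2.x provides `doveadm reload`, and STATE_DIR is writable by the hook.
set -eu

MAIL_DOMAIN="${MAIL_DOMAIN:-mail.example.com}"            # assumed hostname
STATE_DIR="${STATE_DIR:-/var/lib/dehydrated/hook-state}"  # assumed path
DOVEADM="${DOVEADM:-/usr/bin/doveadm}"

# Content fingerprint of the full chain. cksum is POSIX, so the decision does
# not depend on openssl; it only has to answer "did the file change?".
cert_fingerprint() {
    cksum < "$1" | cut -d' ' -f1
}

# Pure decision function: prints "reload" or "skip".
#   $1 hook name  $2 domain  $3 fullchain path  $4 fingerprint recorded at the last reload
decide_action() {
    hook=$1
    domain=$2
    fullchain=$3
    last=$4
    case "$hook" in
        deploy_cert)
            # Another domain's renewal must not touch Dovecot.
            [ "$domain" = "$MAIL_DOMAIN" ] || { echo skip; return 0; }
            [ -r "$fullchain" ] || { echo skip; return 0; }
            # deploy_cert can fire again for an unchanged chain (e.g. a forced run): skip then.
            if [ "$(cert_fingerprint "$fullchain")" = "$last" ]; then
                echo skip
            else
                echo reload
            fi
            ;;
        *)
            # unchanged_cert, clean_challenge, exit_hook, ...: nothing to do for Dovecot.
            echo skip
            ;;
    esac
}

# Fingerprint recorded by the previous successful reload, or "" if none.
last_fingerprint() {
    if [ -r "$STATE_DIR/$MAIL_DOMAIN.cksum" ]; then
        cat "$STATE_DIR/$MAIL_DOMAIN.cksum"
    else
        echo ""
    fi
}

reload_dovecot() {
    fullchain=$1
    echo " + Hook: certificate for $MAIL_DOMAIN changed, reloading Dovecot"
    # reload, not restart: existing IMAP sessions survive and new login
    # processes pick up the new certificate (verify on your Dovecot version).
    "$DOVEADM" reload
    mkdir -p "$STATE_DIR"
    cert_fingerprint "$fullchain" > "$STATE_DIR/$MAIL_DOMAIN.cksum"
}

main() {
    hook=${1:-}
    domain=${2:-}
    fullchain=${5:-}
    case "$(decide_action "$hook" "$domain" "$fullchain" "$(last_fingerprint)")" in
        reload) reload_dovecot "$fullchain" ;;
        skip)   : ;;
    esac
}

# Only dispatch when dehydrated actually passes arguments; sourcing the file is harmless.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Point dehydrated at it with HOOK=/path/to/hook.sh in its config; the recorded checksum is what turns a repeated deploy_cert into a no-op.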
"I think it's probably easier to just kick dovecot once a month." - that's not good from a system administration point of view. You can get into trouble when the certificate is renewed but dovecot isn't reloaded yet. And doing something via cron just by guess, once a month, is a no-no.

"it seems like checking the certs is something that dovecot should be doing on its own" - if dovecot loads it into memory, it shouldn't reread certificates. Why take server resources just 'because something may have changed', restarting dovecot with no need? And never do a restart if a reload suits your needs. But check first whether the reload action rereads the certificate from the file system.

2017-09-08 19:20 GMT+05:00 LuKreme <kremels at kreme.com>:

> On Sep 8, 2017, at 07:56, Darac Marjal <mailinglist at darac.org.uk> wrote:
>> #!/bin/bash
>>
>> set -e
>> set -u
>> set -o pipefail
>>
>> if [[ ${1} == "deploy_cert" && ${2} == "mail.darac.org.uk" ]]; then
>>     echo " + Hook: Restarting Dovecot..."
>>     /usr/sbin/service dovecot restart
>> fi
>>
>> That means that dovecot will be restarted only if the certificate for the mail server is being deployed. If dehydrated runs, but fails to renew the certificate, then dovecot won't be restarted. Similarly, if it renews a different certificate, dovecot won't be restarted.
>
> That is a great solution, but I think it's probably easier to just kick dovecot once a month.
>
> 4 4 4 * * service dovecot restart
>
> However, it seems like checking the certs is something that dovecot should be doing on its own.
>
> -- 
> This is my signature. There are many like it, but this one is mine.
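The two failure modes raised above (certificate renewed on disk but Dovecot not reloaded, and a reload that never re-read the file) can both be caught from outside Dovecot by comparing the certificate on disk with the one actually served on port 993 and checking its expiry. The script below is an added example, not from any poster in the thread; it assumes openssl(1) on the host, a placeholder hostname mail.example.com and certificate path /etc/dovecot/ssl/fullchain.pem, IMAPS on port 993, and that the leaf certificate is the first PEM block `openssl s_client` prints.

```shell
#!/bin/sh
# Added example (not from the thread): detect a certificate that was renewed
# on disk but is not what Dovecot serves, and warn before the served one expires.
# Assumptions: openssl(1) is installed, Dovecot listens for IMAPS on $HOST:993,
# and $CERT_FILE is the chain file named in Dovecot's ssl_cert setting.
set -eu

HOST="${HOST:-mail.example.com}"                          # assumed hostname
CERT_FILE="${CERT_FILE:-/etc/dovecot/ssl/fullchain.pem}"  # assumed path
WARN_DAYS="${WARN_DAYS:-14}"

# SHA-256 fingerprint of the first certificate in a PEM file, e.g. AB:CD:...
fingerprint_file() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the leaf certificate Dovecot hands to clients (with SNI set).
fingerprint_served() {
    openssl s_client -connect "$1:993" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# True (exit 0) if the certificate in $1 expires within $2 days.
expires_within_days() {
    seconds=$(( $2 * 86400 ))
    # -checkend exits 0 when the cert is still valid N seconds from now, 1 when not.
    if openssl x509 -in "$1" -noout -checkend "$seconds" >/dev/null 2>&1; then
        return 1
    else
        return 0
    fi
}

# Compare disk vs. wire; prints a status word and returns non-zero on a problem.
#   OK        same cert on disk and on the wire, not about to expire
#   STALE     disk has a different cert than Dovecot serves: a reload was missed
#   EXPIRING  served cert expires within WARN_DAYS: renewal or the hook is failing
check_dovecot_cert() {
    host=$1
    cert=$2
    warn_days=$3
    disk=$(fingerprint_file "$cert")
    served=$(fingerprint_served "$host")
    if [ "$disk" != "$served" ]; then
        echo "STALE disk=$disk served=$served"
        return 2
    fi
    if expires_within_days "$cert" "$warn_days"; then
        echo "EXPIRING $(openssl x509 -in "$cert" -noout -enddate)"
        return 3
    fi
    echo "OK $disk"
}

# Run as: check.sh [host] [certfile] [warn_days]; with no arguments only defines functions.
if [ "$#" -gt 0 ]; then
    check_dovecot_cert "${1:-$HOST}" "${2:-$CERT_FILE}" "${3:-$WARN_DAYS}"
fi
```

Run it from cron a few hours after dehydrated's own cron entry; a STALE result right after a renewal is the evidence that the reload did (or did not) re-read the file, and an EXPIRING result well before the deadline is the alert the monthly restart never gives you.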
On 08.09.2017 16:20, LuKreme wrote:

> That is a great solution, but I think it's probably easier to just
> kick dovecot once a month.

Certbot hooks are very easy to write, and are only executed when the certificate is updated. In that light, I can see no advantage in "kick dovecot once a month". ;-)

> However, it seems like checking the certs is something that dovecot
> should be doing on its own.

What is Dovecot supposed to do? Keep track of the certificate expiry date? And if that is passed, then what? Automatically shutdown/restart? What if the certificate has not been updated in between? I think that handling certificates is better left to the administrator.

-Ralph
On 08 Sep 2017, at 09:28, <master at remort.net> wrote:

> "I think it's probably easier to just kick dovecot once a month." -
> that's not good from system administration's point of view. You can
> get into trouble when certificate is renewed but dovecot isn't
> reloaded yet.

That's simply not possible. The cert renews well before it expires.

> "it seems like checking the certs is something that dovecot should be
> doing on its own" if dovecot loads it in memory, it shouldn't reread
> certificates.

Of course it should, because certs are DESIGNED to expire and MUST expire, and dovecot certainly has the ability to see when the cert expires.

> Why to take servers resources just 'because of something
> may be changed'

Something WILL be changed, absolutely certain of that. All certs expire.

> restarting dovecot with no need ?

Restarting/reloading dovecot is trivial and takes far less time than writing a script to check the certs and then creating a crontab for that, which also gives a tertiary point of failure.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
On 08 Sep 2017, at 10:08, Ralph Seichter <m16+dovecot at monksofcool.net> wrote:

> What is Dovecot supposed to do? Keep track of the certificate expiry
> date? And if that is passed, then what? Automatically shutdown/restart?
> What if the certificate has not been updated in between? I think that
> handling certificates is better left to the administrator.

How I would do it is: IF the certificate is expired, dovecot should check if there is a new cert and, if so, load it. This prevents a failure event, but doesn't interfere with reloading the cert when it is renewed.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
On Friday 08 of September 2017, Ralph Seichter wrote:

> On 08.09.2017 16:20, LuKreme wrote:
>> However, it seems like checking the certs is something that dovecot
>> should be doing on its own.
>
> What is Dovecot supposed to do? Keep track of the certificate expiry
> date?

That was already discussed, but for another reason. dovecot shouldn't load SSL certificates into memory and should instead open & load the cert on demand (when a client connects and requests a particular domain via SNI, or the default if no SNI).

Why? Because dovecot *cannot* handle thousands of virtual domains and SSL certificates for these. It wastes so much RAM and times out on reloads in such a case. Tested here. [1]

That's why the only sensible solution is to work like exim: load the cert from disk on demand. That fixes both problems, RAM wasting/timeouts and refreshing certificates.

> -Ralph

1. https://dovecot.org/list/dovecot/2016-October/105855.html

-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )