On 08 Sep 2017, at 10:08, Ralph Seichter <m16+dovecot at monksofcool.net> wrote:

> What is Dovecot supposed to do? Keep track of the certificate expiry
> date? And if that is passed, then what? Automatically shutdown/restart?
> What if the certificate has not been updated in between? I think that
> handling certificates is better left to the administrator.

How I would do it is IF the certificate is expired, the dovecot should check if there is a new cert and if so, load it. This prevents a failure event, but doesn't interfere with reloading the cert when it is renewed.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
On 08.09.2017 19:51, @lbutlr wrote:

> How I would do it is IF the certificate is expired, the dovecot should
> check if there is a new cert and if so, load it.

New cert as in file modification date or checksum changed? Might work. Still, from what I seem to remember, Dovecot loads certificate data before dropping privileges, which is why reloading the data might be problematic without some changes. Not worth spending development effort on, IMO, given that Dovecot can easily be restarted by the external processes that update the cert (like Certbot hook, Ansible, etc.).

-Ralph
On 08 Sep 2017, at 12:21, Ralph Seichter <m16+dovecot at monksofcool.net> wrote:

> On 08.09.2017 19:51, @lbutlr wrote:
>> How I would do it is IF the certificate is expired, the dovecot should
>> check if there is a new cert and if so, load it.
> New cert as in file modification date or checksum changed?

Either one, but checksum is going to be more reliable.

> Might work. Still, from what I seem to remember, Dovecot loads certificate data before dropping privileges, which is why reloading the data might be problematic without some changes.

Can't dovecot reload itself? That could be a problem if not.

> Not worth spending development effort on, IMO, given that Dovecot can easily be restarted by the external processes that update the cert (like Certbot hook, Ansible, etc.).

All I'm saying is that it's a failure event that doesn't need to occur.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
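A Certbot deploy-hook style script that puts together the two points above (an external process reloads Dovecot after renewal, and the "new cert" test is a checksum rather than a modification date). This is an added example, not code from the thread or from Dovecot. The certificate and state paths are placeholder assumptions, and it assumes `doveadm reload` is enough to make Dovecot pick up the new files; substitute a service restart if your version needs one.

```shell
#!/bin/sh
# Added example: reload Dovecot only when the certificate file really changed
# (checksum, not mtime) and refuse to load a certificate that is itself about
# to expire. Both paths below are assumed placeholders.
CERT_FILE="${CERT_FILE:-/etc/letsencrypt/live/mail.example.org/fullchain.pem}"
STATE_FILE="${STATE_FILE:-/var/lib/dovecot/cert.sha256}"

# Print the SHA-256 hex digest of a file (shasum fallback where sha256sum is absent).
cert_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# True (exit 0) when the file's digest differs from the recorded one, or when
# nothing has been recorded yet. A touched-but-identical file counts as unchanged.
cert_changed() {
    new=$(cert_digest "$1")
    old=$(cat "$2" 2>/dev/null || true)
    [ "$new" != "$old" ]
}

# Remember the digest of the file just loaded so the next run sees "no change".
record_digest() {
    cert_digest "$1" > "$2"
}

# True when the certificate expires within $2 seconds: openssl's -checkend
# exits non-zero exactly when the certificate WILL expire inside that window.
cert_expiring_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2"
}

main() {
    if ! cert_changed "$CERT_FILE" "$STATE_FILE"; then
        echo "certificate unchanged, no reload needed"
        return 0
    fi
    if cert_expiring_within "$CERT_FILE" 86400; then
        echo "refusing to reload: $CERT_FILE expires within 24h" >&2
        return 1
    fi
    doveadm reload && record_digest "$CERT_FILE" "$STATE_FILE"
}

# Run only when executed as the hook itself, not when sourced for testing.
if [ "${0##*/}" = "cert-reload.sh" ]; then main "$@"; fi
```

Install it as `cert-reload.sh` and pass it to Certbot with `--deploy-hook`; the digest file is what makes a second, redundant hook invocation a no-op.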