And remove that "postfix reload" command - Postfix doesn't require explicit reloading. It'll pickup the changed cert automagically. Daniel On 9/12/2017 9:26 AM, Daniel Miller wrote:> What's wrong with using a certbot "post-hook" script such as: > > #!/bin/bash > echo "Letsencrypt renewal hook running..." > echo "RENEWED_DOMAINS=$RENEWED_DOMAINS" > echo "RENEWED_LINEAGE=$RENEWED_LINEAGE" > > if grep --quiet "your.email.domain" <<< "$RENEWED_DOMAINS"; then > ??? /usr/local/sbin/dovecot reload > ?? /usr/sbin/postfix reload > fi > > Daniel > > On 9/11/2017 1:57 PM, Joseph Tam wrote: >> <master at remort.net> writes: >> >>> "writing a script to check the certs" - there is no need to write any >>> scripts. As one mentioned, it's done by a hook to certbot. Please read >>> the manuals for LE or certbot. The issue you have is quite common and >>> of course certbot designed to do it for you. >> >> Won't work, of course, if you employ the least-privilege security >> principle >> and run the certbot as a non-privileged user.? You'll need a script with >> administrator privileges to detect cert renewals and restart the >> service. >> >> I can't willy-nilly restart dovecot to pick up renewed certs without >> webmail disruptions.? (My webmail uses persistent IMAP sessions.) >> All users get dumped and need to re-authenticate.? If a user happens to >> be drafting a message that took 2 hours to compose, I will surely hear >> about it.? I should probably install a IMAP proxy to isolate the effects >> of restarts.? Most mail readers cope with restarts just fine, though. >> >> Joseph Tam <jtam.home at gmail.com>
On Tue, 12 Sep 2017, Daniel Miller wrote:> And remove that "postfix reload" command - Postfix doesn't require explicit > reloading. It'll pickup the changed cert automagically. > > DanielHoi Daniel, are you sure? What is the refresh time? Instantly or with some delay? Have you tested what happens if I install new key, but I delay installing correct certificate? Does postfix keep the old key+cert or stop using any cert because the new key is not correct for the current(old) certificate? On my postfix 2.9.6 on debian wheezy 7 and postfix 2.11.3 on debian jessie 8 I have to reload postfix. Postfix can use the same key+cert even if I deleted these files. Reagrds, Robert.
Robert Wolf wrote on 13/09/2017 10:26:> are you sure? What is the refresh time? Instantly or with some delay? Have you > tested what happens if I install new key, but I delay installing correct > certificate? Does postfix keep the old key+cert or stop using any cert because > the new key is not correct for the current(old) certificate? > > On my postfix 2.9.6 on debian wheezy 7 and postfix 2.11.3 on debian jessie 8 I > have to reload postfix. Postfix can use the same key+cert even if I deleted > these files.Two days ago Viktor Dukhovni wrote on Postfix ML: /* If you run certbot often enough to renew well in advance of expiration, reloads of Postfix are unnecessary, and just needlessly interrupt orderly processing of email by the queue manager. Usually the new certificate will be automatically in use within "$max_idle * $max_use" seconds, and typically sooner, because processes either idle out quickly or reach the re-use limit quickly, handling $max_use connections that are exactly $max_idle apart is rather unlikely By default that's 10000 seconds or just under 3 hours. */ -- Ciao, luigi / +--[Luigi Rosa]-- \ Statistics: The only science that enables different experts using the same figures to draw different conclusions. --Evan Esar