DevHeads.net

Certificate Replacement

I am needing to replace the certificate and key. Are they read and cached when postfix starts, or are they read during normal mail handling? In other words, can I replace the files or do I need to do a reload or restart of the service afterwards?

-- Doug

Comments

Re: Certificate Replacement

By Ian R. Bennett at 04/12/2018 - 19:29

On 2018-04-12 16:25, Doug Hardie wrote:
You'll need to restart postfix.

/i.

Re: Certificate Replacement

By Viktor Dukhovni at 04/12/2018 - 19:35

That's false. Each smtpd(8) process handles a limited number of
connections ($max_use, default 100) and exits. It also exits when
idle for sufficiently long ($max_idle, default 100s).

Since each smtpd(8) process reads the certificates for itself, unless
the cert/key rotation is extremely urgent (the current cert is
expired and causes problems, i.e. key rotation is already too
late) there is no need for a restart.

And even when the key rotation is urgent "postfix reload" is sufficient,
you don't need to restart. This allows existing connections to finish
gracefully.

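The procedure Viktor describes, written out as an added example (it is not part of the thread and not Postfix's own tooling): stage the new pair next to the live files, rename them into place so an smtpd(8) that happens to start mid-rotation reads either the complete old pair or the complete new pair, and only call `postfix reload` when the old certificate would not survive until the running smtpd(8) processes recycle on their own. The file paths, the 0600/0644 modes and the one-day urgency window are assumptions; take the real paths from `postconf smtpd_tls_cert_file smtpd_tls_key_file`.

```shell
#!/bin/sh
# Added example, not from the original posts. Paths, modes and the urgency
# window are assumptions for illustration.

# install_file SRC DEST MODE
# Copy SRC into DEST's own directory under a temporary name, set MODE, then
# rename it over DEST. rename(2) is atomic on one filesystem, which is why the
# temporary file is created beside DEST rather than in /tmp: a new smtpd(8)
# never opens a half-written certificate or key.
install_file() {
    src=$1 dest=$2 mode=$3
    dir=$(dirname "$dest")
    tmp=$(mktemp "$dir/.$(basename "$dest").XXXXXX") || return 1
    if ! cp "$src" "$tmp"; then rm -f "$tmp"; return 1; fi
    chmod "$mode" "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dest"
}

# install_pair NEWCERT NEWKEY LIVECERT LIVEKEY
# The key goes in first with mode 0600 so the private material is never
# readable by other users even briefly; the certificate is public (0644).
install_pair() {
    install_file "$2" "$4" 0600 && install_file "$1" "$3" 0644
}

# key_matches_cert CERT KEY -> exit 0 when both carry the same public key.
# Run before installing: a mismatched pair breaks TLS in every *new* smtpd(8),
# which is worse than serving the old certificate a little longer.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_expires_within CERT SECONDS -> exit 0 when CERT expires within SECONDS.
# openssl's -checkend exits 0 only if the cert is still valid after SECONDS;
# an unreadable cert therefore also counts as "expiring", which errs toward
# reloading rather than toward serving a dead certificate.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# rotate NEWCERT NEWKEY LIVECERT LIVEKEY [WINDOW_SECONDS]
# Verify the new pair, install it, then decide between waiting for process
# turnover ($max_use connections or $max_idle seconds per smtpd) and a
# graceful "postfix reload". The 86400 s window is an assumed policy value,
# not a Postfix default. Never "postfix stop"/"start" for this.
rotate() {
    window=${5:-86400}
    key_matches_cert "$1" "$2" || { echo "new key does not match new cert" >&2; return 1; }
    if cert_expires_within "$3" "$window"; then urgent=1; else urgent=0; fi
    install_pair "$1" "$2" "$3" "$4" || return 1
    if [ "$urgent" = 1 ]; then
        # Existing connections finish; new smtpd(8) processes read the new pair.
        postfix reload
    else
        echo "installed; smtpd(8) processes pick up the new pair as they exit"
    fi
}

# Usage (assumed paths):
#   rotate /root/new.pem /root/new.key /etc/postfix/smtpd.pem /etc/postfix/smtpd.key
```

The same staging-and-rename step applies to Dovecot, but Dovecot's workers do not recycle the way smtpd(8) does, so there the reload after installing is not optional.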
Re: Certificate Replacement

By Doug Hardie at 04/12/2018 - 20:01

That is even better. Thanks for the correction. Since the replacement is not time critical, the old certificates will have a few days' validity remaining. One of those limits will certainly be reached by then.

-- Doug

Re: Certificate Replacement

By Doug Hardie at 04/12/2018 - 19:31

Thanks. I suspect then the best approach is to stop the service, replace the certificates, and then start the service again. That is what I am having to do for dovecot anyway.

-- Doug