On Friday 08 of September 2017, Ralph Seichter wrote:
> On 08.09.2017 16:20, LuKreme wrote:
> > However, it seems like checking the certs is something that dovecot
> > should be doing on its own.
>
> What is Dovecot supposed to do? Keep track of the certificate expiry
> date?

That was already discussed but due to another reason. dovecot shouldn't load SSL certificates into memory and instead open & load cert on demand (when client connects and requests particular domain via SNI (or default if no SNI)).

Why? Because dovecot *cannot* handle thousands of virtual domains and SSL certificates for these. It wastes so much RAM and times out on reloads in such a case. Tested here. [1]

That's why the only sensible solution is to work like exim - load cert from disk on demand. That fixes both problems - RAM wasting/timeouts and refreshing certificates.

> -Ralph

1. https://dovecot.org/list/dovecot/2016-October/105855.html

-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
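
The on-demand, SNI-driven loading described in the message above, sketched in Python as an added example; it is not code from Dovecot, exim or the original poster. The directory layout, the `OnDemandCerts` class and its method names are assumptions made for illustration; the certificate is read when a name is first requested, re-read when the file's mtime changes, and kept in a bounded cache.

```python
import os
import re
import ssl
from collections import OrderedDict

# Assumed layout (hypothetical): <cert_dir>/<domain>/fullchain.pem + privkey.pem
HOSTNAME = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*")


def load_context(cert_path, key_path):
    """Read one certificate chain and key from disk into a fresh context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_path, key_path)
    return ctx


class OnDemandCerts:
    def __init__(self, cert_dir, default="default", max_cached=64, loader=load_context):
        self.cert_dir, self.default = cert_dir, default
        self.max_cached, self.loader = max_cached, loader
        self._cache = OrderedDict()  # cert path -> (mtime_ns, context), LRU order

    def paths_for(self, server_name):
        # SNI is client-controlled: only a plain hostname may become a path component.
        name = (server_name or "").lower().rstrip(".")
        if not HOSTNAME.fullmatch(name):
            name = self.default
        base = os.path.join(self.cert_dir, name)
        if not os.path.isfile(os.path.join(base, "fullchain.pem")):
            base = os.path.join(self.cert_dir, self.default)  # unknown domain
        return os.path.join(base, "fullchain.pem"), os.path.join(base, "privkey.pem")

    def context_for(self, server_name):
        cert, key = self.paths_for(server_name)
        mtime = os.stat(cert).st_mtime_ns
        hit = self._cache.get(cert)
        if hit is None or hit[0] != mtime:  # first use, or file renewed on disk
            hit = (mtime, self.loader(cert, key))
            self._cache[cert] = hit
        self._cache.move_to_end(cert)
        while len(self._cache) > self.max_cached:  # bound memory use
            self._cache.popitem(last=False)
        return hit[1]

    def sni_callback(self, ssl_sock, server_name, _initial_ctx):
        # Wire up with: listener_ctx.sni_callback = store.sni_callback
        ssl_sock.context = self.context_for(server_name)
```
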