Hello everybody,

I use `smtpd_tls_chain_files` to set the X.509 certificate (and key) for 
Postfix. Do I have to reload Postfix, e.g. via `systemctl reload 
postfix.service`, after the certificate (and key) file has been renewed? The 
following sentence in 
https://www.postfix.org/postconf.5.html#smtpd_tls_chain_files suggests that 
this is not necessary:

> Storing the private key in the same file as the corresponding certificate
> is more reliable.
> With the key and certificate in separate files, there is a chance that
> during key rollover a Postfix process might load a private key and
> certificate from separate files that don't match. 

This sounds to me as if Postfix would pick up the new certificate at some point 
eventually even without reloading. Maybe not immediately, but that would not be 
necessary as certificates are renewed weeks before the previous certificate 
expires. Also note that the file which is configured in 
`smtpd_tls_chain_files` is only a symbolic link, e.g.

# ls -lha /etc/letsencrypt/live/my-host.my-domain.tld:smtps/fullchain.pem
lrwxrwxrwx 1 root root 51 11. Mar 21:44 
/etc/letsencrypt/live/my-host.my-domain.tld:smtps/fullchain.pem -> 
../../archive/my-host.my-domain.tld:smtps/fullchain3.pem

I am just pointing that out in case the answer depends on that.

Bests, Matthias
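A check that is not part of the original thread: a small POSIX shell helper (added here, not Postfix's own tooling) that compares the fingerprint of the certificate the running server actually presents with the file on disk, and verifies that a key and certificate belong together, so that after a renewal you can tell whether a reload is still needed. It assumes `openssl` is installed; the host and port arguments are placeholders you supply.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Postfix project.
# Assumption: openssl is available; host/port/file arguments are placeholders.
set -eu

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
# For a fullchain.pem this is the server certificate, not the intermediate.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the certificate the live server presents.
# Uses implicit TLS (smtps, port 465); add -starttls smtp for port 25/587.
served_fp() {
    host=$1; port=$2
    openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Returns 0 when the private key in $2 belongs to the certificate in $1.
# Both arguments may be the same combined key+cert file (the layout the
# Postfix documentation recommends for smtpd_tls_chain_files).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Returns 0 when the served certificate equals the on-disk file,
# non-zero when Postfix is still serving the old one (reload needed).
cert_in_sync() {
    [ "$(cert_fp "$1")" = "$(served_fp "$2" "$3")" ]
}
```

Run `cert_in_sync /etc/letsencrypt/live/<name>/fullchain.pem mail.example.org 465` from a renewal hook to confirm the new chain is live.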


_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org