> On Sep 11, 2017, at 4:59 AM, Gary <li...@lazygranch.com> wrote:
> 
> As you know, letsencrypt certs can be automatically updated. However, you 
> need to reload/restart Postfix/Dovecot to use the new cert.

This is false for Postfix.  The Postfix SMTP server processes
(smtpd(8) and tlsproxy(8)) that use the server certificate
are short-lived (lifetime depends on the max_use and max_idle
parameters).  As new processes are spawned they use the
new certificate.

A reload is only needed if you've messed up and are replacing your
submission service certificate in a hurry after it has expired
and you're already having problems.  Otherwise, you can replace
your certificate a week or so in advance, and no restarts are
needed for Postfix.

> Letsencrypt suggests running acme on a daily basis, so just do the same for 
> Postfix and Dovecot.

If you are also publishing TLSA records, see:

    http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444
    https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766
    https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
   http://tools.ietf.org/html/rfc7671#section-8.1
   http://tools.ietf.org/html/rfc7671#section-8.4

-- 
        Viktor.
