> On Apr 12, 2018, at 7:29 PM, Ian R. Bennett <i...@maleficarum.org> wrote:
>
>> I am needing to replace the certificate and key. Are they read and
>> cached when postfix starts, or are they read during normal mail
>> handling? In other words, can I replace the files or do I need to do
>> a reload or restart of the service afterwards?
>
> You'll need to restart postfix.

That's false. Each smtpd(8) process handles a limited number of connections ($max_use, default 100) and exits. It also exits when idle for sufficiently long ($max_idle, default 100s).

Since each smtpd(8) process reads the certificates for itself, unless the cert/key rotation is extremely urgent (the current cert is expired and causes problems, i.e. key rotation is already too late) there is no need for a restart.

And even when the key rotation is urgent, "postfix reload" is sufficient; you don't need to restart. This allows existing connections to finish gracefully.

--
Viktor.
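
One way to act on the reply above after replacing the files, as an added example that is not part of the original thread: compare the certificate a live smtpd(8) presents over STARTTLS with the one on disk, then either wait for process recycling or run "postfix reload". The function names, the `--run` argument, the `localhost:25` default and the assumption that the certificate is configured through `smtpd_tls_cert_file` are illustrative choices, not anything stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Compares the certificate smtpd is
# serving with the one on disk and picks an action per the reply above.
# Assumptions: host/port defaults, the "urgent" flag, and all function names.

# SHA-256 fingerprint of the certificate file Postfix is configured to use.
disk_fingerprint() {
    cert_file=$(postconf -h smtpd_tls_cert_file) || return 1
    openssl x509 -in "$cert_file" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the certificate a live smtpd presents via STARTTLS.
served_fingerprint() {
    openssl s_client -starttls smtp -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Decide what to do: $1 = served fingerprint, $2 = on-disk fingerprint,
# $3 = "yes" when the old certificate is already causing problems.
rotation_action() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "error"            # could not read one of the certificates
    elif [ "$1" = "$2" ]; then
        echo "none"             # new certificate is already being served
    elif [ "${3:-no}" = "yes" ]; then
        echo "reload"           # urgent: graceful "postfix reload", no restart
    else
        echo "wait"             # smtpd processes recycle via max_use/max_idle
    fi
}

main() {
    host=${1:-localhost}; port=${2:-25}; urgent=${3:-no}
    action=$(rotation_action "$(served_fingerprint "$host" "$port")" \
                             "$(disk_fingerprint)" "$urgent")
    case $action in
        reload) postfix reload ;;
        wait)   echo "old cert still served; smtpd exits after" \
                     "max_use=$(postconf -h max_use) connections or" \
                     "max_idle=$(postconf -h max_idle) idle" ;;
        none)   echo "new certificate is live" ;;
        *)      echo "could not compare certificates" >&2; return 1 ;;
    esac
}

# Run only when invoked as: sh check_cert.sh --run [host] [port] [urgent]
if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

A single probe reaches only one smtpd(8) process, so a "none" result shows that at least one process has picked up the new certificate, not that every process has.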