> On 12 April 2018, at 16:35, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
>> On Apr 12, 2018, at 7:29 PM, Ian R. Bennett <i...@maleficarum.org> wrote:
>>
>>> I am needing to replace the certificate and key. Are they read and
>>> cached when postfix starts, or are they read during normal mail
>>> handling? In other words, can I replace the files or do I need to do
>>> a reload or restart of the service afterwards?
>>
>> You'll need to restart postfix.
>
> That's false. Each smtpd(8) process handles a limited number of
> connections ($max_use, default 100) and exits. It also exits when
> idle for sufficiently long ($max_idle, default 100s).
>
> Since each smtpd(8) process reads the certificates for itself, unless
> the cert/key rotation is extremely urgent (the current cert is
> expired and causes problems, i.e. key rotation is already too
> late) there is no need for a restart.
>
> And even when the key rotation is urgent "postfix reload" is sufficient,
> you don't need to restart. This allows existing connections to finish
> gracefully.

That is even better. Thanks for the correction.

Since the replacement is not time critical, the old certificates will have a few days validity remaining. One of those limits will certainly be reached by then.

-- Doug
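
A check for the behaviour described in this thread, added here as an example and not part of any poster's message: it compares the SHA-256 fingerprint of the certificate file on disk with what the server presents on STARTTLS, probing several times because each connection may land on a different smtpd(8) process. The function names, the probe count and the sample certificate are assumptions made for the example; the file path is whatever `smtpd_tls_cert_file` points at.

```python
import base64, hashlib, re, smtplib, ssl, sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed sample input: placeholder bytes, not a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

def pem_fingerprint(pem_text):
    """SHA-256 of the first certificate block in a PEM file
    (in a chain file the server certificate precedes the CA certificates)."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no certificate block found")
    return hashlib.sha256(base64.b64decode(m.group(1))).hexdigest()

def served_fingerprint(host, port=25, timeout=10):
    """SHA-256 of the certificate one smtpd(8) process presents on STARTTLS."""
    ctx = ssl.create_default_context()
    # Chain validation is off on purpose: the certificate is only
    # compared byte-for-byte with the file on disk.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        der = smtp.sock.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()

def rotation_status(disk_fp, served_fps):
    """Classify a set of probes against the on-disk fingerprint."""
    new = sum(1 for fp in served_fps if fp == disk_fp)
    if served_fps and new == len(served_fps):
        return "complete"   # every probed process serves the new cert
    return "partial" if new else "pending"

if __name__ == "__main__":
    if len(sys.argv) == 3:          # usage: script CERT_FILE HOST
        with open(sys.argv[1]) as fh:
            disk = pem_fingerprint(fh.read())
        probes = [served_fingerprint(sys.argv[2]) for _ in range(5)]
    else:                           # offline demo on the constructed sample
        disk = pem_fingerprint(SAMPLE_PEM)
        probes = [disk, "0" * 64]
    print(rotation_status(disk, probes))
```

A result of "partial" or "pending" shortly after replacing the files is what the thread predicts while older processes are still running; if it persists and the rotation is urgent, `postfix reload` is the remedy named above.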