On Thu, 11 Oct 2018 at 09:08, Ignacio Garcia <y...@ignasi.com> wrote:
> Hi there. We just started using let's encrypt certs in our mail servers.
> Since renewal of the certs is done automatically, will postfix cope well
> with that or will we have to restart it after the renewal takes place?

Viktor answered this one here a little while ago:

> Each smtpd(8) process handles a limited number of connections ($max_use, default 100) and exits. It also exits when idle for sufficiently long ($max_idle, default 100s).
>
> Since each smtpd(8) process reads the certificates for itself, unless the cert/key rotation is extremely urgent (the current cert is expired and causes problems, i.e. key rotation is already too late) there is no need for a restart.
>
> And even when the key rotation is urgent "postfix reload" is sufficient, you don't need to restart. This allows existing connections to finish gracefully.

But I don't know whether the same is true for dovecot (whether for sasl or imap) - I restart dovecot after cert renewal just in case.
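
A renewal hook that applies the advice in this thread, added here as an example and not code from either poster or from the Postfix or Dovecot projects. It assumes a certbot-style ACME client that exports `RENEWED_LINEAGE` to its deploy hook, systemd managing Dovecot, a hypothetical `DOVECOT_CERT` variable, and the placeholder path shown.

```shell
#!/bin/sh
# Added example (not from the thread): certificate renewal hook.
# Assumes a certbot-style client that sets RENEWED_LINEAGE to the directory
# of the renewed certificate; DOVECOT_CERT is a hypothetical variable.

# Succeeds when the certificate file $2 lives inside lineage directory $1.
lineage_has() {
    case "$2" in
        "${1%/}"/*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Prints one action per affected service; does not execute anything.
plan_actions() {   # $1 = lineage dir, $2 = Postfix cert, $3 = Dovecot cert
    # smtpd(8) processes pick up new files as they are recycled; a reload
    # only speeds that up, and lets existing connections finish.
    if lineage_has "$1" "$2"; then echo "postfix-reload"; fi
    # The thread leaves Dovecot's behaviour open, so it is restarted.
    if lineage_has "$1" "$3"; then echo "dovecot-restart"; fi
}

# Reads planned actions on stdin and runs the matching command.
run_actions() {
    while read -r action; do
        case "$action" in
            postfix-reload)  postfix reload ;;
            dovecot-restart) systemctl restart dovecot ;;
        esac
    done
}

# Only act when invoked as a renewal hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    postfix_cert=$(postconf -h smtpd_tls_cert_file)
    # Placeholder default path (assumption); set DOVECOT_CERT to the real one.
    dovecot_cert=${DOVECOT_CERT:-/etc/letsencrypt/live/mail.example.org/fullchain.pem}
    plan_actions "$RENEWED_LINEAGE" "$postfix_cert" "$dovecot_cert" | run_actions
fi
```

Services whose certificate is not under the renewed lineage are left alone, so a renewal for an unrelated hostname does not bounce the mail stack.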