> On 31 Mar 2022, at 10:48 am, Nikolai Lusan <niko...@lusan.id.au> wrote:
>
> The process I use to update my certificates uses rsync to overwrite the
> old certs/keys with the new ones. My thought process initially was that
> restarting postfix would have it pick up the new files - eventually by
> inspecting the relevant hash files I found copies of old certs in them
> ... hence rebuilding the hash files on update.

Restarting (as opposed to "postfix reload") is only necessary when:

  * Upgrading to a new version of Postfix in which internal protocols changed.
  * Changes in inet_interfaces that require master(8) to listen on a different set of IP addresses for various "inet" services.

Otherwise, you don't need to "restart" Postfix, and a "reload" is less disruptive.

For non-emergency certificate updates, you might even just let max_use and max_idle take care of eventually (soon enough) replacing all running smtpd processes, and avoid the "reload" entirely. Assuming there's nothing wrong with the old certificate in the short term.

--
Viktor.