On Sun, Jul 23, 2023 at 08:18:21PM +0200, lejeczek via Postfix-users wrote:
> > You need to rebuild it periodically. Once a week should be enough,
> > ACME certificates are typically good for 90 days and get replaced
> > every 60, so when the new one is minted the old one is still good
> > for 30 days. But if you're really concerned, you can rebuild the
> > table daily.
> >
> it is possible with 'postfix' to have a lookup table which
> would work as a mere pointer/map, in this case to certs/keys?

No, that would break with chroot jails, and require the cert/key files
to be readable by the unprivileged "postfix" ($mail_owner) user, rather
than just root, weakening the security of the long-term keys.

Just a cron job once a week or once a day to rebuild the table:

    postmap -F hash:/etc/postfix/...

Run it at an hour that is spaced away from when the ACME client runs to
update certificates, so that you avoid potential issues with atomicity
of key/cert updates.

-- 
    Viktor.
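
An added example, not part of the message above and not Postfix project code: a wrapper a cron job could call so that `postmap -F` runs only when every key/cert file named in the table is readable and has not been modified recently, which guards against rebuilding in the middle of an ACME update. The function names, the 30-minute quiet window and the table path passed as an argument are assumptions; the table is assumed to list a hostname followed by its key and certificate-chain files.

```shell
#!/bin/sh
# Added example (not from the original message): rebuild the SNI table only
# when the PEM files it names are readable and have not changed recently.
# Assumed table format: "hostname keyfile certfile ..." per logical line.

# Print every PEM path named in table $1.
sni_files() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        {
            # A line starting with whitespace continues the previous entry,
            # so all of its fields are file paths; otherwise field 1 is the
            # hostname and the files start at field 2.
            first = ($0 ~ /^[ \t]/) ? 1 : 2
            for (i = first; i <= NF; i++) print $i
        }' "$1"
}

# Succeed only if each file is readable and older than $2 minutes (default 30).
sni_files_stable() {
    table=$1 quiet=${2:-30} rc=0
    for f in $(sni_files "$table"); do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2; rc=1
        elif [ -n "$(find "$f" -mmin "-$quiet")" ]; then
            echo "modified within $quiet minutes: $f" >&2; rc=1
        fi
    done
    return $rc
}

# Rebuild the indexed table; a non-zero exit leaves the previous table in place.
rebuild_sni_table() {
    sni_files_stable "$1" "${2:-30}" || return 1
    postmap -F "hash:$1"
}

# Run from cron as root, e.g.: this-script /path/to/sni-table 30
if [ $# -gt 0 ]; then
    rebuild_sni_table "$@"
fi
```

When the check fails the script exits non-zero without touching the existing indexed table, so the previously built certificates keep being served until the next scheduled run.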