> On Jul 23, 2023, at 2:29 PM, Viktor Dukhovni via Postfix-users 
> <postfix-users@postfix.org> wrote:
> 
> On Sun, Jul 23, 2023 at 08:18:21PM +0200, lejeczek via Postfix-users wrote:
> 
>>> You need to rebuild it periodically.  Once a week should be enough,
>>> ACME certificates are typically good for 90 days and get replaced
>>> every 60, so when the new one is minted the old one is still good
>>> for 30 days.  But if you're really concerned, you can rebuild the
>>> table daily.
>>> 
>> Is it possible with 'postfix' to have a lookup table which 
>> would work as a mere pointer/map, in this case to certs/keys?
> 
> No, that would break with chroot jails, and require the cert/key files
> to be readable by the unprivileged "postfix" ($mail_owner) user, rather
> than just root, weakening the security of the long-term keys.
> 
> Just a cron job once a week or once a day to rebuild the table:
> 
>    postmap -F hash:/etc/postfix/...
> 
> Run it at an hour that is spaced away from when the ACME client runs to
> update certificates, so that you avoid potential issues with atomicity
> of key/cert updates.

In the case of the dehydrated ACME client (
https://github.com/dehydrated-io/dehydrated) there's an option to run a bunch 
of commands on successful update, including something like "postfix reload" - 
one could also insert an email or other command to note the update. I can't 
imagine other ACME clients don't offer a similar function...

Charles

> 
> -- 
>    Viktor.
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org

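The cron rebuild Viktor describes and the dehydrated deploy hook Charles mentions, combined into one script as an added example (not code from the thread, Postfix or dehydrated). It assumes a tls_server_sni_maps style source at /etc/postfix/sni_map with lines of the form `<sni-name> <privkey.pem> <fullchain.pem>`, and it refuses to run `postmap -F` while any key/cert pair is inconsistent, which is the mid-renewal window the atomicity warning is about.

```bash
#!/bin/bash
# Added example: rebuild the Postfix SNI table compiled by "postmap -F",
# but only after checking that every key/cert pair agrees, so a half-finished
# ACME renewal (new key, old cert) never reaches the table.
# Assumed (constructed) source format, one entry per line:
#   <sni-name> <privkey.pem> <fullchain.pem>
MAP_SRC="${MAP_SRC:-/etc/postfix/sni_map}"   # assumed path, not from the thread

# Exit 0 only if each entry names readable files whose public keys agree.
check_sni_source() {
    local src="$1" rc=0 name keyf certf rest kpub cpub
    while read -r name keyf certf rest; do
        case "$name" in ''|'#'*) continue ;; esac
        if [ ! -r "$keyf" ] || [ ! -r "$certf" ]; then
            echo "$name: key or cert file not readable" >&2; rc=1; continue
        fi
        # Compare the SubjectPublicKeyInfo of key and cert (skipped without openssl).
        if command -v openssl >/dev/null 2>&1; then
            kpub=$(openssl pkey -in "$keyf" -pubout 2>/dev/null)
            cpub=$(openssl x509 -in "$certf" -noout -pubkey 2>/dev/null)
            if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
                echo "$name: private key does not match certificate" >&2; rc=1
            fi
        fi
    done < "$src"
    return "$rc"
}

# Cron entry point: compile the table and tell Postfix to pick it up.
rebuild_sni_map() {
    check_sni_source "$1" || return 1
    postmap -F "hash:$1" && postfix reload
}

# dehydrated hook: runs once per renewed certificate, so the table is
# rebuilt right away instead of waiting for the weekly cron run.
deploy_cert() {
    local DOMAIN="$1" KEYFILE="$2" CERTFILE="$3" FULLCHAINFILE="$4" CHAINFILE="$5" TIMESTAMP="$6"
    rebuild_sni_map "$MAP_SRC"
}

case "${1:-}" in
    rebuild)     rebuild_sni_map "$MAP_SRC" ;;
    deploy_cert) shift; deploy_cert "$@" ;;
esac
```

From cron, call the script with `rebuild`; as a dehydrated hook, point HOOK at it and dehydrated will invoke it with `deploy_cert` and the file arguments.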
