On Wed, 13 Sep 2017, Luigi Rosa wrote:
> Robert Wolf wrote on 13/09/2017 10:26:
>
> > are you sure? What is the refresh time? Instantly or with some delay? Have
> > you tested what happens if I install new key, but I delay installing correct
> > certificate? Does postfix keep the old key+cert
Robert Wolf wrote on 13/09/2017 10:26:
are you sure? What is the refresh time? Instantly or with some delay? Have you
tested what happens if I install new key, but I delay installing correct
certificate? Does postfix keep the old key+cert or stop using any cert because
the new key is not correct
On Tue, 12 Sep 2017, Daniel Miller wrote:
> And remove that "postfix reload" command - Postfix doesn't require explicit
> reloading. It'll pick up the changed cert automagically.
>
> Daniel
Hoi Daniel,
are you sure? What is the refresh time? Instantly or with some delay? Have you
tested what h
On 13/09/2017 05:31, Joseph Tam wrote:
On Tue, 12 Sep 2017, dovecot-request wrote:
What's wrong with using a certbot "post-hook" script such as:
#!/bin/bash
echo "Letsencrypt renewal hook running..."
echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"
if grep --qu
On Tue, 12 Sep 2017, dovecot-requ...@dovecot.org wrote:
What's wrong with using a certbot "post-hook" script such as:
#!/bin/bash
echo "Letsencrypt renewal hook running..."
echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"
if grep --quiet "your.email.domain" <<< "
And remove that "postfix reload" command - Postfix doesn't require
explicit reloading. It'll pick up the changed cert automagically.
Daniel
On 9/12/2017 9:26 AM, Daniel Miller wrote:
What's wrong with using a certbot "post-hook" script such as:
#!/bin/bash
echo "Letsencrypt renewal hook runnin
What's wrong with using a certbot "post-hook" script such as:
#!/bin/bash
echo "Letsencrypt renewal hook running..."
echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"
if grep --quiet "your.email.domain" <<< "$RENEWED_DOMAINS"; then
/usr/local/sbin/dovecot reload
writes:
"writing a script to check the certs" - there is no need to write any
scripts. As one mentioned, it's done by a hook to certbot. Please read
the manuals for LE or certbot. The issue you have is quite common and
of course certbot is designed to do it for you.
Won't work, of course, if you
On Friday 08 of September 2017, Ralph Seichter wrote:
> On 08.09.2017 16:20, LuKreme wrote:
> > However, it seems like checking the certs is something that dovecot
> > should be doing on its own.
>
> What is Dovecot supposed to do? Keep track of the certificate expiry
> date?
That was already d
Oh, also I removed the '2>1> /dev/null' from the acme.sh crontab entry so that
it will always send an email; and entered this in sieve:
# --- let's encrypt ---
if header :contains "subject" "acme.sh" {
if body :regex "Error[[:space:]]+renew" {
# redirect :copy "b...@example.com";
If you're using acme.sh:
acme.sh --installcert -d imap.example.com \
--keypath /etc/pki/dovecot/private/imap.example.com.pem \
--certpath /etc/pki/dovecot/certs/imap.example.com.crt \
--fullchainpath /etc/pki/dovecot/certs/imap.example.com.full.chain.crt \
--reloadcmd "systemctl
"writing a script to check the certs" - there is no need to write any
scripts. As one mentioned, it's done by a hook to certbot. Please read
the manuals for LE or certbot. The issue you have is quite common and
of course certbot is designed to do it for you.
The manual: https://certbot.eff.org/docs/us
On 08 Sep 2017, at 12:21, Ralph Seichter wrote:
> On 08.09.2017 19:51, @lbutlr wrote:
>> How I would do it is IF the certificate is expired, the dovecot should
>> check if there is a new cert and if so, load it.
> New cert as in file modification date or checksum changed?
Either one, but checksu
On 08.09.2017 19:51, @lbutlr wrote:
> How I would do it is IF the certificate is expired, the dovecot should
> check if there is a new cert and if so, load it.
New cert as in file modification date or checksum changed? Might work.
Still, from what I seem to remember, Dovecot loads certificate dat
On 08 Sep 2017, at 10:08, Ralph Seichter wrote:
> What is Dovecot supposed to do? Keep track of the certificate expiry
> date? And if that is passed, then what? Automatically shutdown/restart?
> What if the certificate has not been updated in between? I think that
> handling certificates is better
On 08 Sep 2017, at 09:28, Вадим Бажов wrote:
> "I think it’s probably easier to just kick dovecot once a month." -
> that's not good from system administration's point of view. You can
> get into trouble when certificate is renewed but dovecot isn't
> reloaded yet.
That's simply not possible. The
On 08.09.2017 16:20, LuKreme wrote:
> That is a great solution, but I think it’s probably easier to just
> kick dovecot once a month.
Certbot hooks are very easy to write, and are only executed when the
certificate is updated. In that light, I can see no advantage in "kick
dovecot once a month".
"I think it’s probably easier to just kick dovecot once a month." -
that's not good from system administration's point of view. You can
get into trouble when certificate is renewed but dovecot isn't
reloaded yet. And, doing something via cron just by-guess, once a
month - is a no no logic.
"it seem
On Sep 8, 2017, at 07:56, Darac Marjal wrote:
> #!/bin/bash
>
> set -e
> set -u
> set -o pipefail
>
> if [[ ${1} == "deploy_cert" && ${2} == "mail.darac.org.uk" ]]; then
>   echo " + Hook: Restarting Dovecot..."
>   /usr/sbin/service dovecot restart
> fi
>
>
On Fri, Sep 08, 2017 at 06:47:25AM -0600, @lbutlr wrote:
So this morning at 4am I was awoken to my mail clients getting certificate
errors for an expired certificate.
I hopped on to the server and checked and… no, the LE certs renewed last month
and are valid until November.
After some moment
On 08-09-2017 09:47, @lbutlr wrote:
> Should dovecot check for certs being refreshed? Or is this an artifact of my
> using symbolic links everywhere to point to the newest LE certs (which are
> themselves links the dehydrate script creates to point to the newest
> cert-1502534746.csr etc files?
Dovecot seems to load certificates into memory and doesn't refresh them
until restart, or maybe reload. And this is correct logic. You
better add restart/reload task to the LE cron job after the successful
renewal of LE certificate.
Check that it really works as it should.
Dovecot shouldn't be res