Certificate Replacement

Certificate Replacement

wa6vvv
I am needing to replace the certificate and key.  Are they read and cached when postfix starts, or are they read during normal mail handling?  In other words, can I replace the files or do I need to do a reload or restart of the service afterwards?

-- Doug

Re: Certificate Replacement

Ian R. Bennett
On 2018-04-12 16:25, Doug Hardie wrote:
> I am needing to replace the certificate and key.  Are they read and
> cached when postfix starts, or are they read during normal mail
> handling?  In other words, can I replace the files or do I need to do
> a reload or restart of the service afterwards?

You'll need to restart postfix.

/i.
Re: Certificate Replacement

wa6vvv

> On 12 April 2018, at 16:29, Ian R. Bennett <[hidden email]> wrote:
>
> On 2018-04-12 16:25, Doug Hardie wrote:
>> I am needing to replace the certificate and key.  Are they read and
>> cached when postfix starts, or are they read during normal mail
>> handling?  In other words, can I replace the files or do I need to do
>> a reload or restart of the service afterwards?
>
> You'll need to restart postfix.

Thanks.  I suspect then the best approach is to stop the service, replace the certificates, and then start the service again.  That is what I am having to do for dovecot anyway.

-- Doug

Re: Certificate Replacement

Viktor Dukhovni

> On Apr 12, 2018, at 7:29 PM, Ian R. Bennett <[hidden email]> wrote:
>
>> I am needing to replace the certificate and key.  Are they read and
>> cached when postfix starts, or are they read during normal mail
>> handling?  In other words, can I replace the files or do I need to do
>> a reload or restart of the service afterwards?
>
> You'll need to restart postfix.

That's false.  Each smtpd(8) process handles a limited number of
connections ($max_use, default 100) and exits.  It also exits when
idle for sufficiently long ($max_idle, default 100s).

Since each smtpd(8) process reads the certificates for itself, unless
the cert/key rotation is extremely urgent (the current cert is
expired and causes problems, i.e. key rotation is already too
late) there is no need for a restart.

And even when the key rotation is urgent, "postfix reload" is sufficient;
you don't need to restart.  This allows existing connections to finish
gracefully.

--
        Viktor.

Re: Certificate Replacement

wa6vvv

> On 12 April 2018, at 16:35, Viktor Dukhovni <[hidden email]> wrote:
>
>
>
>> On Apr 12, 2018, at 7:29 PM, Ian R. Bennett <[hidden email]> wrote:
>>
>>> I am needing to replace the certificate and key.  Are they read and
>>> cached when postfix starts, or are they read during normal mail
>>> handling?  In other words, can I replace the files or do I need to do
>>> a reload or restart of the service afterwards?
>>
>> You'll need to restart postfix.
>
> That's false.  Each smtpd(8) process handles a limited number of
> connections ($max_use, default 100) and exits.  It also exits when
> idle for sufficiently long ($max_idle, default 100s).
>
> Since each smtpd(8) process reads the certificates for itself, unless
> the cert/key rotation is extremely urgent (the current cert is
> expired and causes problems, i.e. key rotation is already too
> late) there is no need for a restart.
>
> And even when the key rotation is urgent, "postfix reload" is sufficient;
> you don't need to restart.  This allows existing connections to finish
> gracefully.

That is even better.  Thanks for the correction. Since the replacement is not time critical, the old certificates will have a few days validity remaining.  One of those limits will certainly be reached by then.

-- Doug

Re: Certificate Replacement

Ian R. Bennett
* Viktor Dukhovni (aka [hidden email]) used 1.0K on Thu, 12 Apr 2018 at 19:35 -0400 to say:

> >
> > You'll need to restart postfix.
>
> That's false.  Each smtpd(8) process handles a limited number of
> connections ($max_use, default 100) and exits.  It also exits when
> idle for sufficiently long ($max_idle, default 100s).
>
> Since each smtpd(8) process reads the certificates for itself, unless
> the cert/key rotation is extremely urgent (the current cert is
> expired and causes problems, i.e. key rotation is already too
> late) there is no need for a restart.
Well that's cool. Time to update my letsencrypt scripts then.

/i.

Re: Certificate Replacement

Philip Paeps
On 2018-04-12 16:25:21 (-0700), Doug Hardie wrote:
>I am needing to replace the certificate and key.  Are they read and
>cached when postfix starts, or are they read during normal mail
>handling?  In other words, can I replace the files or do I need to do a
>reload or restart of the service afterwards?

As pointed out, you don't need to restart (and usually don't even need
to reload) Postfix for the new keys and certificates to take effect.

However: do keep in mind that if you're using DANE and you're replacing
the keys, you need to allow enough time for the keys to roll over in the
DNS.

Unless you have a real need to change or replace the keys (e.g. compromise,
policy), it may be easier to simply reissue the certificate without
generating new keys.  In that case, you can use "3 1 1" TLSA records in
the DNS and you don't need to roll them when you're simply reissuing
your certificates.

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information
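The "3 1 1" point above (DANE-EE, SubjectPublicKeyInfo, SHA-256) is easy to check before touching the files: if the reissued certificate carries the same public key, the published TLSA record stays valid; if the key was rotated, a new record has to be in the DNS (and past its TTL) before the new key goes live. The following is an added example, not code from the thread or from Postfix. It walks just enough DER to pull the SubjectPublicKeyInfo out of a certificate, derives TLSA RDATA for the usual selectors and matching types (generalising beyond "3 1 1"), and compares an old and a new certificate. The certificates it builds are constructed stand-ins with the real X.509 field layout but dummy keys and signatures; in production you would feed it the DER of your actual certificates (for example the output of `openssl x509 -outform DER`).

```python
"""DANE TLSA records from DER certificates (added example, not from the thread).

Implements the small part of DER needed to locate the SubjectPublicKeyInfo
(SPKI) in an X.509 certificate, so that a "3 1 1" record (DANE-EE, SPKI,
SHA-256) can be derived and compared across a reissue or a key rotation.
The certificates built below are constructed stand-ins with the real field
layout but dummy keys and signatures; they are not valid certificates.
"""
import hashlib


def _der_tlv(b: bytes, i: int):
    """Parse the element at offset i; return (tag, start, content_start, end)."""
    tag = b[i]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in certificates")
    first = b[i + 1]
    if first < 0x80:
        length, content = first, i + 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length, content = int.from_bytes(b[i + 2:i + 2 + n], "big"), i + 2 + n
    end = content + length
    if end > len(b):
        raise ValueError("DER element runs past the buffer")
    return tag, i, content, end


def _children(b: bytes, content: int, end: int):
    """Yield the elements contained in a constructed element."""
    while content < end:
        elem = _der_tlv(b, content)
        yield elem
        content = elem[3]


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo (including its own tag and length)."""
    tag, _, c, e = _der_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs = next(_children(cert_der, c, e))          # tbsCertificate
    fields = list(_children(cert_der, tbs[2], tbs[3]))
    if fields and fields[0][0] == 0xA0:            # [0] EXPLICIT version, optional
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("no subjectPublicKeyInfo where expected")
    _, start, _, end = fields[5]
    return cert_der[start:end]


def tlsa_record(cert_der: bytes, usage: int = 3, selector: int = 1,
                mtype: int = 1) -> str:
    """TLSA RDATA (RFC 6698): usage, selector, matching type, association data."""
    if usage not in (0, 1, 2, 3):
        raise ValueError("usage must be 0..3")
    if selector == 0:
        data = cert_der                  # full certificate
    elif selector == 1:
        data = extract_spki(cert_der)    # SubjectPublicKeyInfo only
    else:
        raise ValueError("selector must be 0 or 1")
    digest = {0: lambda d: d.hex(),
              1: lambda d: hashlib.sha256(d).hexdigest(),
              2: lambda d: hashlib.sha512(d).hexdigest()}.get(mtype)
    if digest is None:
        raise ValueError("matching type must be 0, 1 or 2")
    return f"{usage} {selector} {mtype} {digest(data)}"


def spki_unchanged(old_cert: bytes, new_cert: bytes) -> bool:
    """True when a published '3 1 1' record stays valid for the new certificate."""
    return tlsa_record(old_cert) == tlsa_record(new_cert)


# --- constructed sample certificates (dummy key material, not valid X.509) ---
def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _seq(*parts: bytes) -> bytes:
    return _tlv(0x30, b"".join(parts))


def _fake_spki(point: bytes) -> bytes:
    # id-ecPublicKey / prime256v1 OIDs wrapping a made-up uncompressed point.
    alg = _seq(_tlv(0x06, bytes.fromhex("2a8648ce3d0201")),
               _tlv(0x06, bytes.fromhex("2a8648ce3d030107")))
    return _seq(alg, _tlv(0x03, b"\x00\x04" + point))


def build_sample_cert(serial: int, spki: bytes) -> bytes:
    sig_alg = _seq(_tlv(0x06, bytes.fromhex("2a8648ce3d040302")))  # ecdsa-with-SHA256
    tbs = _seq(_tlv(0xA0, _tlv(0x02, b"\x02")),                    # version v3
               _tlv(0x02, serial.to_bytes(2, "big")),
               sig_alg, _seq(),                                    # issuer (empty Name)
               _seq(_tlv(0x17, b"180412000000Z"), _tlv(0x17, b"190412000000Z")),
               _seq(),                                             # subject (empty Name)
               spki)
    return _seq(tbs, sig_alg, _tlv(0x03, b"\x00" + b"\x11" * 16))  # dummy signature


SPKI_A = _fake_spki(b"\x01" * 64)
SPKI_B = _fake_spki(b"\x02" * 64)
CERT_OLD = build_sample_cert(0x1001, SPKI_A)
CERT_REISSUED = build_sample_cert(0x1002, SPKI_A)   # same key pair, new serial
CERT_REKEYED = build_sample_cert(0x1003, SPKI_B)    # fresh key pair

if __name__ == "__main__":
    print("_25._tcp.mail.example.com. IN TLSA", tlsa_record(CERT_OLD))
    print("reissue keeps 3 1 1 valid:", spki_unchanged(CERT_OLD, CERT_REISSUED))
    print("rekey keeps 3 1 1 valid:  ", spki_unchanged(CERT_OLD, CERT_REKEYED))
```

Run against real DER files, `spki_unchanged(old, new)` returning False is the signal that the DNS side of the rollover has to happen first; `tlsa_record(cert, selector=0)` shows why a "3 0 1" record would break on every reissue even when the key is kept.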
Re: Certificate Replacement

Viktor Dukhovni


> On Apr 12, 2018, at 11:21 PM, Philip Paeps <[hidden email]> wrote:
>
> As pointed out, you don't need to restart (and usually don't even need to reload) Postfix for the new keys and certificates to take effect.
>
> However: do keep in mind that if you're using DANE and you're replacing the keys, you need to allow enough time for the keys to roll over in the DNS.
>
> Unless you have a real need to change or replace the keys (e.g. compromise, policy), it may be easier to simply reissue the certificate without generating new keys.  In that case, you can use "3 1 1" TLSA records in the DNS and you don't need to roll them when you're simply reissuing your certificates.

For mistakes to avoid and the latest best practice key rotation approaches for DANE see:

   https://dane.sys4.de/common_mistakes
   http://imrryr.org/~viktor/ICANN61-viktor.pdf
   http://imrryr.org/~viktor/icann61-viktor.mp3

The original timing considerations are described in:

   http://tools.ietf.org/html/rfc7671#section-8.1
   http://tools.ietf.org/html/rfc7671#section-8.4

but the ideas in the ICANN61 slides incorporate more recent insights.

--
        Viktor.