Renewal of Let's encrypt certs being used in postfix


Renewal of Let's encrypt certs being used in postfix

Ignacio Garcia
Hi there. We just started using let's encrypt certs in our mail servers. Since renewal of the certs is done automatically, will postfix cope well with that or will we have to restart it after the renewal takes place?

Thanks so much in advance for your help! 

Ignacio

Re: Renewal of Let's encrypt certs being used in postfix

Dominic Raferd
On Thu, 11 Oct 2018 at 09:08, Ignacio Garcia <[hidden email]> wrote:
> Hi there. We just started using let's encrypt certs in our mail servers. Since renewal of the certs is done automatically, will postfix cope well with that or will we have to restart it after the renewal takes place?

Viktor answered this one here a little while ago:
> Each smtpd(8) process handles a limited number of connections ($max_use, default 100) and exits.  It also exits when idle for sufficiently long ($max_idle, default 100s).
>
> Since each smtpd(8) process reads the certificates for itself, unless the cert/key rotation is extremely urgent (the current cert is expired and causes problems, i.e. key rotation is already too late) there is no need for a restart.
>
> And even when the key rotation is urgent "postfix reload" is sufficient, you don't need to restart.  This allows existing connections to finish gracefully.

But I don't know whether the same is true for dovecot (whether for sasl or imap) - I restart dovecot after cert renewal just in case.
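A certbot deploy hook that follows the advice quoted above (added example, not code from the thread, from Postfix or from certbot): a graceful "postfix reload" for Postfix, a Dovecot restart as a precaution, and a cert/key consistency check before touching either service. The MAIL_HOST value and the assumption that both daemons read their PEM files straight from the certbot lineage directory are mine.

```shell
#!/bin/sh
# Added example, not from the thread: a certbot deploy hook that applies the
# advice above. Postfix only needs a graceful "postfix reload" (smtpd(8)
# processes re-read the cert as they recycle anyway); Dovecot is restarted
# as a precaution. Assumed: certbot exports RENEWED_LINEAGE and
# RENEWED_DOMAINS, and Postfix/Dovecot point at $RENEWED_LINEAGE/*.pem.
MAIL_HOST="${MAIL_HOST:-mail.example.org}"   # assumed MX hostname

# Return 0 if the renewed lineage (whitespace-separated names) covers the mail host.
renewed_covers_mail_host() {
    for d in $1; do
        [ "$d" = "$MAIL_HOST" ] && return 0
    done
    return 1
}

# Refuse to reload onto a cert whose public key does not match the private key:
# a broken renewal must not take the MTA's TLS down.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1/fullchain.pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print the actions to take, one per line, so the hook can be dry-run and tested.
plan_actions() {
    domains="$1"; lineage="$2"
    renewed_covers_mail_host "$domains" || { echo "skip"; return 0; }
    cert_matches_key "$lineage" || { echo "abort: cert/key mismatch"; return 1; }
    echo "postfix reload"
    echo "systemctl restart dovecot"
}

# Only act when certbot actually invoked us with a renewed lineage.
if [ -n "$RENEWED_LINEAGE" ]; then
    plan_actions "$RENEWED_DOMAINS" "$RENEWED_LINEAGE" | while read -r action; do
        case "$action" in
            "postfix reload")            postfix reload ;;
            "systemctl restart dovecot") systemctl restart dovecot ;;
            abort*) logger -t deploy-hook "$action"; exit 1 ;;
            skip)   logger -t deploy-hook "lineage does not cover $MAIL_HOST" ;;
        esac
    done
fi
```

Install it as a certbot deploy hook so it runs only after a successful renewal; the "skip" branch keeps an unrelated web-certificate renewal from bouncing the mail daemons.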

Re: Renewal of Let's encrypt certs being used in postfix

Olivier Nicole-2
In reply to this post by Ignacio Garcia
Hello,

> We just started using let's encrypt certs in our mail servers. Since renewal of the certs is
> done automatically, will postfix cope well with that or will we have to restart it after the renewal
> takes place?

I do restart postfix. In fact, I do reboot the mail server as other
pieces of software are affected (imap).

A general reboot every 3 months is not that bad.

Best regards,

Olivier

Re: Renewal of Let's encrypt certs being used in postfix

Matus UHLAR - fantomas
>> We just started using let's encrypt certs in our mail servers. Since renewal of the certs is
>> done automatically, will postfix cope well with that or will we have to restart it after the renewal
>> takes place?

On 11.10.18 15:14, Olivier wrote:
>I do restart postfix. In fact, I do reboot the mail server as other
>pieces of software are affected (imap).

I only do reload for apache, proftpd, courier etc and only restart services
that can't handle reload. I don't restart unless really needed.

>A general reboot every 3 months is not that bad.

Only if a kernel is to be replaced. I don't see reason to reboot servers
periodically.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95

Re: Renewal of Let's encrypt certs being used in postfix

Ignacio Garcia
In reply to this post by Dominic Raferd
Sorry I could not read that message posted by Viktor. Probably I was not subscribed yet. Nevertheless, thanks for your answers.

On Thu, 11 Oct 2018 at 10:14, Dominic Raferd (<[hidden email]>) wrote:
> On Thu, 11 Oct 2018 at 09:08, Ignacio Garcia <[hidden email]> wrote:
> > Hi there. We just started using let's encrypt certs in our mail servers. Since renewal of the certs is done automatically, will postfix cope well with that or will we have to restart it after the renewal takes place?
>
> Viktor answered this one here a little while ago:
> > Each smtpd(8) process handles a limited number of connections ($max_use, default 100) and exits.  It also exits when idle for sufficiently long ($max_idle, default 100s).
> >
> > Since each smtpd(8) process reads the certificates for itself, unless the cert/key rotation is extremely urgent (the current cert is expired and causes problems, i.e. key rotation is already too late) there is no need for a restart.
> >
> > And even when the key rotation is urgent "postfix reload" is sufficient, you don't need to restart.  This allows existing connections to finish gracefully.
>
> But I don't know whether the same is true for dovecot (whether for sasl or imap) - I restart dovecot after cert renewal just in case.

Re: Renewal of Let's encrypt certs being used in postfix

Ralph Seichter
On 11.10.18 11:01, Ignacio Garcia wrote:

> Sorry I could not read that message posted by Viktor. Probably I was
> not subscribed yet.

The Postfix mailing list archives (http://www.postfix.org/lists.html)
are a treasure trove of information.

-Ralph

Re: Renewal of Let's encrypt certs being used in postfix

C. Petro
In reply to this post by Matus UHLAR - fantomas
> I don't see reason to reboot servers periodically.

I have 2 reasons, neither having anything to do with postfix:

1) If you are using a filesystem type that wants to be checked every 180+ days, you will want to do a controlled reboot when YOU want your server offline for a while, not when Thor, God of Storms and Lightning, or Loki, god of Chaos, decides. They have enough say anyway.
2) Some administrators see a big uptime and start to defer patches unless "really necessary" because they want to win uptime wars.

Both of these can be mitigated by a policy of "no more than 182 days uptime".

On Thu, Oct 11, 2018 at 2:23 AM Matus UHLAR - fantomas <[hidden email]> wrote:
> >> We just started using let's encrypt certs in our mail servers. Since renewal of the certs is
> >> done automatically, will postfix cope well with that or will we have to restart it after the renewal
> >> takes place?
>
> On 11.10.18 15:14, Olivier wrote:
> >I do restart postfix. In fact, I do reboot the mail server as other
> >pieces of software are affected (imap).
>
> I only do reload for apache, proftpd, courier etc and only restart services
> that can't handle reload. I don't restart unless really needed.
>
> >A general reboot every 3 months is not that bad.
>
> Only if a kernel is to be replaced. I don't see reason to reboot servers
> periodically.
> --
> Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95