On 2018-04-12 16:25:21 (-0700), Doug Hardie wrote:
I am needing to replace the certificate and key. Are they read and cached when postfix starts, or are they read during normal mail handling? In other words, can I replace the files or do I need to do a reload or restart of the service afterwards?

As pointed out, you don't need to restart (and usually don't even need to reload) Postfix for the new keys and certificates to take effect.

However: do keep in mind that if you're using DANE and you're replacing the keys, you need to allow enough time for the keys to roll over in the DNS.

Unless you have a real need to replace the keys (e.g. compromise, policy), it may be easier to simply reissue the certificate without generating new keys. In that case, you can use "3 1 1" TLSA records in the DNS and you don't need to roll them when you're simply reissuing your certificates.

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information
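The "3 1 1" point above can be checked before touching the live files. The following Go program is an added example, not code from the thread or from Postfix: it issues a certificate on one key, reissues it on the same key, and reissues it on a fresh key, then computes the TLSA RDATA (usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256, per RFC 6698) each would need. It also computes the selector-0 (full certificate) variant to show why that one does require a DNS rollover on every reissue. The host name `mx.example.net` and the self-signed issuance are constructed for the demo; a real deployment would hash the certificate the CA actually returned.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSARecord renders the RDATA of a TLSA record for cert as "usage selector 1 <hex>",
// always with matching type 1 (SHA-256), per RFC 6698.
// Selector 0 hashes the full DER certificate; selector 1 hashes the SubjectPublicKeyInfo.
func TLSARecord(cert *x509.Certificate, usage, selector uint8) (string, error) {
	var data []byte
	switch selector {
	case 0:
		data = cert.Raw
	case 1:
		data = cert.RawSubjectPublicKeyInfo
	default:
		return "", fmt.Errorf("unsupported TLSA selector %d", selector)
	}
	sum := sha256.Sum256(data)
	return fmt.Sprintf("%d %d 1 %s", usage, selector, hex.EncodeToString(sum[:])), nil
}

// selfSignedCert issues a self-signed certificate for host with the given key.
// A fresh serial and validity window make every call a distinct certificate,
// which stands in for a CA reissuing the certificate (constructed for the demo).
func selfSignedCert(host string, key *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{host},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RolloverOutcome records which TLSA records still match after each kind of change.
type RolloverOutcome struct {
	SPKIMatchesAfterReissue bool // "3 1 1" unchanged when only the certificate is reissued
	CertMatchesAfterReissue bool // "3 0 1" unchanged when only the certificate is reissued
	SPKIMatchesAfterRekey   bool // "3 1 1" unchanged when the key itself is replaced
}

// SimulateRollover issues an original certificate, a reissue on the same key, and a
// reissue on a new key, then compares the TLSA RDATA each would require in DNS.
func SimulateRollover() (RolloverOutcome, error) {
	const host = "mx.example.net" // constructed host name for the demo
	var out RolloverOutcome

	key1, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return out, err
	}
	key2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return out, err
	}
	orig, err := selfSignedCert(host, key1, 1)
	if err != nil {
		return out, err
	}
	reissued, err := selfSignedCert(host, key1, 2) // same key, new certificate
	if err != nil {
		return out, err
	}
	rekeyed, err := selfSignedCert(host, key2, 3) // new key, new certificate
	if err != nil {
		return out, err
	}

	rec := func(c *x509.Certificate, sel uint8) string {
		r, _ := TLSARecord(c, 3, sel) // selectors 0 and 1 are both supported above
		return r
	}
	out.SPKIMatchesAfterReissue = rec(orig, 1) == rec(reissued, 1)
	out.CertMatchesAfterReissue = rec(orig, 0) == rec(reissued, 0)
	out.SPKIMatchesAfterRekey = rec(orig, 1) == rec(rekeyed, 1)
	return out, nil
}

func main() {
	out, err := SimulateRollover()
	if err != nil {
		panic(err)
	}
	fmt.Printf("3 1 1 still valid after same-key reissue: %v\n", out.SPKIMatchesAfterReissue)
	fmt.Printf("3 0 1 still valid after same-key reissue: %v\n", out.CertMatchesAfterReissue)
	fmt.Printf("3 1 1 still valid after key replacement:  %v\n", out.SPKIMatchesAfterRekey)
}
```

Running it prints true, false, false: the SPKI-based record is the only one of the two that survives a same-key reissue, and neither survives a key change, which is why a new key needs the DNS rollover window the reply mentions before the files are swapped. The same `TLSARecord` computation, applied to the certificate you are about to install, gives the RDATA to compare against what the zone currently serves.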
