Re: Renewing certificates

2017-12-27 Thread Joseph Tam

Kenneth Porter writes:

> Thanks. Some digging indicates that this is equivalent to doveadm reload.
> Both paths ultimately send a SIGHUP to the server which initiates a full
> reload of the configuration.
>
> I'll be combining this with a restart of sendmail. Alas, I don't see a way
> to get it to reload its configuration.

Should be the same way: send a SIGHUP signal to the parent process.


http://etutorials.org/Server+Administration/Sendmail/Part+II+Administration/Chapter+14.+Signals+Transactions+and+Syslog/SIGHUP/

I'm not sure whether this will cause the sendmail worker processes to dump
their clients, but if it did, SMTP is fault tolerant enough that delivery
should be retried later.

Joseph Tam 


Re: Renewing certificates

2017-12-27 Thread Kenneth Porter
--On Wednesday, December 27, 2017 9:24 AM -0500 Bill Shirley wrote:

>  --reloadcmd "systemctl reload dovecot.service"
> Notice the --reloadcmd.


Thanks. Some digging indicates that this is equivalent to doveadm reload. 
Both paths ultimately send a SIGHUP to the server which initiates a full 
reload of the configuration.


I'll be combining this with a restart of sendmail. Alas, I don't see a way 
to get it to reload its configuration.





Re: Renewing certificates

2017-12-27 Thread Bill Shirley

I'm using acme.sh to get my Let's Encrypt certificates.  The install command is:
acme.sh --installcert -d imap.example.com \
    --keypath /etc/pki/dovecot/private/imap.example.com.pem \
    --certpath /etc/pki/dovecot/certs/imap.example.com.crt \
    --fullchainpath /etc/pki/dovecot/certs/imap.example.com.full.chain.crt \
    --reloadcmd "systemctl reload dovecot.service"
Notice the --reloadcmd.

Bill

On 12/26/2017 6:16 PM, Aki Tuomi wrote:

>> On December 26, 2017 at 11:42 PM Kenneth Porter wrote:
>>
>> I'm setting up certbot/letsencrypt to provide a certificate for dovecot and
>> sendmail. Is it necessary to restart dovecot to load the new certificate,
>> as shown in most examples I find in blogs? That seems rude to established
>> connections. When does dovecot read the cert and key files? Once at startup
>> or each time a connection requests SSL? Is there a preferred locking
>> protocol when changing the two files to keep dovecot from reading one while
>> the other is being replaced and getting a mismatched pair?
>
> doveadm reload should be enough.
>
> Aki




Re: Renewing certificates

2017-12-26 Thread Aki Tuomi

> On December 26, 2017 at 11:42 PM Kenneth Porter wrote:
> 
> 
> I'm setting up certbot/letsencrypt to provide a certificate for dovecot and 
> sendmail. Is it necessary to restart dovecot to load the new certificate, 
> as shown in most examples I find in blogs? That seems rude to established 
> connections. When does dovecot read the cert and key files? Once at startup 
> or each time a connection requests SSL? Is there a preferred locking 
> protocol when changing the two files to keep dovecot from reading one while 
> the other is being replaced and getting a mismatched pair?

doveadm reload should be enough.

Aki


Renewing certificates

2017-12-26 Thread Kenneth Porter
I'm setting up certbot/letsencrypt to provide a certificate for dovecot and 
sendmail. Is it necessary to restart dovecot to load the new certificate, 
as shown in most examples I find in blogs? That seems rude to established 
connections. When does dovecot read the cert and key files? Once at startup 
or each time a connection requests SSL? Is there a preferred locking 
protocol when changing the two files to keep dovecot from reading one while 
the other is being replaced and getting a mismatched pair?
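
An added example, not part of the original thread: one way to handle the mismatched-pair concern raised in the original question is to confirm that the renewed certificate and key carry the same public key, rename both into place, and only then issue the reload discussed in the replies. The function names, the `RELOAD_CMD` variable and the `.new` staging suffix are assumptions; the default reload command is the `doveadm reload` mentioned in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, RELOAD_CMD and the
# ".new" staging suffix are assumptions made for illustration.

# Succeed only if the certificate and the private key hold the same public
# key. A file that is missing or unparsable counts as a mismatch.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# install_pair NEW_CERT NEW_KEY DST_CERT DST_KEY
# Runs in a subshell so the umask change does not leak into the caller.
install_pair() (
    # 1. Refuse a mismatched pair before touching the live files.
    pair_matches "$1" "$2" || {
        echo "certificate and key do not match; keeping the old pair" >&2
        exit 1
    }
    # 2. Stage next to the destinations so each mv is a same-filesystem
    #    rename: a reader sees the old file or the new one, never a partial.
    umask 077                      # staged key is never world-readable
    cp "$2" "$4.new" && cp "$1" "$3.new" || exit 1
    chmod 644 "$3.new"             # the certificate itself is public
    mv -f "$4.new" "$4" && mv -f "$3.new" "$3" || exit 1
    # 3. Reload only after both files are in place. A reload triggered by
    #    something else between the two renames could still load a mixed
    #    pair; the reload issued here then loads the matching one.
    sh -c "${RELOAD_CMD:-doveadm reload}"
)
```

With a chain file as `NEW_CERT`, `openssl x509` reads the first certificate in the file, so the check is made against the leaf certificate.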