On 1/9/22 05:33, Rodolphe Bréard wrote: > You have to restart it. > > In fact, I don't know any server that watches those files in order to > reload them. As far as I know, most servers starts as root, loads the > private key and the certificate into memory, then switch to an > unprivileged user which cannot read those files. Such a workflow doesn't > allow the feature you are asking for unless your certificate and key > file are wildly accessible, which is so obviously insecure that some > servers (OpenSMTPD is one of them) will refuse to start.
OpenSMTPD could actually implement this feature, since the parent process runs as root and can access the secret key. It could then send the key to the correct child process via an imsg. An alternative would be for smtpctl to support sending the secret key and certificate via the control socket. -- Sincerely, Demi Marie Obenour (she/her/hers)
OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key
OpenPGP_signature
Description: OpenPGP digital signature