On 11 September 2017 at 17:22, Dominic Raferd <domi...@timedicer.co.uk>
wrote:

> On 11/09/2017 12:33, Christian Kivalo wrote:
>
>> On 2017-09-11 11:21, Dominic Raferd wrote:
>>
>>> Does anyone know a way to detect if the certificate currently being
>>> used by Postfix and/or Dovecot is nearing expiry (esp. in case they
>>> haven't picked up the updated letsencrypt certificate)?
>>>
>> ...
>>
>
> This example gives exit code 1 if the certificate has less than 3 days
> (259200 seconds) to expiry:
>
> echo|sudo openssl s_client -connect 127.0.0.1:587 -starttls smtp -servername my.domain.tld 2>/dev/null|openssl x509 -noout -checkend 259200
>

As postfix SMTP server does not support SNI I think there is no point
using -servername option above, so the above can be shortened to:

echo | sudo openssl s_client -connect 127.0.0.1:587 -starttls smtp 2>/dev/null | openssl x509 -noout -checkend 259200

If checking a remote server, substitute 127.0.0.1 with the remote address.

I'm still unclear whether the test is against the certificate data that is
held within postfix or that is held within the SASL application (dovecot or
cyrus).
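
Added example (not part of the thread, and not code from Postfix or Dovecot): a POSIX shell wrapper around the -checkend test above. It checks each listener separately, because s_client only sees the certificate presented by whichever daemon answers on the port it connects to, and it separates "no certificate retrieved" from "expiring", which the one-liner reports with the same exit code 1. The host:port:protocol values in the usage comment are assumptions for a typical Postfix and Dovecot host.

```shell
#!/bin/sh
# Added example: per-listener certificate expiry check built on -checkend.
THRESHOLD=${THRESHOLD:-259200}   # 3 days, the value used in the thread

# Read s_client output (or a PEM certificate) on stdin.
# Returns 0 = valid beyond $1 seconds, 1 = expires within $1 seconds,
# 2 = no certificate could be parsed (connection or STARTTLS failed).
cert_status() {
    pem=$(cat)
    # -checkend alone exits 1 for both "expiring" and "nothing to parse"
    printf '%s\n' "$pem" | openssl x509 -noout >/dev/null 2>&1 || return 2
    printf '%s\n' "$pem" | openssl x509 -noout -checkend "$1" >/dev/null 2>&1
}

# Fetch what host:port presents. $3 is a -starttls protocol (smtp, imap,
# pop3) or "tls" for implicit-TLS ports such as 465 or 993.
fetch_cert() {
    if [ "$3" = tls ]; then
        openssl s_client -connect "$1:$2" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$1:$2" -starttls "$3" </dev/null 2>/dev/null
    fi
}

# Report one listener and return its cert_status code.
check_listener() {
    rc=0
    fetch_cert "$1" "$2" "$3" | cert_status "$THRESHOLD" || rc=$?
    case $rc in
        0) echo "OK       $1:$2 ($3)" ;;
        1) echo "EXPIRING $1:$2 ($3) within ${THRESHOLD}s" ;;
        *) echo "NOCERT   $1:$2 ($3) no certificate retrieved" ;;
    esac
    return "$rc"
}

# Assumed usage (ports are examples for a Postfix + Dovecot host):
#   ./certcheck.sh 127.0.0.1:587:smtp 127.0.0.1:993:tls 127.0.0.1:143:imap
main() {
    worst=0
    for spec in "$@"; do
        host=${spec%%:*}; rest=${spec#*:}
        port=${rest%%:*}; proto=${rest#*:}
        status=0; check_listener "$host" "$port" "$proto" || status=$?
        if [ "$status" -gt "$worst" ]; then worst=$status; fi
    done
    return "$worst"
}

if [ "$#" -gt 0 ]; then main "$@"; exit $?; fi
```

The script's exit code is the worst status seen, so a cron job or monitoring check can alert on any non-zero result and use 2 to flag a listener that did not hand over a certificate at all.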
