Hi,

Just going to say I banged my head against this wall for months on end - every time I updated certificates (using letsencrypt it's pretty frequent) postfix showed the new certs as active - but external tests still showed certs from over a year ago.

On Mon, 2022-03-28 at 15:23 +1100, raf wrote:
> I just tried this (debian-11, postfix-3.5.6)
> and was surprised by the effect:
>
>   postfix tls new-server-key
>   postfix tls deploy-server-cert /etc/postfix/cert-20220328-033631.pem
>     /etc/postfix/key-20220328-033631.pem
>
> The main.cf file originally contained:
>
>   smtpd_tls_chain_files =
>     /etc/postfix/smtpd.key
>     /etc/postfix/smtpd.cert
>
> The deploy-server-cert subcommand appended the following:
>
>   smtpd_tls_cert_file = /etc/postfix/cert-20220328-033631.pem
>   smtpd_tls_key_file = /etc/postfix/key-20220328-033631.pem
>
> I expected it to notice that smtpd_tls_chain_files was set,
> and instead of changing main.cf, just output what I need to
> change.

So my solution to the problem is to store all the tls certificate and key information in one file (in my case vmail_ssl.map); that file gets mapped with postmap. When new keys or certs get deployed I delete the vmail_ssl.map.db file, regenerate it with postmap, and then restart postfix. (It is worth noting that I host multiple domains and use SNI - so this solution may not be for you.)

--
Nikolai Lusan <niko...@lusan.id.au>
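
A staleness check for the map-based setup described in the message above, as an added example that is not part of the original post. It assumes the map is the source for Postfix's `tls_server_sni_maps`, built with `postmap -F` (which copies the key and certificate file contents into the `.db` at build time, so renewed files are not served until the map is rebuilt), and that each entry sits on one line as `name keyfile certfile ...`; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: find SNI map entries whose key/cert files changed after the
# compiled map was built. Assumes one "name keyfile certfile ..." entry per
# line (no continuation lines) and a compiled table at <map>.db.

# stale_sni_entries MAP_SOURCE
# Prints "name file" for every referenced file that is missing or newer than
# MAP_SOURCE.db. Returns 0 when the .db is current, 1 when a rebuild is needed.
stale_sni_entries() {
    map=$1
    db=$map.db
    stale=0

    if [ ! -f "$db" ]; then
        echo "missing $db"
        return 1
    fi

    # An edited source file also means the compiled table is out of date.
    if [ "$map" -nt "$db" ]; then
        echo "source $map"
        stale=1
    fi

    while read -r name files; do
        # Skip blank lines and comments.
        case $name in ''|'#'*) continue ;; esac
        for f in $files; do
            # -nt (newer than) is supported by bash, dash and busybox sh.
            if [ ! -f "$f" ] || [ "$f" -nt "$db" ]; then
                echo "$name $f"
                stale=1
            fi
        done
    done < "$map"

    return $stale
}

# Run against a map when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    stale_sni_entries "$1"
fi
```

Running it from the certificate renewal hook, and rebuilding the map and restarting Postfix only on a non-zero return, catches the case where the files on disk are current but the served certificates are not.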