On Tue, Mar 29, 2022 at 10:20:09PM +1000, Nikolai Lusan <niko...@lusan.id.au> wrote:
> Hi,
>
> Just going to say I banged my head against this wall for months on end -
> every time I updated certificates (using letsencrypt it's pretty
> frequent) postfix showed the new certs as active - but external tests
> still showed certs from over a year ago.
>
> So my solution to the problem is to store all the tls certificate and
> key information in one file (in my case vmail_ssl.map) that file gets
> mapped with postmap. When new keys or certs get deployed I delete the
> vmail_ssl.map.db file, regenerate it with postmap, and then restart
> postfix. (It is worth noting that I host multiple domains and use SNI -
> so this solution may not be for you.)
>
> - --
> Nikolai Lusan <niko...@lusan.id.au>

Hi,

That's weird. Well done fixing it. Postfix picks up
new certificates soon enough (controlled by the
max_idle and max_use parameters).

Did you have smtpd_tls_chain_files set to an old
key/cert, as well as smtpd_tls_cert_file and
smtpd_tls_key_file set to the updated ones?
Was that the cause?

cheers,
raf
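
An added example, not part of either message above: a Python check for the two situations the thread discusses, namely smtpd_tls_chain_files set alongside smtpd_tls_cert_file/smtpd_tls_key_file, and a compiled map that predates the key or certificate files it was built from. The function names, the sample paths and the map line format (`name file [file ...]`) are assumptions made for this example.

```python
import os

LEGACY = ("smtpd_tls_cert_file", "smtpd_tls_key_file")

def parse_postconf(text):
    """Parse `postconf -n` style 'name = value' lines into a dict."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def overlapping_tls_settings(params):
    """Legacy cert/key parameters that are set alongside smtpd_tls_chain_files."""
    if not params.get("smtpd_tls_chain_files"):
        return []
    return [p for p in LEGACY if params.get(p)]

def stale_map_entries(map_path, db_path=None):
    """Map keys whose key/cert files changed after the .db was last built.

    Assumes source lines of the form 'name file [file ...]'.
    """
    db_path = db_path or map_path + ".db"
    built = os.path.getmtime(db_path) if os.path.exists(db_path) else float("-inf")
    stale = []
    with open(map_path) as fh:
        for line in fh:
            fields = line.replace(",", " ").split()
            if not fields or fields[0].startswith("#"):
                continue
            # A missing file also counts: the map cannot be rebuilt as written.
            if any(not os.path.exists(f) or os.path.getmtime(f) > built
                   for f in fields[1:]):
                stale.append(fields[0])
    return stale

# Constructed sample, not taken from the thread.
SAMPLE_POSTCONF = """\
smtpd_tls_chain_files = /etc/postfix/tls/old-chain.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.org/privkey.pem
"""

if __name__ == "__main__":
    print(overlapping_tls_settings(parse_postconf(SAMPLE_POSTCONF)))
```

Feed `parse_postconf` the output of `postconf -n`, and run `stale_map_entries` from a certificate renewal hook so that a map needing a rebuild is reported before external tests show an old certificate.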