On Sun, Jul 23, 2023 at 09:39:52AM +0200, lejeczek via Postfix-users wrote:

> > What is "snis.map", and how is it used in your configuration?
>
> tls_server_sni_maps = hash:/etc/postfix/snis.map

And when did you run as root:

    # postmap -F hash:/etc/postfix/snis.map

to update that table?

    * It must be rebuilt every time the on-disk certificate chain files
      change.  The "postmapped" table holds copies of file content, not
      the paths.

> > What evidence of failing to "pick up" new settings did you collect?
>
> clients complaining/warning about expired certificates, validated with
> other tools, certs/files were not the current ones.

You probably did not run "postmap -F ..."

> > Only master(8) persists across reload, all the other services restart
> > shortly after.
> >
> -> $ postfix reload # did not work, new certs/files were
> only picked up with "full" restart, with "systemd" in this case.

Does the systemd script have code to rebuild that table?

> and when done, then server-postfix supplied new certs
> immediately - clients were happy.

You need to rebuild it periodically.  Once a week should be enough,
ACME certificates are typically good for 90 days and get replaced
every 60, so when the new one is minted the old one is still good
for 30 days.  But if you're really concerned, you can rebuild the
table daily.

-- 
    Viktor.
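
Added example, not part of the original message: a staleness check that runs "postmap -F" only when the source map or a certificate/key file it names is newer than the compiled table. It assumes a hash: table (compiled file "snis.map.db") and map lines of the form "name file[,file...]"; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: a hash: table, so the
# compiled file is "$MAP.db"; source lines are "name file[,file...]".
MAP=${MAP:-/etc/postfix/snis.map}

# Print every file named in the map's values, one per line.
sni_map_files() {
    awk '
        /^[ \t]*(#|$)/ { next }               # comment or blank line
        {
            first = ($0 ~ /^[ \t]/) ? 1 : 2   # continuation lines carry no key
            gsub(/,/, " ")                    # commas also separate file names
            for (i = first; i <= NF; i++) print $i
        }
    ' "$1"
}

# Exit 0 when the compiled table is missing, or older than the source map
# or any certificate/key file the map references (the table stores copies).
sni_map_stale() {
    map=$1
    db=$2
    [ -f "$db" ] || return 0
    [ "$map" -nt "$db" ] && return 0
    for f in $(sni_map_files "$map"); do
        [ "$f" -nt "$db" ] && return 0
    done
    return 1
}

# Rebuild only when called as "script run", so the functions can be sourced.
if [ "${1:-}" = run ] && sni_map_stale "$MAP" "$MAP.db"; then
    postmap -F "hash:$MAP"
fi
```

Run it as root from a daily or weekly cron job or systemd timer, with "run" as the only argument.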