Re: Letsencrypt tip

2017-09-14 Thread Dominic Raferd
On 13 September 2017 at 19:54, Viktor Dukhovni wrote: > > > On Sep 13, 2017, at 4:10 AM, Dominic Raferd > wrote: > > > > As Postfix SMTP server does not support SNI I think there is no point > using > > -servername option above, so the above

Re: Letsencrypt tip

2017-09-13 Thread Viktor Dukhovni
> On Sep 13, 2017, at 4:10 AM, Dominic Raferd wrote: > > As Postfix SMTP server does not support SNI I think there is no point using > -servername option above, so the above can be shortened to: > > echo | > sudo openssl s_client -connect 127.0.0.1:587 -starttls smtp

Re: Letsencrypt tip

2017-09-13 Thread Dominic Raferd
On 11 September 2017 at 17:22, Dominic Raferd wrote: > On 11/09/2017 12:33, Christian Kivalo wrote: > >> On 2017-09-11 11:21, Dominic Raferd wrote: >> >>> Does anyone know a way to detect if the certificate currently being >>> used by Postfix and/or Dovecot is nearing

Re: Letsencrypt tip

2017-09-11 Thread Viktor Dukhovni
> On Sep 11, 2017, at 1:37 PM, Bill Shirley wrote: > > Thanks for the info. > > With acme.sh, reloads are only done when the certificate is renewed. It is best to just leave Postfix alone, and not reload even then. If you run certbot often enough to renew well in

Re: Letsencrypt tip

2017-09-11 Thread Bill Shirley
Thanks for the info. With acme.sh, reloads are only done when the certificate is renewed. Bill On 9/11/2017 1:18 PM, Viktor Dukhovni wrote: On Sep 11, 2017, at 1:10 PM, Bill Shirley wrote: acme.sh can issue the reload command (--reloadcmd):

Re: Letsencrypt tip

2017-09-11 Thread Viktor Dukhovni
> On Sep 11, 2017, at 1:10 PM, Bill Shirley wrote: > > acme.sh can issue the reload command (--reloadcmd): > https://www.mail-archive.com/dovecot@dovecot.org/msg70894.html This is NOT needed for Postfix. The certificate file is not held in memory for a

Re: Letsencrypt tip

2017-09-11 Thread Bill Shirley
acme.sh can issue the reload command (--reloadcmd): https://www.mail-archive.com/dovecot@dovecot.org/msg70894.html Get an email from acme.sh: https://www.mail-archive.com/dovecot@dovecot.org/msg70895.html Bill On 9/11/2017 4:59 AM, Gary wrote: As you know, letsencrypt certs can be

Re: Letsencrypt tip

2017-09-11 Thread Marat Khalili
Real-world example (ugly but works): letsencrypt -tn --apache renew | tee "$LOG_FILE" if ! grep -q '^No renewals were attempted.$' "$LOG_FILE"; then CERTIFICATES_PATH='/etc/letsencrypt/live/example.com' RENEWAL_STATUS=`sed -nr 's#^ '"$CERTIFICATES_PATH"'/fullchain.pem \((.*)\)$#\1#p'

Re: Letsencrypt tip

2017-09-11 Thread Mike
On 9/11/2017 5:21 AM, Dominic Raferd wrote: > > > On 11 September 2017 at 11:59, Gary > wrote: > > As you know, letsencrypt certs can be automatically updated. > However, you need to reload/restart Postfix/Dovecot to use the new >

Re: Letsencrypt tip

2017-09-11 Thread Viktor Dukhovni
> On Sep 11, 2017, at 4:59 AM, Gary wrote: > > As you know, letsencrypt certs can be automatically updated. However, you > need to reload/restart Postfix/Dovecot to use the new cert. This is false for Postfix. The Postfix SMTP server processes (smtpd(8) and tlsproxy(8))

Re: Letsencrypt tip

2017-09-11 Thread Dominic Raferd
On 11/09/2017 12:33, Christian Kivalo wrote: On 2017-09-11 11:21, Dominic Raferd wrote: Does anyone know a way to detect if the certificate currently being used by Postfix and/or Dovecot is nearing expiry (esp. in case they haven't picked up the updated letsencrypt certificate)? You mean like

Re: Letsencrypt tip

2017-09-11 Thread Admin Beckspaced
On 11.09.2017 10:59, Gary wrote: As you know, letsencrypt certs can be automatically updated. However, you need to reload/restart Postfix/Dovecot to use the new cert. My email client insisted I had an expired cert. I couldn't download or send email. (Fortunately I'm on a test domain, getting

Re: Letsencrypt tip

2017-09-11 Thread Ralph Seichter
On 11.09.2017 11:21, Dominic Raferd wrote: > Does anyone know a way to detect if the certificate currently being > used by Postfix and/or Dovecot is nearing expiry (esp. in case they > haven't picked up the updated letsencrypt certificate)? See https://www.monitoring-plugins.org/ -- The plugins

Re: Letsencrypt tip

2017-09-11 Thread Petri Riihikallio
> Gary kirjoitti 11.09.2017 kello 11:59: > > As you know, letsencrypt certs can be automatically updated. However, you > need to reload/restart Postfix/Dovecot to use the new cert. My email client > insisted I had an expired cert. I couldn't download or send email. >

Re: Letsencrypt tip

2017-09-11 Thread Christian Kivalo
On 2017-09-11 11:21, Dominic Raferd wrote: Does anyone know a way to detect if the certificate currently being used by Postfix and/or Dovecot is nearing expiry (esp. in case they haven't picked up the updated letsencrypt certificate)? You mean like this from the letsencrypt forum adapted

Re: Letsencrypt tip

2017-09-11 Thread Dominic Raferd
On 11 September 2017 at 11:59, Gary wrote: > As you know, letsencrypt certs can be automatically updated. However, you > need to reload/restart Postfix/Dovecot to use the new cert. My email client > insisted I had an expired cert. I couldn't download or send email. >

Re: Change of SMTP encryption policy at Google? (was: Letsencrypt tip)

2017-09-11 Thread Gary
...@molgen.mpg.de Sent: September 11, 2017 2:06 AM To: li...@lazygranch.com Cc: postfix-users@postfix.org Subject: Change of SMTP encryption policy at Google? (was: Letsencrypt tip) Dear Gary, On 09/11/17 10:59, Gary wrote: […] > (Fortunately I'm on a test domain, getting ready for the Oct

Change of SMTP encryption policy at Google? (was: Letsencrypt tip)

2017-09-11 Thread Paul Menzel
Dear Gary, On 09/11/17 10:59, Gary wrote: […] (Fortunately I'm on a test domain, getting ready for the Oct 1st Google > insistence on encryption.) Could you please point me to the relevant announcement about that policy change? […] Kind regards, Paul

Letsencrypt tip

2017-09-11 Thread Gary
As you know, letsencrypt certs can be automatically updated. However, you need to reload/restart Postfix/Dovecot to use the new cert. My email client insisted I had an expired cert. I couldn't download or send email. (Fortunately I'm on a test domain, getting ready for the Oct 1st Google