
I have been unable to find any documentation on how to force Dovecot to reread a certificate when it's updated.

At the moment I'm doing

 /bin/systemctl restart dovecot

Does anyone know if this causes an outage during the restart, or if Dovecot cleanly terminates old sessions and allows new ones to launch with the new config? Can anyone advise on the best practice for forcing Dovecot to reload its SSL certificate with minimal impact?

davidgo

2 Answers


If you're using letsencrypt, you can add a deploy hook to do this automatically when certbot renews your certs. Deploy hooks live in:

/etc/letsencrypt/renewal-hooks/deploy/

Create a file (name doesn't matter - I named mine reload-dovecot) with the following contents:

    #!/bin/sh
    # certbot passes the renewed names to deploy hooks in RENEWED_DOMAINS
    # (space-separated); loop over them and reload only for the mail host.
    for domain in $RENEWED_DOMAINS; do
        if [ "$domain" = mail.example.com ]
        then
            systemctl reload dovecot
        fi
    done

Replace mail.example.com with the actual name of your mail server. Make sure the file is set to be executable.

You may want to create a similar script to reload postfix.

Answer for dovecot taken from here: https://www.xhalford.com/using-hook-scripts-with-certbot/#:~:text=Luckily%2C%20Certbot%20comes%20with%20the,renewal%2Dhooks%2Fdeploy%2F%20.

You can also use certbot itself to create the hooks:

sudo certbot renew --force-renewal --deploy-hook "postfix reload; service dovecot reload"

See thread here: https://community.letsencrypt.org/t/certbot-dovecot-postfix-certificate-renewal-issue/72226/11

Note: the example in the thread uses service postfix reload - this didn't work for me on Ubuntu 20.x.

z0lo
In your example script it shouldn't be `$domain`, but `$RENEWED_LINEAGE` or `$RENEWED_DOMAINS`. As mentioned in the [certbot docs](https://eff-certbot.readthedocs.io/en/stable/using.html) – archygriswald Jan 15 '23 at 21:50
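As an added example (not code from the answer above or from the linked article), here is a fuller deploy hook in the same spirit: it reads the RENEWED_DOMAINS variable that certbot exports to deploy hooks, reloads rather than restarts, covers both Dovecot and Postfix, and reports a failed reload instead of silently ignoring it. The host name mail.example.com and the RELOAD_CMD override (which lets the decision logic be dry-run with `echo`) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example of a certbot deploy hook; not the original answer's script.
# Install as /etc/letsencrypt/renewal-hooks/deploy/reload-mail and chmod 755.
#
# Assumptions (hypothetical for this example):
#   - the mail host's certificate name is mail.example.com
#   - Dovecot and Postfix both read that lineage from /etc/letsencrypt/live/
# certbot sets RENEWED_DOMAINS (space-separated) and RENEWED_LINEAGE when it
# runs a deploy hook after a successful renewal.

MAIL_HOST="${MAIL_HOST:-mail.example.com}"
# Command prefix used to reload a unit; override (e.g. RELOAD_CMD=echo) to dry-run.
RELOAD_CMD="${RELOAD_CMD:-systemctl reload}"

# domain_in_list NAME "a b c": return 0 if NAME is one of the space-separated names.
domain_in_list() {
    needle="$1"
    for d in $2; do
        [ "$d" = "$needle" ] && return 0
    done
    return 1
}

# services_to_reload "renewed domains": print the units to reload, one per line.
# Only the mail host's certificate matters; renewals of other names (a web
# site on the same box, say) should not touch the mail daemons at all.
services_to_reload() {
    if domain_in_list "$MAIL_HOST" "$1"; then
        printf '%s\n' dovecot postfix
    fi
}

# run_hook "renewed domains": reload each affected unit. A reload (not a
# restart) makes the daemon pick up the new cert without dropping sessions.
# Returns non-zero if any reload failed so certbot logs the problem.
run_hook() {
    rc=0
    for unit in $(services_to_reload "$1"); do
        if ! $RELOAD_CMD "$unit"; then
            echo "reload of $unit failed" >&2
            rc=1
        fi
    done
    return $rc
}

# When invoked by certbot, RENEWED_DOMAINS is set; act on it for real.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
    run_hook "$RENEWED_DOMAINS"
fi
```

Because the hook keys on RENEWED_DOMAINS rather than running unconditionally, a certbot run that renews only an unrelated certificate leaves Dovecot and Postfix untouched; `certbot renew --dry-run` can be used to confirm the hook is picked up without triggering a reload.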

Just reload it instead. There is no reason to restart and interrupt everyone's service.

systemctl reload dovecot
Michael Hampton