Whenever I update the SSL cert on the server (Alma Linux) I restart Postfix. I usually do this a few days or a week before the certificate runs out. However, mail connections always fail on the day the old certificate expires; at that point I have to restart Postfix a second time.
This happens every time and I have had to do this on at least 5 occasions. Every time, simply restarting Postfix solves the problem. The reference to the cert in Postfix is to the Let's Encrypt folder and nothing else is done to the Postfix config when renewing the certificate. Below is the config in main.cf:
#SSL
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.net/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
So how can I get Postfix to adopt the new certificate when I install it? Otherwise I have to wait until the e-mail goes down and do a restart, leading to downtime for clients.
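One way to confirm which certificate the running Postfix is actually presenting, as an added example that is not part of the original question or its comments: compare the SHA-256 fingerprint of the renewed file on disk with the one served after STARTTLS on port 25. It assumes the host name and paths from the main.cf above and that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: check whether the certificate Postfix presents on port 25
# matches the renewed fullchain.pem, so a stale in-memory certificate is
# noticed before the old one expires. Host, port and path are assumptions
# taken from the question's main.cf.
CERT_FILE=/etc/letsencrypt/live/mail.example.net/fullchain.pem
HOST=mail.example.net
PORT=25

# Reduce openssl's "sha256 Fingerprint=AB:CD:..." line to plain lowercase hex
# so two fingerprints can be compared as strings regardless of OpenSSL version.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*Fingerprint=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of the leaf certificate (first cert) in a PEM file.
file_fp() {
    normalize_fp "$(openssl x509 -noout -fingerprint -sha256 -in "$1")"
}

# SHA-256 fingerprint of the certificate the live smtpd presents after STARTTLS.
served_fp() {
    normalize_fp "$(openssl s_client -connect "$1:$2" -starttls smtp \
        -servername "$1" </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256)"
}

# Print the on-disk expiry (shows whether renewal actually happened) and
# report whether the served certificate is the same file.
check_postfix_cert() {
    disk=$(file_fp "$CERT_FILE")
    live=$(served_fp "$HOST" "$PORT")
    openssl x509 -noout -enddate -in "$CERT_FILE"
    if [ "$disk" = "$live" ]; then
        echo "OK: Postfix serves the certificate on disk ($disk)"
        return 0
    fi
    echo "MISMATCH: disk=$disk served=$live; run 'postfix reload' to pick up the new file"
    return 1
}

# Run the check only when invoked as: sh check_postfix_cert.sh check
if [ "${1:-}" = "check" ]; then
    check_postfix_cert
fi
```

To make the reload happen at renewal time rather than by hand, certbot runs any executable placed in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal; a one-line script there that calls `postfix reload` covers the case described above.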
openssl s_client? Have you tried to disable SSL session caching?