
Whenever I update the SSL cert on the server (Alma Linux) I restart Postfix. I usually do this a few days or a week before the certificate runs out. However mail connections always fail on the day the old certificate expires, at that point I have to restart Postfix a second time.

This happens every time and I have had to do this on at least 5 occasions. Every time, simply restarting Postfix solves the problem. The reference to the cert in Postfix is to the Let's Encrypt folder and nothing else is done to the Postfix config when renewing the certificate. Below is the config in main.cf:

#SSL

smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may

smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.net/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

So how can I get Postfix to adopt the new certificate when I install it? Otherwise I have to wait until the e-mail goes down and do a restart, leading to downtime for clients.

  • It's somewhat unusual for the same action to have different outcomes. How are you restarting postfix when the cert renews? Manually? Via a renewal hook? Why are you not using certbot renew?
    – symcbean
    Commented Apr 23 at 14:23
  • Yes, just manually both times, and in this case nothing has been done on the server at all since the last restart from an admin / command line perspective.
    – Kline
    Commented Apr 23 at 16:04
  • Very strange. Only a reload is normally needed for Postfix to load a new certificate. What about permissions? Is the user postfix runs under allowed to access the cert/key? Might there be any SELinux-related issues, is something logged? What is logged when you restart postfix for the first time? Have you tried to actually check the certificate after the restart, by using openssl s_client? Have you tried to disable SSL session caching? Commented Apr 26 at 17:32
  • This time I did check the SSL cert with openssl and it was definitely present and correct. I can check the logs next time but that will be in a few months. I'm not sure about disabling session caching as this may affect performance, I would have thought the cache would have been emptied if postfix was restarted?
    – Kline
    Commented Apr 27 at 18:24
  • Can you detail how the Let's Encrypt cert update process is set up? One of the key points of LE is that it auto-renews certificates and you don't have to lift a finger.
    – bolind
    Commented Apr 29 at 12:44

1 Answer


The Certbot always updates the symbolic links in /etc/letsencrypt/live/ to the latest files in /etc/letsencrypt/archive/ when it renews a Let's Encrypt certificate, so this should not happen if Postfix is either reloaded or restarted after the renewal.

However, the reload should also be automated. That is typically done with Certbot's hooks, but your situation might need an alternative approach, where SystemD might become handy.

Certbot's deploy-hook

When Certbot detects that a certificate is due for renewal, --pre-hook and --post-hook hooks run before and after each attempt to renew it. If you want your hook to run only after a successful renewal, use --deploy-hook in a command like this.

certbot renew --deploy-hook /path/to/deploy-hook-script

You could place a reload script in /etc/letsencrypt/renewal-hooks/deploy/, as the paths in your question suggest this directory structure is in use.

#!/bin/sh
systemctl reload postfix

SystemD Path units

If you do not trust Certbot to run this when the certificate is renewed and usable, you could use SystemD Path units to monitor the /etc/letsencrypt/live/mail.example.com/fullchain.pem and reload Postfix whenever it changes.

  • /etc/systemd/system/mail-certificate-watcher.service:

    [Unit]
    Description=Reload Postfix on mail.example.com certificate changes
    After=network.target
    
    [Service]
    Type=oneshot
    ExecStart=/usr/bin/systemctl reload postfix.service
    
    [Install]
    WantedBy=multi-user.target
    
  • /etc/systemd/system/mail-certificate-watcher.path:

    [Path]
    PathModified=/etc/letsencrypt/live/mail.example.com/fullchain.pem
    
    [Install]
    WantedBy=multi-user.target
    
  • Remember to enable & start it:

    systemctl enable mail-certificate-watcher.path
    systemctl start mail-certificate-watcher.path
    
  • I am restarting Postfix (manually) after renewing the certificate though?
    – Kline
    Commented Apr 29 at 16:14
  • Yes, but as the renewal is automatic, reloading the services should be automatic, too. You are in a situation no-one here is able to reproduce. We would need more information on how you renew the certificates, because this should not happen if you use any of the standard methods. Lastly, the second solution monitors for changes in the files referenced in the configuration file. Therefore, it is a fallback solution that should cover all non-standard renewals which may have caused this. Commented Apr 30 at 12:00
  • I do the renewal manually; I believe I have to because it's a wildcard certificate. So each time I use certbot delete then certbot certonly with all the settings to create a new cert. The thing is Apache and OpenSSL see the new certs immediately after restarting these services. I think even Dovecot sees them, as this time I didn't restart Dovecot, just Postfix. It shouldn't matter how Postfix is restarted in this scenario.
    – Kline
    Commented Apr 30 at 14:54
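
Combining the answer's deploy hook with the check the commenters asked for (openssl s_client against the running server), here is an added example that is not part of the answer, of Postfix or of certbot: a deploy-hook script that reloads Postfix and then confirms, over STARTTLS on the SMTP port, that the leaf certificate Postfix actually serves has the same SHA-256 fingerprint as the first certificate in fullchain.pem. The host name mail.example.net, port 25 and the /etc/letsencrypt/live path are assumptions taken from the question; RENEWED_LINEAGE is the environment variable certbot exports to deploy hooks, and the hook's install path is assumed.

```python
"""Added example (not from the answer, Postfix or certbot): reload Postfix from a
certbot deploy hook, then verify that the certificate served on the SMTP port is
the one now in fullchain.pem.  Host, port and paths below are assumptions."""
import hashlib
import os
import socket
import ssl
import subprocess
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def first_pem_block(text: str) -> str:
    """Return the first certificate of a PEM bundle: fullchain.pem lists the
    leaf first, then the intermediates, and only the leaf is compared."""
    start = text.find(PEM_BEGIN)
    end = text.find(PEM_END, start)
    if start < 0 or end < 0:
        raise ValueError("no PEM certificate found")
    return text[start:end + len(PEM_END)]


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def pem_fingerprint(pem: str) -> str:
    """Fingerprint of a single PEM certificate block."""
    return der_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def disk_fingerprint(cert_path: str) -> str:
    with open(cert_path, encoding="ascii") as fh:
        return pem_fingerprint(first_pem_block(fh.read()))


def parse_reply(raw: bytes):
    """Parse one SMTP reply (RFC 5321 section 4.2): '250-text' lines continue a
    multi-line reply, '250 text' or a bare '250' ends it.  Returns
    (code, [text lines]) or None while the reply is still incomplete."""
    if not raw.endswith(b"\r\n"):
        return None
    lines = raw.decode("ascii", "replace").split("\r\n")[:-1]
    last = lines[-1] if lines else ""
    if len(last) < 3 or not last[:3].isdigit():
        return None
    if len(last) > 3 and last[3] != " ":
        return None
    return int(last[:3]), [line[4:] for line in lines]


def recv_reply(sock: socket.socket):
    """Read from the socket until a complete SMTP reply has arrived."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        parsed = parse_reply(buf)
        if parsed is not None:
            return parsed


def served_fingerprint(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Speak just enough SMTP to reach STARTTLS, then fingerprint the leaf the
    server presents.  Verification is off on purpose: we want the raw
    certificate even if it is expired, which is exactly the failure being hunted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        code, _ = recv_reply(sock)
        if code != 220:
            raise RuntimeError(f"unexpected greeting {code}")
        sock.sendall(b"EHLO certcheck.invalid\r\n")
        code, lines = recv_reply(sock)
        if code != 250 or not any(l.upper().startswith("STARTTLS") for l in lines):
            raise RuntimeError("server did not offer STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        code, _ = recv_reply(sock)
        if code != 220:
            raise RuntimeError(f"STARTTLS refused with {code}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            tls.sendall(b"QUIT\r\n")
    return der_fingerprint(der)


def check_postfix_serves(cert_path: str, host: str, port: int = 25) -> bool:
    """True when the certificate Postfix serves matches the one on disk."""
    return disk_fingerprint(cert_path) == served_fingerprint(host, port)


if __name__ == "__main__":
    # certbot sets RENEWED_LINEAGE (the live/<name> directory) for deploy hooks;
    # the fallback is the path from the question's main.cf (assumed).
    lineage = os.environ.get("RENEWED_LINEAGE", "/etc/letsencrypt/live/mail.example.net")
    cert = os.path.join(lineage, "fullchain.pem")
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.net"
    subprocess.run(["systemctl", "reload", "postfix"], check=True)
    if check_postfix_serves(cert, host):
        print("postfix serves the certificate from", cert)
    else:
        # Non-zero exit makes certbot report the hook failure now, not on expiry day.
        sys.exit(f"MISMATCH: postfix is not serving the certificate in {cert}")
```

Install it somewhere like /usr/local/sbin/postfix-cert-check.py (path assumed) and pass it as `--deploy-hook` on the certbot certonly command line: certbot runs --deploy-hook once for each certificate it successfully issues, so this covers the manual wildcard issuance described in the comments as well as `certbot renew`. A mismatch shows up immediately in certbot's output and log instead of on the old certificate's expiry date; use port 587 if port 25 is not reachable from where the hook runs.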
