christoph ender's

blog

thursday the 5th of june, 2025

postfix sni cert storage

A few days ago I got a warning from my monitoring system indicating that some certificates for my postfix mail system would expire soon. This caught me a little bit by surprise, since this is a certificate issued and auto-renewed by Let's Encrypt and it has been working flawlessly so far for everything else.

My current revision of my mail system, which has now been running for about two months, is the first one to be completely containerized, so I naturally started looking at whether the renewal of certificates outside the container actually makes it into the mounted container's /etc/letsencrypt, if the træfik ingress controller has a hand in this and so on.

After an embarrassingly long time of looking around I learned that the certificates provided to postfix using the tls_server_sni_maps configuration option are actually encoded into the associated lookup table when it's created using postmap -F hash:sni-table-file – which I should have known from the beginning but didn't – and in that case, the lookup table has to be refreshed once the certificates have changed. I actually tried leaving out the -F parameter, but this only results in a malformed BASE64 value error, so for the time being I'll just stick with re-creating the lookup table every few months.
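
The refresh step described above can be automated instead of done by hand every few months. The following is an added example, not part of the original post: a shell helper, intended to be run after certificate renewal, that rebuilds the table only when a referenced PEM file is newer than the compiled .db file. The function names, the table path passed as an argument and the assumed line layout (domain followed by one or more PEM file paths) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed source table layout,
# one entry per line:  <domain> <pem-file> [<pem-file> ...]

# sni_table_stale TABLE
# Returns 0 (stale) when TABLE.db is missing, older than TABLE itself, or
# older than any PEM file listed in TABLE. Returns 1 when it is up to date.
sni_table_stale() {
    table=$1
    db="$table.db"                        # hash: tables are compiled to <name>.db
    [ -f "$db" ] || return 0              # never built
    [ "$table" -nt "$db" ] && return 0    # table source edited after last build
    while read -r name files || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac   # skip blank and comment lines
        for f in $files; do
            # -nt follows symlinks, so Let's Encrypt live/ links are compared
            # by the mtime of the renewed file they point to.
            # A missing file also counts as stale so the rebuild fails loudly.
            if [ ! -e "$f" ] || [ "$f" -nt "$db" ]; then
                return 0
            fi
        done
    done < "$table"
    return 1
}

# refresh_sni_table TABLE
# Re-encodes the certificate files into the lookup table only when needed.
refresh_sni_table() {
    if sni_table_stale "$1"; then
        postmap -F "hash:$1"
    fi
}

# Run only when a table path is given, e.g. from a renewal hook or cron job.
if [ "$#" -ge 1 ]; then
    refresh_sni_table "$1"
fi
```

In a containerized setup like the one described, the script has to run where both the mounted certificate directory and the postfix table are visible.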