dovecot - Jul 2006 - rc1: Questions about ssl-build-param!!??

Timo,

My setup: Solaris 9, 1.0rc1, built like so:

CC=gcc CFLAGS="-g -O" CPPFLAGS=-I/opt/openssl/include \
LDFLAGS=-L/opt/openssl/lib ./configure --prefix=/opt/dovecot.1.0rc1 \
         --with-ssl=openssl --with-ssldir=/opt/openssl/ssl \
         --with-sql-drivers=no --disable-ipv6

using gcc 4.1.0.  Protocols are imap and imaps.

My system paniced and crashed in the middle of the night, and
after it came up the ssl-parameters.dat file was messed
up.
>From syslog:
child 1965 (login) returned error 89
imap-login: Can't open SSL parameter file ssl-parameters.dat: Permission
denied

Nobody was getting their email via imap.  So I removed the directories
/opt/dovecot/var and /var/run/dovecot to get dovecot to rebuild the
ssl-parameters.dat file.  Questions:

1) Why on Earth does ssl-build-param take so long??!!  (> 12 minutes on
my E220R)  What is it doing?  How to speed this process up, and/or tune it?

2) Where does ssl-parameters.dat get written to?  I found one copy in 
the /opt/dovecot/var/lib/dovecot directory, and one copy in 
/var/run/dovecot/login.  Which copy gets used?

3) What are the permissions supposed to be for ssl-parameters.dat?  The
copy in /var/run was chown root:other and chmod 640.  I could not get rid
of the syslog "permission denied" until I made it chmod 644.

4) Likewise the directories /opt/dovecot/var and below get created
chown root:other and chmod 750, with ssl-parameters.dat chmod 640.
What should these perms be?

Jeff Earickson
Colby College

On Sun, 2006-07-02 at 13:05 -0400, Jeff A. Earickson
wrote:
> imap-login: Can't open SSL parameter file ssl-parameters.dat:
Permission denied
> 
> Nobody was getting their email via imap.  So I removed the directories
> /opt/dovecot/var and /var/run/dovecot to get dovecot to rebuild the
> ssl-parameters.dat file.  Questions:
Yea, this was a problem if directories are in different filesystems..
> 1) Why on Earth does ssl-build-param take so long??!!  (> 12 minutes on
> my E220R)  What is it doing?  How to speed this process up, and/or tune it?
It does. :) But once it's created, it's by default updated only once a
week. You can also disable updating it completely.
> 2) Where does ssl-parameters.dat get written to?  I found one copy in 
> the /opt/dovecot/var/lib/dovecot directory, and one copy in 
> /var/run/dovecot/login.  Which copy gets used?
Because some systems delete everything in /var/run at startup, I changed
1.0rc1 to write it first into /opt/dovecot/var/lib/dovecot and copy it
from there to /var/run.
> 3) What are the permissions supposed to be for ssl-parameters.dat?  The
> copy in /var/run was chown root:other and chmod 640.  I could not get rid
> of the syslog "permission denied" until I made it chmod 644.
644 is fine. This copying is fixed in CVS.
> 4) Likewise the directories /opt/dovecot/var and below get created
> chown root:other and chmod 750, with ssl-parameters.dat chmod 640.
> What should these perms be?
Isn't it created with 644 in /opt/dovecot/var? It should be, and is with
me..
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20060702/94c4aab5/attachment.bin>