Alexander good afternoon. Thank you. I have spent the day learning
about AppArmor:
- I've reviewed your link, found /etc/apparmor.d/ and its local/ directory.
- I ran aa-logprof and it found the change in stat to old-stat
that is discussed in the upgrade documentation. So I Allow (A) that.
There are no other reports.
- I followed the discussion on using yast to manage the
profiles. I'm on ssh to the server so do not have the GUI yast, only
the ncurses version and it does not contain editing, only adding,
profiles.
I tried creating a profile for imap-login with that method and
scanned for any issues, there were none reported, but still cannot log
in.
- I followed the local/README to explicitly add
/etc/certbot/live/privustech.com/* r,
to /etc/apparmor.d/local/usr.lib.dovecot.imap-login but still
cannot login with either the mail client or with explicit openssl: it
complains
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
I checked yast2 sw_single for the dovecot installation. Indeed
the module dovecot23-xxx where xxx is anything that looks like
"clnt" (client?) does not exist. Is there a missing module in my installation?
It lists only
dovecot
dovecot23
dovecot23-backend-mysql
dovecot23-backend-pgsql
dovecot23-backend-sqlite
dovecot23-fts
dovecot23-fts-squat
I'll pursue this further.
Thank you again.
Kind regards, Andy
On Fri, 2018-12-14 at 23:44 +0100, Alexander Dalloz wrote:
> On 14.12.2018 at 19:58, C. Andrews Lavarre wrote:
> >
> > Thanks for the input. I've checked out your suggestions (details
> > below)
> > but unfortunately no joy.
> > I also restored my backup 10-ssl.conf. It indeed has the "<" sign
> > with a space before the explicit paths to the files:
> >     ssl_cert = </etc/certbot/live/privustech.com/fullchain.pem
> >     ssl_key = </etc/certbot/live/privustech.com/privkey.pem
> Hi,
>
> the syntax you see in the documentation is mandatory. Your issue is
> really a permissions problem.
>
> Check your AppArmor setup. The path you use for storing the chained
> certificate and the private key is certainly not known to AppArmor. See
> your /var/log/audit/audit.log for indications.
>
> https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.apparmor.managing.html
>
> may help.
>
> Btw. permissions setting to 0777, especially for the cert and key, is
> awful, even for debugging issues.
>
> Alexander
>