Hi List,

I'm new to postfix-dovecot and I'm mystified by the following results in Ubuntu 10.04 LTS:

:~$ dovecot -n
# 1.2.9: /etc/dovecot/dovecot.conf
Error: ssl_key_file: Can't use /etc/ssl/private/ssl-mail.key: Permission denied
Fatal: Invalid configuration in /etc/dovecot/dovecot.conf

~$ sudo ls -dl /etc/ssl/private/ssl-mail.key
lrwxrwxrwx 1 root root 38 2013-11-27 08:35 /etc/ssl/private/ssl-mail.key -> /etc/ssl/private/ssl-cert-snakeoil.key

Why is dovecot happily delivering mail to local accounts (that's all I use atm) without being able to access the SSL key, and how can I fix this problem so I can run dovecot -n successfully? I have tried 'chown dovecot' etc. but there was no change in dovecot -n output.

Any and all help is appreciated.

Phil
On Thu, 6 Feb 2014, Phil wrote:

> I'm new to postfix-dovecot

and Unix/Linux, too?

> and I'm mystified by the following results in ubuntu
> 10.04lts
>
> :~$ dovecot -n
> # 1.2.9: /etc/dovecot/dovecot.conf
> Error: ssl_key_file: Can't use /etc/ssl/private/ssl-mail.key: Permission
> denied
> Fatal: Invalid configuration in /etc/dovecot/dovecot.conf
>
> ~$ sudo ls -dl /etc/ssl/private/ssl-mail.key
> lrwxrwxrwx 1 root root 38 2013-11-27 08:35 /etc/ssl/private/ssl-mail.key ->
> /etc/ssl/private/ssl-cert-snakeoil.key

You show us the symbolic link, which has all Unix permissions usually. The interesting file is the final target, e.g. /etc/ssl/private/ssl-cert-snakeoil.key if that is no symlink as well, and the permissions of all directories to it.

For instance, Debian uses the perms for the private dir:

drwx--x--- 2 root ssl-cert 4096 Jul 4 2012 /etc/ssl/private/

I think it looks the same on your Ubuntu machine. So add the Dovecot user to group ssl-cert to let it enter the directory at all. The Snakeoil key is usually group-readable for ssl-cert, too. So no change of permissions necessary there as well.

--
Steffen Kaiser
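The check described in the reply above (the final target of the symlink plus the permissions of every directory leading to it), as an added shell example that is not part of the original thread: it resolves the link and reports, per path component, which permission class applies to a given uid and group list. The function names and the account name `dovecot` in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Needs GNU stat/readlink; run as root
# so every component can be stat'ed.

# perm_ok UID "GIDS" PATH BIT: do PATH's mode bits grant BIT (4=r, 1=x)?
perm_ok() {
    p_uid=$1 p_gids=$2 p_bit=$4 why="stat failed"
    p_st=$(stat -c '%a %u %g' -- "$3") || return 1
    set -- $p_st                       # $1=mode $2=owner uid $3=group gid
    # Exactly one class applies: owner first, then group, then other.
    if [ "$p_uid" -eq "$2" ]; then p_class=owner p_shift=6
    else
        case " $p_gids " in
            *" $3 "*) p_class=group p_shift=3 ;;
            *)        p_class=other p_shift=0 ;;
        esac
    fi
    why="mode $1, class $p_class"
    [ "$p_uid" -eq 0 ] && return 0     # root is not limited by these bits
    [ $(( (0$1 >> $p_shift) & $p_bit )) -ne 0 ]
}

# explain_access UID "GIDS" PATH: resolve symlinks, then check search (x)
# on each directory and read (r) on the final file. Returns 1 on any denial.
explain_access() {
    e_uid=$1 e_gids=$2 e_rc=0 e_cur=
    e_rest=$(readlink -f -- "$3") || return 2
    e_rest=${e_rest#/}
    while [ -n "$e_rest" ]; do
        e_cur="$e_cur/${e_rest%%/*}"
        case $e_rest in
            */*) e_rest=${e_rest#*/} e_bit=1 ;;   # directory: needs x
            *)   e_rest= e_bit=4 ;;               # final target: needs r
        esac
        if perm_ok "$e_uid" "$e_gids" "$e_cur" "$e_bit"; then
            echo "ok     $e_cur ($why)"
        else
            echo "DENIED $e_cur ($why)"; e_rc=1
        fi
    done
    return $e_rc
}

# Assumed usage (the account name "dovecot" is an assumption):
#   explain_access "$(id -u dovecot)" "$(id -G dovecot)" /etc/ssl/private/ssl-mail.key
if [ $# -eq 3 ]; then explain_access "$@"; fi
```

`id -G` reads the group database, so a process started before the account was added to `ssl-cert` keeps its old groups until it is restarted. Pass the uid and groups of whichever account actually runs the command; a command typed at an unprivileged prompt runs as that login user.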
On 6/02/2014 6:23 PM, Steffen Kaiser wrote:

> On Thu, 6 Feb 2014, Phil wrote:
>
>> I'm new to postfix-dovecot
>
> and Unix/Linux, too?

Technically yes! Less than 2 years experience running a live server . . .

>> and I'm mystified by the following results
>> in ubuntu 10.04lts
>>
>> :~$ dovecot -n
>> # 1.2.9: /etc/dovecot/dovecot.conf
>> Error: ssl_key_file: Can't use /etc/ssl/private/ssl-mail.key:
>> Permission denied
>> Fatal: Invalid configuration in /etc/dovecot/dovecot.conf
>>
>> ~$ sudo ls -dl /etc/ssl/private/ssl-mail.key
>> lrwxrwxrwx 1 root root 38 2013-11-27 08:35
>> /etc/ssl/private/ssl-mail.key -> /etc/ssl/private/ssl-cert-snakeoil.key
>
> You show us the symbolic link, which has all Unix permissions usually.
> The interesting file is the final target, e.g.
> /etc/ssl/private/ssl-cert-snakeoil.key if that is no symlink as well,
> and the permissions of all directories to it.
>
> For instance, Debian uses the perms for the private dir:
>
> drwx--x--- 2 root ssl-cert 4096 Jul 4 2012 /etc/ssl/private/
>
> I think it looks the same on your Ubuntu machine. So add
> the Dovecot user to group ssl-cert to let it enter the directory
> at all. The Snakeoil key is usually group-readable for ssl-cert, too.
> So no change of permissions necessary there as well.

I did this and my perms look like thus now:

total 8
-rw------- 1 root dovecot 887 2013-11-25 11:33 dovecot.pem
-rw-r----- 1 dovecot ssl-cert 887 2013-11-17 12:27 ssl-cert-snakeoil.key
lrwxrwxrwx 1 root root 38 2013-11-27 08:35 ssl-mail.key -> /etc/ssl/private/ssl-cert-snakeoil.key

and dovecot -n is the same. As I said before, it's delivering mail ok. I would like to fix this and hopefully understand it a bit better.

Thanks.

> --
> Steffen Kaiser