On 6/02/2014 6:23 PM, Steffen Kaiser wrote:
> On Thu, 6 Feb 2014, Phil wrote:
>
>> I'm new to postfix-dovecot
>
> and Unix/Linux, too?
>

Technically yes! Less than 2 years experience running a live server . . .

>> and I'm mystified by the following results
>> in ubuntu 10.04lts
>>
>> :~$ dovecot -n
>> # 1.2.9: /etc/dovecot/dovecot.conf
>> Error: ssl_key_file: Can't use /etc/ssl/private/ssl-mail.key:
>> Permission denied
>> Fatal: Invalid configuration in /etc/dovecot/dovecot.conf
>>
>> ~$ sudo ls -dl /etc/ssl/private/ssl-mail.key
>> lrwxrwxrwx 1 root root 38 2013-11-27 08:35
>> /etc/ssl/private/ssl-mail.key -> /etc/ssl/private/ssl-cert-snakeoil.key
>
> You show us the symbolic link, which has all Unix permissions usually.
> The interesting file is the final target, e.g.
> /etc/ssl/private/ssl-cert-snakeoil.key if that is no symlink as well,
> and the permissions of all directories to it.
>
> For instance, Debian uses the perms for the private dir:
>
> drwx--x--- 2 root ssl-cert 4096 Jul 4 2012 /etc/ssl/private/
>
> I think it looks the same on your Ubuntu machine. So add
> the Dovecot user to group ssl-cert to let it enter the directory
> at all. The Snakeoil key is usually group-readable for ssl-cert, too.
> So no change of permissions necessary there as well.

I did this and my perms look like thus now:

total 8
-rw------- 1 root dovecot 887 2013-11-25 11:33 dovecot.pem
-rw-r----- 1 dovecot ssl-cert 887 2013-11-17 12:27 ssl-cert-snakeoil.key
lrwxrwxrwx 1 root root 38 2013-11-27 08:35 ssl-mail.key -> /etc/ssl/private/ssl-cert-snakeoil.key

and dovecot -n is the same. As I said before, it's delivering mail OK. I would like to fix this and hopefully understand it a bit better. Thanks.

> -- 
> Steffen Kaiser
On 02/06/2014 09:29 AM, Phil wrote:
> On 6/02/2014 6:23 PM, Steffen Kaiser wrote:
>> On Thu, 6 Feb 2014, Phil wrote:
>>
>>> I'm new to postfix-dovecot
>>
>> and Unix/Linux, too?
>>
> Technically yes! Less than 2 years experience running a live server . . .
>
>>> and I'm mystified by the following results
>>> in ubuntu 10.04lts
>>>
>>> :~$ dovecot -n
>>> # 1.2.9: /etc/dovecot/dovecot.conf
>>> Error: ssl_key_file: Can't use /etc/ssl/private/ssl-mail.key:
>>> Permission denied
>>> Fatal: Invalid configuration in /etc/dovecot/dovecot.conf

looks like a non-root prompt ...

>>>
>>> ~$ sudo ls -dl /etc/ssl/private/ssl-mail.key
>>> lrwxrwxrwx 1 root root 38 2013-11-27 08:35
>>> /etc/ssl/private/ssl-mail.key -> /etc/ssl/private/ssl-cert-snakeoil.key

using sudo here, so yes...

Since doveconf reads the ssl cert, the user that runs doveconf needs access to the file too. Try again as root (or using sudo)...

Regards,
Tom
On Thu, 6 Feb 2014, Phil wrote:
>>> :~$ dovecot -n

which user do you use to invoke doveconf?

-- 
Steffen Kaiser
On 06.02.2014 09:29, Phil wrote:
> On 6/02/2014 6:23 PM, Steffen Kaiser wrote:
>> You show us the symbolic link, which has all Unix permissions usually. The interesting file is the final target,
>> e.g. /etc/ssl/private/ssl-cert-snakeoil.key if that is no symlink as well, and the permissions of all directories
>> to it.
>>
>> For instance, Debian uses the perms for the private dir:
>>
>> drwx--x--- 2 root ssl-cert 4096 Jul 4 2012 /etc/ssl/private/
>>
>> I think it looks the same on your Ubuntu machine. So add
>> the Dovecot user to group ssl-cert to let it enter the directory
>> at all. The Snakeoil key is usually group-readable for ssl-cert, too.
>> So no change of permissions necessary there as well.
>
> I did this and my perms look like thus now:
>
> total 8
> -rw------- 1 root dovecot 887 2013-11-25 11:33 dovecot.pem
> -rw-r----- 1 dovecot ssl-cert 887 2013-11-17 12:27 ssl-cert-snakeoil.key
> lrwxrwxrwx 1 root root 38 2013-11-27 08:35 ssl-mail.key -> /etc/ssl/private/ssl-cert-snakeoil.key

for the sake of correctness:

* the server process owning config files is generally bad
* ssl-certs are opened with root permissions at startup
* that is why chmod 0400 and owner/group root are the recommended perms for certificates
* the same for Apache httpd and Postfix
* only Apache Trafficserver opens certs as ats-user (for now)

the only thing where permissions could be relevant at all in context of ssl-certificates is if someone removes the execute permissions from one of the parent folders
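The checks the thread walks through by hand (resolve the symlink, then check search permission on every parent directory and read permission on the final key, for the user that actually runs doveconf) as an added Python example; this is not code from any of the posts. The temp tree, the pretend uid, and the `trusted_prefix` parameter that lets the demo skip the temp directory's own parents are constructed for illustration; on a real host leave `trusted_prefix` at `/`.

```python
import os
import shutil
import tempfile

def _perm_bits(st, uid, gids):
    """(read, search) bits of one stat result as seen by uid with groups gids."""
    if uid == 0:  # root bypasses DAC checks (CAP_DAC_OVERRIDE)
        return True, True
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool(st.st_mode >> shift & 4), bool(st.st_mode >> shift & 1)

def explain_key_access(path, uid, gids, trusted_prefix="/"):
    """Walk the resolved path as uid/gids would: directories below trusted_prefix need
    search (x), the target needs read (r). Returns (ok, reason naming the blocker)."""
    target = os.path.realpath(path)  # ssl-mail.key -> ssl-cert-snakeoil.key in the thread
    current = os.path.realpath(trusted_prefix)
    rel = os.path.relpath(os.path.dirname(target), current)
    for name in ([] if rel == "." else rel.split(os.sep)):
        current = os.path.join(current, name)
        if not _perm_bits(os.stat(current), uid, gids)[1]:
            return False, "directory %s lacks search (x) permission for uid %d" % (current, uid)
    if not _perm_bits(os.stat(target), uid, gids)[0]:
        return False, "file %s is not readable by uid %d" % (target, uid)
    return True, "%s is readable by uid %d" % (target, uid)

def demo():
    """Constructed tree mirroring the thread: private/ 0710, key 0640, symlink to it."""
    base = tempfile.mkdtemp()
    try:
        private = os.path.join(base, "private")
        os.mkdir(private)
        key = os.path.join(private, "ssl-cert-snakeoil.key")
        with open(key, "w") as f:
            f.write("placeholder, not a real key\n")
        link = os.path.join(private, "ssl-mail.key")
        os.symlink(key, link)
        os.chmod(private, 0o710)       # drwx--x--- as in Steffen's listing
        os.chmod(key, 0o640)           # -rw-r----- as in Phil's listing
        gid = os.stat(private).st_gid  # stands in for the ssl-cert group
        other = os.getuid() + 1        # some uid that is neither root nor the owner
        return {  # base is passed as trusted_prefix so the temp dir's parents are skipped
            "no group": explain_key_access(link, other, set(), base)[0],
            "in group": explain_key_access(link, other, {gid}, base)[0],
            "root": explain_key_access(link, 0, set(), base)[0],
        }
    finally:
        shutil.rmtree(base)

if __name__ == "__main__":
    print(demo())
```

The "no group" case fails on the directory, not the key, which is the situation doveconf reports when run as a user outside ssl-cert; root passes regardless, matching the point that the daemon reads the key with root privileges at startup.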