[Dovecot] dovecot -n FATAL
Phil
phil at philfixit.info
Thu Feb 6 21:05:17 UTC 2014
on 6/02/2014 11:43 PM, Reindl Harald wrote:
> On 06.02.2014 09:29, Phil wrote:
>> On 6/02/2014 6:23 PM, Steffen Kaiser wrote:
>>> You show us the symbolic link, which has all Unix permissions usually. The interesting file is the final target,
>>> e.g. /etc/ssl/private/ssl-cert-snakeoil.key if that is no symlink as well, and the permissions of all directories
>>> to it.
>>>
>>> For instance, Debian uses the perms for the private dir:
>>>
>>> drwx--x--- 2 root ssl-cert 4096 Jul 4 2012 /etc/ssl/private/
>>>
>>> I think it looks the same on your Ubuntu machine. So add
>>> the Dovecot user to group ssl-cert to let it enter the directory
>>> at all. The Snakeoil key is usually group-readable for ssl-cert, too.
>>> So no change of permissions necessary there as well.
>> I did this and my perms look like thus now:
>>
>> total 8
>> -rw------- 1 root dovecot 887 2013-11-25 11:33 dovecot.pem
>> -rw-r----- 1 dovecot ssl-cert 887 2013-11-17 12:27 ssl-cert-snakeoil.key
>> lrwxrwxrwx 1 root root 38 2013-11-27 08:35 ssl-mail.key -> /etc/ssl/private/ssl-cert-snakeoil.key
> for the sake of correctness:
>
> * the server process owning config files is generally bad
> * ssl-certs are opened with root permissions at startup
> * that is why chmod 0400 and owner/group root are the recommended perms for certificates
> * the same for Apache httpd and Postfix
> * only Apache Trafficserver opens certs as ats-user (for now)
>
> the only thing where permissions could be relevant at all in context of
> ssl-certificates is if someone removes the execute permissions from one
> of the parent folders
>
Thanks Reindl,
My setup is very default according to the documentation available
online. I am self taught off the net and sometimes struggle with issues
as there is nobody around to ask. After reading your reply I removed
dovecot from the group ssl-cert, and everything is fine. My mistake was
not passing the dovecot -n command with root privileges. Again I
sincerely apologise for my noobish mistake.
Phil
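A check for what Steffen and Reindl describe above, added here as an example that is not from the thread: it follows the symlink to the real key file, then reports the key's mode and owner and the execute (search) bit on every parent directory. It assumes GNU readlink -f and ls -ld; the expected owner is a parameter (root by default, as Reindl recommends).

```shell
#!/bin/sh
# Added example (not from the thread): check the permissions that actually
# matter for a Dovecot SSL private key. The symlink's own lrwxrwxrwx is
# irrelevant; what counts is the final target (recommended: mode 0400,
# owner root) and the execute bit on every directory above it.
# Assumes GNU readlink -f and ls -ld.

# Usage: check_key_perms /path/to/key [expected_owner]   (owner defaults to root)
# Returns 0 when everything looks right, 1 otherwise, printing one WARN line
# per problem found.
check_key_perms() {
    key=$1
    want_owner=${2:-root}
    status=0

    # Follow every symlink in the chain to the real key file.
    target=$(readlink -f "$key") || { echo "WARN: cannot resolve $key"; return 1; }

    # Mode string and owner of the target, e.g. "-r-------- root" (a trailing
    # "+" or "." from ACLs/SELinux is tolerated by the pattern below).
    mode=$(ls -ld "$target" 2>/dev/null | awk '{print $1}')
    owner=$(ls -ld "$target" 2>/dev/null | awk '{print $3}')
    case "$mode" in
        -r--------*) ;;
        *) echo "WARN: $target has mode '$mode', expected -r-------- (0400)"; status=1 ;;
    esac
    [ "$owner" = "$want_owner" ] ||
        { echo "WARN: $target owned by '$owner', expected $want_owner"; status=1; }

    # Walk the parent directories: this is the "execute permission removed
    # from a parent folder" case Reindl mentions.
    dir=$(dirname "$target")
    while [ "$dir" != "/" ]; do
        dmode=$(ls -ld "$dir" 2>/dev/null | awk '{print $1}')
        case "$dmode" in
            d??x*) ;;
            *) echo "WARN: $dir has mode '$dmode', owner cannot search it"; status=1 ;;
        esac
        dir=$(dirname "$dir")
    done
    return $status
}
```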