Hi
does anyone happen to know the username under which dovecot accesses the certificate and key files when connecting to a mariadb database with ssl? I can't seem to get dovecot to read the files without an "other" readable bit set.
I have dovecot users in mysql with the following connect string in dovecot-sql.conf.ext
connect = host=x.x.x host=y.y.y host=z.z.z dbname=maildb user=mailuser password=xxxxxx ssl_ca=/etc/ssl/mysql/ca-cert.pem ssl_cert=/etc/ssl/mysql/client-cert.pem ssl_key=/etc/ssl/mysql/client-key.pem ssl_verify_server_cert=yes
The certificate and key files in /etc/ssl/mysql/ are owned by root with group users:
ls -l /etc/ssl/mysql
total 12
-r--r--r--. 1 root root  2041 Jun 22 15:32 ca-cert.pem
-r--r--r--. 1 root users 1907 Jun 22 15:32 client-cert.pem
-r--r--r--. 1 root users 3272 Jun 22 15:32 client-key.pem
For my test dovecot, dovenull and vmail are all members of group users:
grep users /etc/group
users:x:100:postfix,dovecot,dovenull,vmail
If I remove the "other" readable attribute on the certificate and key files, dovecot complains it can't connect to the db server:
auth: Error: mysql(x.x.x): Connect failed to database (maildb): TLS/SSL error: Permission denied (13) - waiting for 1 seconds before retry
I realize it only adds marginal security to not have these files world readable, but still it is puzzling why dovecot cannot read them in that case. Can anyone see what I am missing?
Thanks
John
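Added example for this thread (not code from the poster, Dovecot or MariaDB): the kernel decides readability from the process's effective uid, effective gid and supplementary group list, not from /etc/group, and a daemon that changes identity after startup does not necessarily keep the supplementary groups its user has on paper. The script below parses a /proc/PID/status-style dump for that identity and replays the owner/group/other check against a file's owner, group and mode, so the difference between "dovecot is in group users" and "the auth process actually has gid 100 in its group set" can be seen directly. The status excerpts, the uid 97 and the process name are constructed sample data; on a live system feed it `cat /proc/PID/status` of the connecting process and `stat -c '%u %g %a' /etc/ssl/mysql/client-key.pem`.

```shell
#!/bin/sh
# Replay the Unix read-permission check for a process identity taken from
# /proc/PID/status. Example code written for this thread; sample data only.

# has_read DIGIT -> succeeds if the octal permission digit contains the read bit (4).
has_read() {
    [ $(( $1 & 4 )) -ne 0 ]
}

# can_read UID GID "SUPP_GIDS" FILE_UID FILE_GID MODE
# MODE is the three-digit octal string printed by `stat -c %a` (e.g. 440).
# Order of evaluation matches the kernel: root always wins; then the owner
# class applies if uid matches; then the group class if the primary or any
# supplementary gid matches; otherwise the "other" class.
can_read() {
    uid=$1; gid=$2; supp=$3; fuid=$4; fgid=$5; mode=$6
    [ "$uid" -eq 0 ] && return 0
    owner_d=$(printf '%s' "$mode" | cut -c1)
    group_d=$(printf '%s' "$mode" | cut -c2)
    other_d=$(printf '%s' "$mode" | cut -c3)
    if [ "$uid" -eq "$fuid" ]; then
        has_read "$owner_d"; return
    fi
    if [ "$gid" -eq "$fgid" ]; then
        has_read "$group_d"; return
    fi
    for g in $supp; do
        if [ "$g" -eq "$fgid" ]; then
            has_read "$group_d"; return
        fi
    done
    has_read "$other_d"
}

# proc_identity STATUS_TEXT -> prints "euid egid [supplementary gids...]".
# In /proc/PID/status the Uid:/Gid: lines hold real, effective, saved and fs ids;
# the effective id is the second value, i.e. awk field 3.
proc_identity() {
    printf '%s\n' "$1" | awk '
        $1 == "Uid:"    { uid = $3 }
        $1 == "Gid:"    { gid = $3 }
        $1 == "Groups:" { for (i = 2; i <= NF; i++) supp = supp " " $i }
        END { printf "%s %s%s\n", uid, gid, supp }'
}

# check_key_access STATUS_TEXT FILE_UID FILE_GID MODE -> prints "readable" or "denied".
check_key_access() {
    ident=$(proc_identity "$1")
    p_uid=${ident%% *}
    rest=${ident#* }
    p_gid=${rest%% *}
    p_supp=${rest#"$p_gid"}
    if can_read "$p_uid" "$p_gid" "$p_supp" "$2" "$3" "$4"; then
        echo readable
    else
        echo denied
    fi
}

# Constructed status excerpt: a hypothetical auth process running as uid/gid 97
# that dropped every supplementary group when it changed identity.
SAMPLE_STATUS='Name:	auth
Uid:	97	97	97	97
Gid:	97	97	97	97
Groups:	'

# Same process, but with gid 100 ("users" in the thread) kept in its group set.
SAMPLE_STATUS_WITH_USERS='Name:	auth
Uid:	97	97	97	97
Gid:	97	97	97	97
Groups:	100 '

main() {
    # client-key.pem as posted: owner root (0), group users (100); mode varied.
    echo "no supplementary groups, key 0440:  $(check_key_access "$SAMPLE_STATUS" 0 100 440)"
    echo "no supplementary groups, key 0444:  $(check_key_access "$SAMPLE_STATUS" 0 100 444)"
    echo "gid 100 in group set, key 0440:     $(check_key_access "$SAMPLE_STATUS_WITH_USERS" 0 100 440)"
}
main
```

If the live `Groups:` line of the process that opens the key lacks gid 100, the "Permission denied (13)" in the log is exactly what this check predicts, and the question becomes how that service is configured to pick up the group, rather than anything about the certificate files themselves.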