Confusion re doveadm pw and protected private keys
Hello,
It seems from this thread at letsencrypt : https://community.letsencrypt.org/t/changing-permissions-for-pem-files/19656 (see especially second post from _az) that doveadm pw now parses all files in the config, even ones not relevant to the pw aspect of the request. If it's not able to access all the files, it terminates prematurely with exit code 89.
The result, at least for anyone using letsencrypt / certbot, is that doveadm pw fatally fails unless run as root, because the config includes the private key, which has permissions 600 root root. This makes the dovecot pw functionality unusable for web apps that want to calculate a password hash using it (e.g. RoundCube's password change feature).
My understanding is that dovecot only really needs the private key for its main functionality, when it's running as root, and that there's no reason doveadm pw, which should (presumably) often be run as a regular user, needs access to it.
Is this the intended behavior, or have I got something wrong?
Thanks for all help,
Paul
On 18/04/2023 02:03 EEST Paul Kroitor <paul@kroitor.ca> wrote:
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Hi!
This is a bug, but you can workaround it with
ssl=no
!include_try ssl.conf
and put in ssl.conf
ssl=yes
ssl_cert=</path
ssl_key=</path
or try with 2.3.20.
Aki
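The split layout Aki describes, written out as complete files. This is an added example, not text from Aki's message or configuration shipped by the Dovecot project; the file locations (/etc/dovecot/dovecot.conf, /etc/dovecot/conf.d/ssl.conf) and the Let's Encrypt live directory for mail.example.com are assumptions to be replaced with your own.

```conf
# --- BEFORE (assumed layout): /etc/dovecot/dovecot.conf with the TLS
# settings inline. "<" tells Dovecot to read the file at parse time, and
# privkey.pem is root:root 0600, so doveadm pw run as an unprivileged user
# dies while parsing the config (exit code 89 in the thread above) before
# it ever hashes the password.
ssl = yes
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key  = </etc/letsencrypt/live/mail.example.com/privkey.pem

# --- AFTER: /etc/dovecot/dovecot.conf
# Default to no TLS, then pull the real TLS settings in from a separate
# file. Unlike !include, !include_try silently skips a file that is missing
# or unreadable. Make ssl.conf itself root-only (see below): a non-root
# caller of doveadm pw then parses a config that says ssl = no and never
# reaches the protected key, while the server, running as root, reads
# ssl.conf and gets ssl = yes with the certificate and key.
ssl = no
!include_try /etc/dovecot/conf.d/ssl.conf

# --- AFTER: /etc/dovecot/conf.d/ssl.conf
# Owned root:root, mode 0600, matching the key it points at. If this file
# stayed world-readable, the include would succeed for everyone and the
# parser would again try (and fail) to open privkey.pem as the caller.
ssl = yes
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key  = </etc/letsencrypt/live/mail.example.com/privkey.pem
```

To check the result, run doveadm pw as the account your web app uses (for example `sudo -u www-data doveadm pw -s SHA512-CRYPT -p 'test'`, with www-data an assumed user name): it should now print a hash instead of exiting with 89. Running `doveconf -n` as root should still show ssl = yes, while the same command as the unprivileged user shows ssl = no, confirming that only root picks up ssl.conf. Note that the TLS settings now live outside the main config, so anyone auditing dovecot.conf alone will not see them; keep that in mind when reviewing the server's TLS configuration.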