[Dovecot] Rootless installation gets ssl-parameters.dat errors
In the logfile, I see this:
dovecot: Mar 18 16:24:30 Error: ssl-build-param: Can't create temporary SSL parameters file /var/lib/dovecot/ssl-parameters.dat.tmp: Permission denied
dovecot: Mar 18 16:24:30 Error: child 21836 (ssl-build-param) returned error 89
dovecot: Mar 18 16:24:30 Error: link(/var/lib/dovecot/ssl-parameters.dat, /usr/local/sb/daniel/rm/trunk/var/run/dovecot/login/ssl-parameters.dat.tmp) failed: Permission denied
dovecot: Mar 18 16:24:30 Error: file_copy(/var/lib/dovecot/ssl-parameters.dat, /usr/local/sb/daniel/rm/trunk/var/run/dovecot/login/ssl-parameters.dat) failed: No such file or directory
It is true that I as a user do not have permissions to read this
file, however, I followed all the instructions to run as a rootless
user. I don't seem to be able to specify anywhere where this
ssl-parameters file should be copied from.
Please note, I'm running this as user daniel (not root).
Btw, there seems to have been a ssl_parameters_file keyword in the
past, but it doesn't work with my version (nor with the latest 1.0.13).
Non-SSL IMAP works fine, but obviously SSL has issues.
Thank you in advance for any help,
Daniel
#### SYSTEM INFO #####################################
$ dovecot --version
1.0.rc15
$ uname -a
Linux myhost.com 2.6.22.18-vs2.3.0.32.1 #1 SMP Mon Feb 11 07:07:23 EST 2008 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/redhat-release
CentOS release 5 (Final)
#### CONFIG FILE ####################################
$ perl -e 'for (<>){ next if /^\s*(#|$)/; print $_; }' dovecot.conf
base_dir = /usr/local/sb/daniel/rm/trunk/var/run/dovecot
protocols = imap imaps
protocol imap {
  listen = *:8300
  ssl_listen = *:8301
}
log_path = /usr/local/sb/daniel/rm/trunk/var/logs/dovecot.log
info_log_path = /usr/local/sb/daniel/rm/trunk/var/logs/dovecot.info.log
ssl_cert_file = /usr/local/sb/daniel/rm/trunk/etc/dovecot.cert.pem
ssl_key_file =/usr/local/sb/daniel/rm/trunk/etc/dovecot.private.pem
login_chroot = no
login_user = daniel
login_process_size = 64
login_greeting = daniel's Dovecot ready.
mail_location = mbox:/usr/local/sb/daniel/rm/trunk/var/mail:INBOX=/usr/local/sb/daniel/rm/trunk/var/mail/INBOX
mail_debug = yes
protocol imap {
}
protocol pop3 {
}
protocol lda {
  postmaster_address = postmaster@example.com
}
auth default {
  mechanisms = plain
  passdb passwd-file {
    args = /usr/local/sb/daniel/rm/trunk/var/dovecot.passwd
  }
  userdb passwd {
  }
  userdb passwd-file {
    args = /usr/local/sb/daniel/rm/trunk/var/dovecot.passwd
  }
  user = daniel
}
dict {
}
plugin {
}
On Tue, 2008-03-18 at 17:55 -0700, Daniel Bretoi wrote:
> In the logfile, I see this:
> dovecot: Mar 18 16:24:30 Error: ssl-build-param: Can't create temporary SSL parameters file /var/lib/dovecot/ssl-parameters.dat.tmp: Permission denied
This path isn't configurable after installation. If you want to change it, use configure --localstatedir parameter.
> It is true that I as a user do not have permissions to read this
> file, however, I followed all the instructions to run as a rootless
> user. I don't seem to be able to specify anywhere where this ssl-parameters file should be copied from.
Did you also give configure --prefix=$HOME? It should have put localstatedir under home directory.
> base_dir = /usr/local/sb/daniel/rm/trunk/var/run/dovecot
I guess not, because you wouldn't need this either when prefix was set correctly.
> 1.0.rc15
Also since you're already compiling Dovecot yourself, would be a good idea to use a newer version than rc15.
On Mar 18, 2008, at 10:15 PM, Timo Sirainen wrote:
> On Tue, 2008-03-18 at 17:55 -0700, Daniel Bretoi wrote:
> > In the logfile, I see this:
> > dovecot: Mar 18 16:24:30 Error: ssl-build-param: Can't create temporary SSL parameters file /var/lib/dovecot/ssl-parameters.dat.tmp: Permission denied
> This path isn't configurable after installation. If you want to change it, use configure --localstatedir parameter.
I think this is the only thing between me and doing a rootless run
without having to install it myself. Is there any reason why you took
the ssl_parameters_file out?
Dovecot needs to be accessible by other users as this is a sandbox
environment to test an IMAP client we are developing. I don't like to
make installs that are independent of the system's package-management
system.
It would be useful to be able to run Dovecot rootless without having
to make your own build. Also, the location of the ssl-parameters.dat
would change per user since it's in a sandbox environment for us.
> > It is true that I as a user do not have permissions to read this file, however, I followed all the instructions to run as a rootless user. I don't seem to be able to specify anywhere where this ssl-parameters file should be copied from.
> Did you also give configure --prefix=$HOME? It should have put localstatedir under home directory.
> > base_dir = /usr/local/sb/daniel/rm/trunk/var/run/dovecot
> I guess not, because you wouldn't need this either when prefix was set correctly.
> > 1.0.rc15
> Also since you're already compiling Dovecot yourself, would be a good idea to use a newer version than rc15.
I only compiled the latest version to see if the ssl_parameters_file
was present in new builds so I didn't waste your time with something
that has been solved already, but for reasons stated above, it's not
practical for me to do compiles and I prefer to use the system package.
Thanks for your quick response, and an excellent IMAP client.
Daniel
> I think this is the only thing between me and doing a rootless run without having to install it myself. Is there any reason why you took the ssl_parameters_file out? Dovecot needs to be accessible by other users as this is a sandbox environment to test an IMAP client we are developing. I don't like to make installs that are independent of the system's package-management system.
> It would be useful to be able to run Dovecot rootless without having to make your own build. Also, the location of the ssl-parameters.dat would change per user since it's in a sandbox environment for us.
Could you use a symlink as a workaround?
Ed
What I did was just to chmod the appropriate directories and files so
all users could read them. I don't know if it will work properly but
it'll be tested soon enough.
I still find it very strange that that's something that's configured
at compile-time as opposed to run-time.
-d
On Mar 19, 2008, at 11:01 AM, Ed W wrote:
> > I think this is the only thing between me and doing a rootless run
> > without having to install it myself. Is there any reason why you
> > took the ssl_parameters_file out? Dovecot needs to be accessible by
> > other users as this is a sandbox environment to test an IMAP client
> > we are developing. I don't like to make installs that are
> > independent of the system's package-management system.
> > It would be useful to be able to run Dovecot rootless without
> > having to make your own build. Also, the location of the
> > ssl-parameters.dat would change per user since it's in a sandbox
> > environment for us.
> Could you use a symlink as a workaround?
> Ed
On Wed, 2008-03-19 at 09:12 -0700, Daniel Bretoi wrote:
> It would be useful to be able to run Dovecot rootless without having
> to make your own build. Also, the location of the ssl-parameters.dat
> would change per user since it's in a sandbox environment for us.
I think one of the reasons I didn't bother to make it configurable was because there's really no need to create more than one ssl-parameters.dat file. In fact many servers create none, they just use the SSL library's default built-in one.
On Mar 20, 2008, at 5:53 AM, Timo Sirainen wrote:
> On Wed, 2008-03-19 at 09:12 -0700, Daniel Bretoi wrote:
> > It would be useful to be able to run Dovecot rootless without having to make your own build. Also, the location of the ssl-parameters.dat would change per user since it's in a sandbox environment for us.
> I think one of the reasons I didn't bother to make it configurable was because there's really no need to create more than one ssl-parameters.dat file. In fact many servers create none, they just
> use the SSL library's default built-in one.
That's all well and good if you have root access to modify the
permissions on that file which, with a rootless install, the
possibility is very likely to exist that you don't.
Anyway, I can only suggest it be done. :)
Thanks!
-d
participants (3)
- Daniel Bretoi
- Ed W
- Timo Sirainen