[Dovecot] dovecot -n FATAL
Hi List,
Im new to postfix-dovecot and im mystified by the following results in ubuntu 10.04lts
:~$ dovecot -n
1.2.9: /etc/dovecot/dovecot.conf
Error: ssl_key_file: Can't use /etc/ssl/private/ssl-mail.key: Permission denied Fatal: Invalid configuration in /etc/dovecot/dovecot.conf
~$ sudo ls -dl /etc/ssl/private/ssl-mail.key lrwxrwxrwx 1 root root 38 2013-11-27 08:35 /etc/ssl/private/ssl-mail.key -> /etc/ssl/private/ssl-cert-snakeoil.key
Why is dovecot happily delivering mail to local accounts ( thats all i use atm) without being able to access the ssl key, and how can i fix this problem so i can run dovecot -n successfully. i have tried 'chown dovecot' etc but there was no change in dovecot -n output. Any and all help is appreciated.
Phil
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Thu, 6 Feb 2014, Phil wrote:
Im new to postfix-dovecot
and Unix/Linux, too?
You show us the symbolic link, which has all Unix permissions usually. The interessting file is the final target, e.g. /etc/ssl/private/ssl-cert-snakeoil.key if that is no symlink as well, and the permissions of all directories to it.
For instance, Debian uses the perms for the private dir:
drwx--x--- 2 root ssl-cert 4096 Jul 4 2012 /etc/ssl/private/
I think it looks the same on your Ubuntu machine. So add the Dovecot user to group ssl-cert to let it enter the directory at all. The Snakeoil key is usually group-readable for ssl-cert, too. So no change of permissions necessary there as well.
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux)
iQEVAwUBUvM4j3D1/YhP6VMHAQI+Lwf+Omv0MmhRC1Cu/bddxt1rbubrlWEV1s9u PjqHWj09scGsdZnPASq6ZpTr2LrQXOoGDFrZou3D8vQ1tz3urXBB+jcXJKCJVKQb Ig8bt/IXXDRhMj2PANGkRMGg/y2kD/xnokqUv49ixrLTwoTh4JtE9p4AQY+CDuYD bJJnyuMVHIsTPQ/VupTM7wneGlJ6HoDMF66JtyOeL1Y9X9YObhOvxSOPONfIhkKW bDtYsuFi7nFdNUNObnYUXgxgihwwtzFVP0B/wRfM7j8G6cPNVA3jJ231rh8YfI/v I1qIowj0/IeQPE7h+CuFB4a5+iqL8dT+vaoPxUbKROv44KFsrOlH5g== =jr4s -----END PGP SIGNATURE-----
On 6/02/2014 6:23 PM, Steffen Kaiser wrote:
Technically yes! Less than 2 years experience running a live server . . .
I did this and my perms look like thus now:
total 8 -rw------- 1 root dovecot 887 2013-11-25 11:33 dovecot.pem -rw-r----- 1 dovecot ssl-cert 887 2013-11-17 12:27 ssl-cert-snakeoil.key lrwxrwxrwx 1 root root 38 2013-11-27 08:35 ssl-mail.key -> /etc/ssl/priv ate/ssl-cert-snakeoil.key
and dovecot -n is the same, as i said before its delivering mail ok i would ike to fix this and hopefully understand it a bit better. Thanks.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Thu, 6 Feb 2014, Phil wrote:
:~$ dovecot -n
which user do you use to invoke doveconf?
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux)
iQEVAwUBUvNJqHD1/YhP6VMHAQJ3Lgf+Ps600Auk/E1MTAoZGSVv/npV90Z66g4J 6tGlZ2Afa8KuxAANNrE/jqdKX+7y0iJnpzbhURnM28e6/aqeao5CA76EqBmvg+Mx fiMmYewA2l6lPqArRU4iFDs16H9wK4ZQNEuBgQUOentOS7O6FSlWfxrdpYGn0lQk 3nmBhjUOZobJhrs6NB8vxtBc1e+t2bxJdMlvzCQV39IUsplQ89EPf9j7VthLVsVy SXAIimJJ/AsaAG6m0Qvbm5FTnPrlAWlpwsy8AyyfAjmpZxOleprNdTV1iEjQsRL5 ismx4mEluOo4BuMSlHavoSMo1ngGlWRGMHqsjkR05JHDOAQACzWuvg== =I/Cq -----END PGP SIGNATURE-----
Am 06.02.2014 09:29, schrieb Phil:
for the sake of correctness:
- the server process owning config files is generally bad
- ssl-certs are opened with root permissions at startup
- that is why chmod 0400 and owner/group root are the recommended perms for certificates
- the same for Apache httpd and Postfix
- only Apache Trafficserver opens certs as ats-user (fow now)
the only thing where permissions could be relevant at all in context of ssl-certificates is if someone removes the execture permissions from one of the parents folders
on 6/02/2014 11:43 PM, Reindl Harald wrote:
Thanks Reindl, My setup is very default according to the documantation available online. I am self taught off the net and sometimes struggle with issues as there is nobody around to ask, after reading your reply i removed dovecot from the group ssl-cert, and everything is fine, my mistake was not passing the dovecot -n command with root priveleges, again i sincerely apologise for my noobish mistake. Phil
participants (4)
-
Phil
-
Reindl Harald
-
Steffen Kaiser
-
Tom Hendrikx