[Dovecot] dovecot -n FATAL
Hi List,
I'm new to postfix-dovecot and I'm mystified by the following results in Ubuntu 10.04 LTS:
:~$ dovecot -n
# 1.2.9: /etc/dovecot/dovecot.conf
Error: ssl_key_file: Can't use /etc/ssl/private/ssl-mail.key: Permission denied
Fatal: Invalid configuration in /etc/dovecot/dovecot.conf

~$ sudo ls -dl /etc/ssl/private/ssl-mail.key
lrwxrwxrwx 1 root root 38 2013-11-27 08:35 /etc/ssl/private/ssl-mail.key -> /etc/ssl/private/ssl-cert-snakeoil.key
Why is dovecot happily delivering mail to local accounts (that's all I use atm) without being able to access the SSL key, and how can I fix this problem so I can run dovecot -n successfully? I have tried 'chown dovecot' etc. but there was no change in the dovecot -n output. Any and all help is appreciated.
Phil
On Thu, 6 Feb 2014, Phil wrote:
> I'm new to postfix-dovecot
and Unix/Linux, too?
> and I'm mystified by the following results in Ubuntu 10.04 LTS:
> :~$ dovecot -n
> # 1.2.9: /etc/dovecot/dovecot.conf
> Error: ssl_key_file: Can't use /etc/ssl/private/ssl-mail.key: Permission denied
> Fatal: Invalid configuration in /etc/dovecot/dovecot.conf
>
> ~$ sudo ls -dl /etc/ssl/private/ssl-mail.key
> lrwxrwxrwx 1 root root 38 2013-11-27 08:35 /etc/ssl/private/ssl-mail.key -> /etc/ssl/private/ssl-cert-snakeoil.key
You show us the symbolic link, which usually has all Unix permissions. The interesting file is the final target, e.g. /etc/ssl/private/ssl-cert-snakeoil.key if that is not a symlink as well, and the permissions of all directories leading to it.
For instance, Debian uses these perms for the private dir:
drwx--x--- 2 root ssl-cert 4096 Jul 4 2012 /etc/ssl/private/
I think it looks the same on your Ubuntu machine. So add the Dovecot user to group ssl-cert to let it enter the directory at all. The Snakeoil key is usually group-readable for ssl-cert, too. So no change of permissions is necessary there either.
Steffen Kaiser
On 6/02/2014 6:23 PM, Steffen Kaiser wrote:
> On Thu, 6 Feb 2014, Phil wrote:
>> I'm new to postfix-dovecot
> and Unix/Linux, too?
Technically yes! Less than 2 years experience running a live server . . .
>> and I'm mystified by the following results in Ubuntu 10.04 LTS:
>> :~$ dovecot -n
>> # 1.2.9: /etc/dovecot/dovecot.conf
>> Error: ssl_key_file: Can't use /etc/ssl/private/ssl-mail.key: Permission denied
>> Fatal: Invalid configuration in /etc/dovecot/dovecot.conf
>>
>> ~$ sudo ls -dl /etc/ssl/private/ssl-mail.key
>> lrwxrwxrwx 1 root root 38 2013-11-27 08:35 /etc/ssl/private/ssl-mail.key -> /etc/ssl/private/ssl-cert-snakeoil.key
> You show us the symbolic link, which usually has all Unix permissions. The interesting file is the final target, e.g. /etc/ssl/private/ssl-cert-snakeoil.key if that is not a symlink as well, and the permissions of all directories leading to it.
> For instance, Debian uses these perms for the private dir:
> drwx--x--- 2 root ssl-cert 4096 Jul 4 2012 /etc/ssl/private/
> I think it looks the same on your Ubuntu machine. So add the Dovecot user to group ssl-cert to let it enter the directory at all. The Snakeoil key is usually group-readable for ssl-cert, too. So no change of permissions is necessary there either.
I did this and my perms look like this now:
total 8
-rw------- 1 root    dovecot  887 2013-11-25 11:33 dovecot.pem
-rw-r----- 1 dovecot ssl-cert 887 2013-11-17 12:27 ssl-cert-snakeoil.key
lrwxrwxrwx 1 root    root      38 2013-11-27 08:35 ssl-mail.key -> /etc/ssl/private/ssl-cert-snakeoil.key
and dovecot -n is the same. As I said before, it's delivering mail OK; I would like to fix this and hopefully understand it a bit better. Thanks.
On 02/06/2014 09:29 AM, Phil wrote:
> On 6/02/2014 6:23 PM, Steffen Kaiser wrote:
>> On Thu, 6 Feb 2014, Phil wrote:
>>> I'm new to postfix-dovecot
>> and Unix/Linux, too?
> Technically yes! Less than 2 years experience running a live server . . .
>>> and I'm mystified by the following results in Ubuntu 10.04 LTS:
>>> :~$ dovecot -n
>>> # 1.2.9: /etc/dovecot/dovecot.conf
>>> Error: ssl_key_file: Can't use /etc/ssl/private/ssl-mail.key: Permission denied
>>> Fatal: Invalid configuration in /etc/dovecot/dovecot.conf
looks like a non-root prompt ...
>>> ~$ sudo ls -dl /etc/ssl/private/ssl-mail.key
>>> lrwxrwxrwx 1 root root 38 2013-11-27 08:35 /etc/ssl/private/ssl-mail.key -> /etc/ssl/private/ssl-cert-snakeoil.key
using sudo here, so yes...
Since doveconf reads the SSL cert, the user that runs doveconf needs access to the file too. Try again as root (or using sudo)...
Regards, Tom
On 6/02/2014 7:33 PM, Tom Hendrikx wrote:
> On 02/06/2014 09:29 AM, Phil wrote:
>> On 6/02/2014 6:23 PM, Steffen Kaiser wrote:
>>> On Thu, 6 Feb 2014, Phil wrote:
>>>> I'm new to postfix-dovecot
>>> and Unix/Linux, too?
>> Technically yes! Less than 2 years experience running a live server . . .
>>>> and I'm mystified by the following results in Ubuntu 10.04 LTS:
>>>> :~$ dovecot -n
>>>> # 1.2.9: /etc/dovecot/dovecot.conf
>>>> Error: ssl_key_file: Can't use /etc/ssl/private/ssl-mail.key: Permission denied
>>>> Fatal: Invalid configuration in /etc/dovecot/dovecot.conf
> looks like a non-root prompt ...
Well spotted Tom, and many thanks; I can run the command successfully now. And apologies for the noob error . . .
>>>> ~$ sudo ls -dl /etc/ssl/private/ssl-mail.key
>>>> lrwxrwxrwx 1 root root 38 2013-11-27 08:35 /etc/ssl/private/ssl-mail.key -> /etc/ssl/private/ssl-cert-snakeoil.key
> using sudo here, so yes...
> Since doveconf reads the SSL cert, the user that runs doveconf needs access to the file too. Try again as root (or using sudo)...
> Regards, Tom
On Thu, 6 Feb 2014, Phil wrote:
> :~$ dovecot -n
which user do you use to invoke doveconf?
Steffen Kaiser
On 6/02/2014 7:36 PM, Steffen Kaiser wrote:
> On Thu, 6 Feb 2014, Phil wrote:
>> :~$ dovecot -n
> which user do you use to invoke doveconf?
From now on root :-) Thanks for your help Steffen.
On 06.02.2014 09:29, Phil wrote:
> On 6/02/2014 6:23 PM, Steffen Kaiser wrote:
>> You show us the symbolic link, which usually has all Unix permissions. The interesting file is the final target, e.g. /etc/ssl/private/ssl-cert-snakeoil.key if that is not a symlink as well, and the permissions of all directories leading to it.
>> For instance, Debian uses these perms for the private dir:
>> drwx--x--- 2 root ssl-cert 4096 Jul 4 2012 /etc/ssl/private/
>> I think it looks the same on your Ubuntu machine. So add the Dovecot user to group ssl-cert to let it enter the directory at all. The Snakeoil key is usually group-readable for ssl-cert, too. So no change of permissions is necessary there either.
> I did this and my perms look like this now:
> total 8
> -rw------- 1 root    dovecot  887 2013-11-25 11:33 dovecot.pem
> -rw-r----- 1 dovecot ssl-cert 887 2013-11-17 12:27 ssl-cert-snakeoil.key
> lrwxrwxrwx 1 root    root      38 2013-11-27 08:35 ssl-mail.key -> /etc/ssl/private/ssl-cert-snakeoil.key
for the sake of correctness:
- the server process owning config files is generally bad
- ssl-certs are opened with root permissions at startup
- that is why chmod 0400 and owner/group root are the recommended perms for certificates
- the same for Apache httpd and Postfix
- only Apache Trafficserver opens certs as ats-user (for now)
the only thing where permissions could be relevant at all in the context of ssl-certificates is if someone removes the execute permission from one of the parent folders
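Steffen's point (the symlink's lrwxrwxrwx bits decide nothing; what counts is the target and the search bit on every directory on the way) and Reindl's (the key is read by root at startup, so 0400 root:root is the baseline and a missing execute bit on a parent directory is the one thing that can still break it) both come down to the per-component check the kernel performs on open(). The script below is an added example, not code from this thread or from Dovecot: it re-implements that check so a "Permission denied" on a key path can be attributed to the exact directory or file that blocks a given uid and set of gids, shows why the same path succeeds for uid 0, and lists how a key's mode and ownership deviate from the 0400 root:root baseline. The directory tree it builds under a temporary directory (private/ 0710, a 0640 key, ssl-mail.key as a relative symlink to it) is constructed to mirror the listing posted above; the function names and the `start` parameter (components above it are assumed reachable, so the fixture can live anywhere) are this example's own conventions.

```python
import os
import stat
import tempfile


def _class_allowed(st, uid, gids, ubit, gbit, obit):
    """Unix mode-bit check for one component; uid 0 bypasses read and search,
    which is why `sudo dovecot -n` works where the same command as a user fails."""
    if uid == 0:
        return True
    bit = ubit if st.st_uid == uid else gbit if st.st_gid in gids else obit
    return bool(st.st_mode & bit)


def _split_under(abs_path, start):
    """(base_dir, components) to walk; anything above `start` is assumed already
    reachable (example's own convention so the demo tree can live anywhere)."""
    start = os.path.abspath(start)
    if abs_path == start or abs_path.startswith(start.rstrip(os.sep) + os.sep):
        rel = os.path.relpath(abs_path, start)
        return start, [c for c in rel.split(os.sep) if c not in ("", ".")]
    return os.sep, [c for c in abs_path.split(os.sep) if c]


def trace_access(path, uid, gids, start=os.sep, max_links=40):
    """Walk `path` component by component as the kernel does: each directory on
    the way needs the search (x) bit, the final file the read bit; symlinks are
    followed. Returns (ok, steps) with one (path, mode, verdict) per component."""
    steps, links = [], 0
    cur, todo = _split_under(os.path.abspath(path), start)
    while todo:
        here = os.path.join(cur, todo.pop(0))
        st = os.lstat(here)
        if stat.S_ISLNK(st.st_mode):
            links += 1
            if links > max_links:
                raise OSError("too many levels of symbolic links: %s" % path)
            target = os.readlink(here)
            # The link's own lrwxrwxrwx bits decide nothing; the target's
            # components are queued in front of whatever remains.
            steps.append((here, stat.filemode(st.st_mode), "symlink -> " + target))
            if os.path.isabs(target):
                cur, tparts = _split_under(os.path.normpath(target), start)
            else:
                tparts = [c for c in target.split(os.sep) if c not in ("", ".")]
            todo = tparts + todo
            continue
        if todo:  # intermediate component: must be a searchable directory
            ok = stat.S_ISDIR(st.st_mode) and _class_allowed(
                st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
            verdict = "search ok" if ok else "search denied"
        else:     # final component: must be readable
            ok = _class_allowed(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
            verdict = "read ok" if ok else "read denied"
        steps.append((here, stat.filemode(st.st_mode), verdict))
        if not ok:
            return False, steps
        cur = here
    return True, steps


def key_hardening_findings(st_mode, st_uid, st_gid):
    """Deviations from the 0400 root:root baseline (the daemon reads the key as
    root at startup, so nobody else needs access); empty list = matches."""
    perm, findings = stat.S_IMODE(st_mode), []
    if st_uid != 0:
        findings.append("owned by uid %d, not root" % st_uid)
    if perm & stat.S_IRWXG:
        findings.append("group (gid %d) has access, mode %04o" % (st_gid, perm))
    if perm & stat.S_IRWXO:
        findings.append("world has access, mode %04o" % perm)
    if perm & (stat.S_IWUSR | stat.S_IXUSR):
        findings.append("owner has write/execute, mode %04o; 0400 is enough" % perm)
    return findings


def build_demo_tree(root):
    """Constructed fixture mirroring the thread's listing: private/ 0710 (group
    may enter but not list), key 0640, ssl-mail.key symlinked to it."""
    private = os.path.join(root, "private")
    os.mkdir(private)
    os.chmod(private, 0o710)
    key = os.path.join(private, "ssl-cert-snakeoil.key")
    with open(key, "w") as fh:
        fh.write("constructed placeholder, not a real key\n")
    os.chmod(key, 0o640)
    link = os.path.join(private, "ssl-mail.key")
    os.symlink("ssl-cert-snakeoil.key", link)
    return key, link


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        key, link = build_demo_tree(tmp)
        st = os.stat(key)
        me, gid = st.st_uid, st.st_gid
        for label, uid, gids in (("owner", me, {gid}), ("group member", me + 1, {gid}),
                                 ("outsider", me + 1, {gid + 1}), ("root", 0, set())):
            ok, steps = trace_access(link, uid, gids, start=tmp)
            print("%-12s %s" % (label, "OK" if ok else "DENIED"))
            for p, mode, verdict in steps:
                print("    %s  %-24s %s" % (mode, os.path.relpath(p, tmp), verdict))
        print("\n".join("finding: " + f for f in key_hardening_findings(st.st_mode, me, gid)))
```

Run it and the "outsider" identity is refused at private/ with "search denied" before the key is ever reached, which is the situation in the original post (the dovecot -n was run as an unprivileged user, not the symlink's fault); "root" passes regardless of the bits. On a real system, `namei -l /etc/ssl/private/ssl-mail.key` from util-linux prints the same per-component owner/mode view including the symlink hop; the point of the script is that it evaluates the bits for an arbitrary uid and gid set, so it can be run as root and still show what the dovecot user would hit.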
On 6/02/2014 11:43 PM, Reindl Harald wrote:
> On 06.02.2014 09:29, Phil wrote:
>> On 6/02/2014 6:23 PM, Steffen Kaiser wrote:
>>> You show us the symbolic link, which usually has all Unix permissions. The interesting file is the final target, e.g. /etc/ssl/private/ssl-cert-snakeoil.key if that is not a symlink as well, and the permissions of all directories leading to it.
>>> For instance, Debian uses these perms for the private dir:
>>> drwx--x--- 2 root ssl-cert 4096 Jul 4 2012 /etc/ssl/private/
>>> I think it looks the same on your Ubuntu machine. So add the Dovecot user to group ssl-cert to let it enter the directory at all. The Snakeoil key is usually group-readable for ssl-cert, too. So no change of permissions is necessary there either.
>> I did this and my perms look like this now:
>> total 8
>> -rw------- 1 root    dovecot  887 2013-11-25 11:33 dovecot.pem
>> -rw-r----- 1 dovecot ssl-cert 887 2013-11-17 12:27 ssl-cert-snakeoil.key
>> lrwxrwxrwx 1 root    root      38 2013-11-27 08:35 ssl-mail.key -> /etc/ssl/private/ssl-cert-snakeoil.key
> for the sake of correctness:
> - the server process owning config files is generally bad
> - ssl-certs are opened with root permissions at startup
> - that is why chmod 0400 and owner/group root are the recommended perms for certificates
> - the same for Apache httpd and Postfix
> - only Apache Trafficserver opens certs as ats-user (for now)
> the only thing where permissions could be relevant at all in the context of ssl-certificates is if someone removes the execute permission from one of the parent folders
Thanks Reindl. My setup is very default, according to the documentation available online. I am self-taught off the net and sometimes struggle with issues as there is nobody around to ask. After reading your reply I removed dovecot from the group ssl-cert, and everything is fine; my mistake was not running the dovecot -n command with root privileges. Again, I sincerely apologise for my noobish mistake. Phil
participants (4): Phil, Reindl Harald, Steffen Kaiser, Tom Hendrikx