Sync via ssh fails when ssl is active
I have computers at two different locations and one computer running dovecot at each place. I sync my emails between these two servers using ssh and I haven't had any problems with this lately until I upgraded dovecot recently.
I now get the following error at location "alfa" when trying to sync with dovecot at location "delta":
Jan 20 16:13:09 doveadm: Error: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 16: ssl_cert: Can't open file /etc/letsencrypt/live/delta.oxyl.net/fullchain.pem: Permission denied
Jan 20 16:13:09 dsync-local(johan@oxyl.net)<FWBVNQN86WH52iQA1AGq6A>: Error: read(vmail@192.168.119.12) failed: EOF (version not received)
Jan 20 16:13:09 dsync-local(johan@oxyl.net)<FWBVNQN86WH52iQA1AGq6A>: Error: Remote command returned error 89: ssh -q -p 22 -o StrictHostKeyChecking=no -i /datastorage/epost/vmail/.ssh/id_ecdsa -lvmail 192.168.119.12 doveadm dsync-server -ujohan@oxyl.net
Trying to sync from "delta" I get the same error but the domain is changed in the error-message to 'alfa.oxyl.net'
I can read mail at both locations using STARTTLS. There is no error in dovecot.log when I restart the service. If I disable ssl and comment out ssl_cert/ssl_key in 10-ssl.conf I have no trouble performing sync between servers.
If I run the ssh-command in the error-message as user vmail I get the same ssl-error as above.
Any ideas how to solve this?
/Johan Pålsson
Hello
On 20.01.22 at 16:32, Johan wrote:
> Jan 20 16:13:09 doveadm: Error: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 16: ssl_cert: Can't open file /etc/letsencrypt/live/delta.oxyl.net/fullchain.pem: Permission denied
Check permission on /etc/letsencrypt/live/delta.oxyl.net/fullchain.pem
Kind regards, Christian Mack
-- Christian Mack Universität Konstanz Kommunikations-, Informations-, Medienzentrum (KIM) Abteilung IT-Dienste Forschung und Lehre 78457 Konstanz +49 7531 88-4416
I have set privileges to 755 for letsencrypt/live and letsencrypt/archive and sync now seems to function properly.
BUT, I shouldn't have to change privileges as it's a serious SECURITY issue. My *private* keys become visible to any user in the system. Dovecot obviously can access the cert when it comes to imap/ssl, then why does sync between dovecot servers require extended privileges to the same certs the server is already using?
/Johan Pålsson
On 25/01/2022 15:35 Christian Mack christian.mack@uni-konstanz.de wrote:
> Hello
> On 20.01.22 at 16:32, Johan wrote:
> > Jan 20 16:13:09 doveadm: Error: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 16: ssl_cert: Can't open file /etc/letsencrypt/live/delta.oxyl.net/fullchain.pem: Permission denied
> Check permission on /etc/letsencrypt/live/delta.oxyl.net/fullchain.pem
> Kind regards, Christian Mack
This is probably because of a known issue...
You need to configure

    ssl=no
    !include_try ssl.conf

and put in ssl.conf

    ssl=yes
    ssl_cert=

then change permissions on ssl.conf to 0600 root:root
Aki
I realize I forgot some information...
I'm running Debian 11 on both servers and dovecot is installed using debian-packages, version 2.3.13 (89f716dc2)
/Johan Pålsson
On 2022-01-20, Johan johan@oxyl.net wrote:
> I have computers at two different locations and one computer running dovecot at each place. I sync my emails between these two servers using ssh and I haven't had any problems with this lately until I upgraded dovecot recently.
> I now get the following error at location "alfa" when trying to sync with dovecot at location "delta"
> Jan 20 16:13:09 doveadm: Error: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 16: ssl_cert: Can't open file /etc/letsencrypt/live/delta.oxyl.net/fullchain.pem: Permission denied
This is a problem that was introduced in 2.3.11 and fixed in 2.3.17.
Updating would be better, but as a workaround you can move the ssl_key line to a separate config file, make it only readable by root, and use e.g.
!include_try /etc/dovecot/ssl-keys.conf
to pull it in.
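The workaround from Aki's and Stuart's replies, as an added shell example that is not part of any poster's message: it follows Aki's layout (ssl = no in the world-readable file, the real ssl, ssl_cert and ssl_key settings in a 0600 include pulled in with !include_try) and runs against a constructed config in a scratch directory. The helper names split_ssl_conf and mode_is_private and the mail.example.org paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). split_ssl_conf and mode_is_private
# are hypothetical helper names; all paths below are constructed.

# split_ssl_conf MAIN SECRET
# Moves the ssl, ssl_cert and ssl_key settings from MAIN into SECRET
# (mode 0600), then leaves "ssl = no" plus an !include_try line in MAIN.
split_ssl_conf() {
    main=$1
    secret=$2
    pattern='^[[:space:]]*ssl(_cert|_key)?[[:space:]]*='

    grep -Eq "$pattern" "$main" || return 1   # nothing to move

    # Create the secret file private from the first byte written.
    ( umask 077 && grep -E "$pattern" "$main" > "$secret" ) || return 1
    chmod 600 "$secret"
    # root:root ownership needs root; skipped when run unprivileged.
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$secret"; fi

    # Rewrite MAIN in place (cat > keeps its inode, owner and mode).
    tmp=$(mktemp) || return 1
    # grep exits 1 when no lines remain; only a real error (>1) aborts.
    grep -Ev "$pattern" "$main" > "$tmp" || [ $? -eq 1 ] || return 1
    printf 'ssl = no\n!include_try %s\n' "$secret" >> "$tmp"
    cat "$tmp" > "$main"
    rm -f "$tmp"
}

# mode_is_private FILE: true only if group and other have no access bits.
mode_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample config in a scratch directory.
work=$(mktemp -d)
cat > "$work/10-ssl.conf" <<'EOF'
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.example.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.org/privkey.pem
ssl_min_protocol = TLSv1.2
EOF
chmod 644 "$work/10-ssl.conf"

split_ssl_conf "$work/10-ssl.conf" "$work/ssl-keys.conf"
mode_is_private "$work/ssl-keys.conf" && echo "ssl-keys.conf is private"
echo "--- 10-ssl.conf ---"; cat "$work/10-ssl.conf"
```

On a real server the include would sit at a path such as /etc/dovecot/ssl-keys.conf, the name used in Stuart's reply, and the function would be run as root so the chown takes effect.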
On 2022-01-27 at 10:24, Stuart Henderson wrote:
> This is a problem that was introduced in 2.3.11 and fixed in 2.3.17.
> Updating would be better, but as a workaround you can move the ssl_key line to a separate config file, make it only readable by root, and use e.g.
> !include_try /etc/dovecot/ssl-keys.conf
> to pull it in.
Ok, Thank you for explaining. Good to know I'm not misunderstanding everything.
I choose to switch to dovecot's repository and update. And restore security for certs :)
/Johan Pålsson
participants (4)
- Aki Tuomi
- Christian Mack
- Johan
- Stuart Henderson