[Dovecot] dovecot -n FATAL

Reindl Harald h.reindl at thelounge.net
Thu Feb 6 12:43:46 UTC 2014


Am 06.02.2014 09:29, schrieb Phil:
> On 6/02/2014 6:23 PM, Steffen Kaiser wrote:
>> You show us the symbolic link, which has all Unix permissions usually. The interesting file is the final target,
>> e.g. /etc/ssl/private/ssl-cert-snakeoil.key if that is no symlink as well, and the permissions of all directories
>> to it.
>>
>> For instance, Debian uses the perms for the private dir:
>>
>> drwx--x--- 2 root ssl-cert 4096 Jul  4  2012 /etc/ssl/private/
>>
>> I think it looks the same on your Ubuntu machine. So add
>> the Dovecot user to group ssl-cert to let it enter the directory
>> at all. The Snakeoil key is usually group-readable for ssl-cert, too.
>> So no change of permissions necessary there as well.
> 
> I did this and my perms look like thus now:
> 
> total 8
> -rw------- 1 root    dovecot  887 2013-11-25 11:33 dovecot.pem
> -rw-r----- 1 dovecot ssl-cert 887 2013-11-17 12:27 ssl-cert-snakeoil.key
> lrwxrwxrwx 1 root    root      38 2013-11-27 08:35 ssl-mail.key -> /etc/ssl/private/ssl-cert-snakeoil.key

for the sake of correctness:

* the server process owning config files is generally bad
* ssl-certs are opened with root permissions at startup
* that is why chmod 0400 and owner/group root are the recommended perms for certificates
* the same for Apache httpd and Postfix
* only Apache Trafficserver opens certs as ats-user (for now)

the only thing where permissions could be relevant at all in context of
ssl-certificates is if someone removes the execute permissions from one
of the parent folders
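As an added check that is not part of this thread (it assumes GNU coreutils for `readlink -f` and `stat -c`), the following shell function audits a key path the way the replies above reason about it: it resolves the symlink to its final target, compares the file's mode and owner with the 0400 root:root recommendation, and walks up the parent directories to report any that a process in a given group could not enter because the search ("x") bit is missing.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GNU coreutils
# (`readlink -f`, `stat -c`). The group name passed in is whatever
# group the service process runs as (e.g. ssl-cert in the thread).

# usage: audit_key_path /path/to/key.pem service-group
# Prints one finding per line; returns 0 when nothing was flagged, 1 otherwise.
audit_key_path() {
    key=$1; grp=$2; rc=0
    target=$(readlink -f "$key") || { echo "unresolvable($key)"; return 1; }
    [ -f "$target" ] || { echo "missing-target($target)"; return 1; }

    # The final file: the thread recommends 0400 owned by root, since the
    # key is read with root privileges at startup anyway.
    mode=$(stat -c '%a' "$target")
    [ "$mode" = 400 ] || { echo "mode-$mode($target)"; rc=1; }
    owner=$(stat -c '%U' "$target")
    [ "$owner" = root ] || { echo "owner-$owner($target)"; rc=1; }

    # Every parent directory needs the search bit for the service's group
    # (or for everyone); one missing "x" anywhere up the path is enough
    # to block a non-root opener, which is the case the thread points at.
    dir=$(dirname "$target")
    while :; do
        dmode=$(stat -c '%a' "$dir"); dgrp=$(stat -c '%G' "$dir")
        other_x=$(( dmode % 10 & 1 ))          # last octal digit: others
        group_x=$(( dmode / 10 % 10 & 1 ))     # middle octal digit: group
        if [ "$other_x" -ne 1 ] && { [ "$dgrp" != "$grp" ] || [ "$group_x" -ne 1 ]; }; then
            echo "not-searchable($dir)"; rc=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}
```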

