on 6/02/2014 11:43 PM, Reindl Harald wrote:
Am 06.02.2014 09:29, schrieb Phil:
On 6/02/2014 6:23 PM, Steffen Kaiser wrote:
You show us the symbolic link, which has all Unix permissions usually. The
interessting file is the final target,
e.g. /etc/ssl/private/ssl-cert-snakeoil.key if that is no symlink as well, and
the permissions of all directories
to it.
For instance, Debian uses the perms for the private dir:
drwx--x--- 2 root ssl-cert 4096 Jul 4 2012 /etc/ssl/private/
I think it looks the same on your Ubuntu machine. So add
the Dovecot user to group ssl-cert to let it enter the directory
at all. The Snakeoil key is usually group-readable for ssl-cert, too.
So no change of permissions necessary there as well.
I did this and my perms look like thus now:
total 8
-rw------- 1 root dovecot 887 2013-11-25 11:33 dovecot.pem
-rw-r----- 1 dovecot ssl-cert 887 2013-11-17 12:27 ssl-cert-snakeoil.key
lrwxrwxrwx 1 root root 38 2013-11-27 08:35 ssl-mail.key ->
/etc/ssl/priv ate/ssl-cert-snakeoil.key
for the sake of correctness:
* the server process owning config files is generally bad
* ssl-certs are opened with root permissions at startup
* that is why chmod 0400 and owner/group root are the recommended perms for
certificates
* the same for Apache httpd and Postfix
* only Apache Trafficserver opens certs as ats-user (fow now)
the only thing where permissions could be relevant at all in context of
ssl-certificates is if someone removes the execture permissions from one
of the parents folders
Thanks Reindl,
My setup is very default according to the documantation available
online. I am self taught off the net and sometimes struggle with issues
as there is nobody around to ask, after reading your reply i removed
dovecot from the group ssl-cert, and everything is fine, my mistake was
not passing the dovecot -n command with root priveleges, again i
sincerely apologise for my noobish mistake.
Phil
