Yeah I would imagine it does something like that for that reason indeed.
It is probably the reason for the warning, but root should be able to read
any file regardless of owner as far as I know.
And initially I did make root the owner according to the examples on the
opensmtpd website and even set the permissions
to 600. Basically I recreated the cert exactly the same way that they did
on the website, only with more bits on the cert (16384).

There is a wheel group that my user is in to be able to do root actions
with sudo. But is it a good idea to let other program users be in the same
group? Such as smtpd/smtpq?


On Tue, Feb 18, 2014 at 1:31 PM, Erik LE VACON <[email protected]> wrote:

>  Remember any program trying to open a port < 1024 needs to launch for
> itself a process using uid 0, then after it calls
> setuid/gid(ID_value(usually > 1000)) to lower its privileges.
> Don't know how smtpd works internally, but for sure it has to be root
> during the socket init. So question is: is it still root while reading
> certs and keys, reason for the error you got ?
> OpenBSD proposes a *wheel* group for a daemonID to be able to su for such
> actions. On arch, i don't know...
>
>
>
> Le 18/02/2014 13:10, Isak Andersson a écrit :
>
>  Woops, forgot about the /etc/ssl directory:
>
> ```
> [root@BrutusBjare isak]# ls -l /etc/ | grep ssl
> drwxr-xr-x 5 root root   4096 Feb 17 03:19 ssl
> ```
>
>  Cheers!
>
>
> On Tue, Feb 18, 2014 at 1:04 PM, Isak Andersson <[email protected]> wrote:
>
>>  Hi Erik and Jason!
>>
>>  It sounds very much like it could be an issue with permissions. I have
>> been trying to change the permissions around a little bit and making the
>> owner the smtpd (which is the user that systemd starts it as) user (there
>> is also an smtpq user which I guess does the sending? q for queue?). I
>> still get the same error and an additional warning that the certificate is
>> not owned by uid 0. Here are the errors and permissions:
>>
>> ```
>> [root@BrutusBjare isak]# systemctl restart smtpd
>> Job for smtpd.service failed. See 'systemctl status smtpd.service' and
>> 'journalctl -xn' for details.
>> [root@BrutusBjare isak]# journalctl -xn
>> -- Logs begin at Fri 2013-03-29 01:07:20 UTC, end at Tue 2014-02-18
>> 12:03:16 UTC. --
>> Feb 18 12:00:28 BrutusBjare systemd[1]: Unit smtpd.service entered failed
>> state.
>> Feb 18 12:02:17 BrutusBjare sshd[5738]: pam_unix(sshd:auth):
>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=
>> ns215641.ovh.net  user=root
>> Feb 18 12:02:18 BrutusBjare sshd[5738]: Failed password for root from
>> 94.23.247.130 port 44229 ssh2
>> Feb 18 12:02:18 BrutusBjare sshd[5738]: Received disconnect from
>> 94.23.247.130: 11: Bye Bye [preauth]
>> Feb 18 12:03:16 BrutusBjare systemd[1]: Starting OpenSMTPD...
>> -- Subject: Unit smtpd.service has begun with start-up
>> -- Defined-By: systemd
>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>> --
>> -- Unit smtpd.service has begun starting up.
>> Feb 18 12:03:16 BrutusBjare smtpd[5742]: warn:
>> /etc/ssl/certs/puffinmail.crt: not owned by uid 0
>> Feb 18 12:03:16 BrutusBjare smtpd[5742]: fatal: load_ssl_tree: failed to
>> load certificate file
>> Feb 18 12:03:16 BrutusBjare systemd[1]: smtpd.service: control process
>> exited, code=exited status=1
>> Feb 18 12:03:16 BrutusBjare systemd[1]: Failed to start OpenSMTPD.
>> -- Subject: Unit smtpd.service has failed
>> -- Defined-By: systemd
>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>> -- Documentation:
>> http://www.freedesktop.org/wiki/Software/systemd/catalog/be02cf6855d2428ba40df7e9d022f03d
>> --
>> -- Unit smtpd.service has failed.
>> --
>> -- The result is failed.
>> Feb 18 12:03:16 BrutusBjare systemd[1]: Unit smtpd.service entered failed
>> state.
>> [root@BrutusBjare isak]# smtpd -n
>> warn:  /etc/ssl/certs/puffinmail.crt: not owned by uid 0
>>
>> fatal: load_ssl_tree: failed to load certificate file
>>  [root@BrutusBjare isak]# ls -l /etc/ssl/certs/puffinmail.crt
>> -rw-r--r-- 1 smtpd root 6335 Feb 18 02:02 /etc/ssl/certs/puffinmail.crt
>> [root@BrutusBjare isak]# ls -l /etc/ssl/private/puffinmail.key
>> -rw-r--r-- 1 smtpd root 12603 Feb 18 02:00 /etc/ssl/private/puffinmail.key
>> [root@BrutusBjare isak]#
>> ```
>>
>>  Thanks!
>>
>>
>>  On Tue, Feb 18, 2014 at 12:36 PM, Jason Barbier <[email protected]> wrote:
>>
>>> On , Isak Andersson wrote:
>>>
>>>> Hello!
>>>>
>>>>
>>> HEY!
>>>
>>> *snip*
>>>
>>>  Which is strange because the files are indeed there:
>>>> ```
>>>> BrutusBjare% ls /etc/ssl/certs/puffinmail.crt
>>>> /etc/ssl/certs/puffinmail.crt
>>>> BrutusBjare% ls /etc/ssl/private
>>>>  puffinmail.key
>>>> ```
>>>>
>>>>  *snip*
>>> Could you show us the permissions you have the certs set to, and your
>>> /etc/ssl directory; there may be a chance that OpenSMTPD can not traverse
>>> them or read the cert.
>>>
>>
>>
>
> --
> Erik LE VACON
> 8 Rue de Vaucouleurs
> 75011 Paris
> Tel: +33951715528
> Fax: +33956715528
> email: [email protected] / [email protected] / [email protected]
>
>

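The failure in the journal above is not the kernel refusing access: the daemon opens the file fine and then rejects it by policy ("not owned by uid 0") before any mode check, which is why chowning the cert to `smtpd` made things worse rather than better, and why the `ls -l` output (0644 on `/etc/ssl/private/puffinmail.key`, i.e. a world-readable private key) would fail a permission check next. The program below is an added example written for this page, not OpenSMTPD's own code, reimplementing the kind of owner-and-mode policy such a daemon applies to its key material before loading it. The function names, the `key_check` enum, the error strings and the temp-file helper are all assumptions for illustration; OpenSMTPD's exact checks and messages are not reproduced. It ties Erik's point about ordering to the file check: the open and `fstat()` have to happen while the process is still uid 0, because the 0600 root-owned key the OpenSMTPD examples ask for is unreadable to the unprivileged user the daemon becomes after `setuid()`.

```c
/*
 * Added example, not OpenSMTPD's code: owner/mode policy check on a TLS key,
 * modelled on the "not owned by uid 0" warning in the thread. All names
 * below (key_check, check_key_file, check_temp_with_mode) are assumed.
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum key_check {
    KEY_OK = 0,
    KEY_ERR_OPEN,         /* missing, or caller cannot traverse/read it       */
    KEY_ERR_STAT,
    KEY_ERR_NOT_REGULAR,  /* symlink, directory, device ...                   */
    KEY_ERR_OWNER,        /* not owned by the expected uid (uid 0 for smtpd)  */
    KEY_ERR_MODE          /* any group or other bits set                      */
};

/*
 * Open first, then fstat() the descriptor rather than stat() the path, so the
 * checks apply to the inode that will actually be read and cannot be raced by
 * swapping the path in between. O_NOFOLLOW refuses a symlink planted in the
 * private directory. Call this before dropping privileges: a 0600 root-owned
 * key cannot be opened once the daemon has become an unprivileged user.
 */
enum key_check check_key_file(const char *path, uid_t expected_uid, int *fdp)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);

    if (fd < 0)
        return KEY_ERR_OPEN;
    if (fstat(fd, &st) != 0) {
        close(fd);
        return KEY_ERR_STAT;
    }
    if (!S_ISREG(st.st_mode)) {
        close(fd);
        return KEY_ERR_NOT_REGULAR;
    }
    /* Ownership is tested before mode, so a world-readable file owned by the
     * wrong user reports the ownership problem first, as in the journal. */
    if (st.st_uid != expected_uid) {
        close(fd);
        return KEY_ERR_OWNER;
    }
    if (st.st_mode & (S_IRWXG | S_IRWXO)) {
        close(fd);
        return KEY_ERR_MODE;
    }
    if (fdp != NULL)
        *fdp = fd;   /* hand the already-vetted descriptor to the loader */
    else
        close(fd);
    return KEY_OK;
}

const char *key_check_str(enum key_check rc)
{
    switch (rc) {
    case KEY_OK:              return "ok";
    case KEY_ERR_OPEN:        return "cannot open";
    case KEY_ERR_STAT:        return "fstat failed";
    case KEY_ERR_NOT_REGULAR: return "not a regular file";
    case KEY_ERR_MODE:        return "insecure permissions (group/other bits set)";
    case KEY_ERR_OWNER:       return "not owned by expected uid";
    }
    return "unknown";
}

/*
 * Demo helper: write a constructed placeholder (not key material) to a temp
 * file, set the requested mode, run the check as the current user, clean up.
 * Lets every case be reproduced without root.
 */
enum key_check check_temp_with_mode(mode_t mode, uid_t expected_uid)
{
    char path[] = "/tmp/keycheck.XXXXXX";
    const char *body = "-----BEGIN PRIVATE KEY-----\n"
                       "constructed placeholder, not key material\n"
                       "-----END PRIVATE KEY-----\n";
    int fd = mkstemp(path);
    enum key_check rc;

    if (fd < 0)
        return KEY_ERR_OPEN;
    if (write(fd, body, strlen(body)) < 0 || fchmod(fd, mode) != 0) {
        close(fd);
        unlink(path);
        return KEY_ERR_STAT;
    }
    close(fd);
    rc = check_key_file(path, expected_uid, NULL);
    unlink(path);
    return rc;
}

int main(void)
{
    uid_t me = getuid();

    /* The states from the thread: 0644 owned by the wrong uid (the ls -l
     * output), 0644 owned by the right uid, and 0600 owned by the right uid
     * (what the OpenSMTPD examples ask for). */
    printf("0644, wrong owner : %s\n", key_check_str(check_temp_with_mode(0644, me + 1)));
    printf("0644, right owner : %s\n", key_check_str(check_temp_with_mode(0644, me)));
    printf("0600, right owner : %s\n", key_check_str(check_temp_with_mode(0600, me)));
    return 0;
}
```

Run as any user: the first line reports the ownership failure even though the file is readable, the second reports the mode failure, and only the third passes. A daemon built this way would do this check on its certificate and key immediately after binding the privileged port and before `setgid()`/`setuid()`, keeping the vetted descriptor rather than reopening the path later.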