Thread: Unexpected permissions issue with Dovecot

  1. #1

    Unexpected permissions issue with Dovecot

    Hello - I am trying to install/configure Dovecot and Postfix on my server running OpenSuSE Leap 42.3 x64 and am running into a perplexing permissions issue that I need help resolving.

    Dovecot is configured to use a certificate file as shown here -

    Code:
    bigbang:/etc/dovecot # cat dovecot.conf
    listen = *,[::]
    protocols = imap pop3
    auth_mechanisms = plain login
    disable_plaintext_auth = no
    log_timestamp = "%Y-%m-%d %H:%M:%S "
    mail_privileged_group = vmail
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key
    ssl_protocols = !SSLv2 !SSLv3
    passdb {
      args = /etc/dovecot/dovecot-sql.conf
      driver = sql
    
    ...
    }
    and when I start up the dovecot daemon I am getting the following error message -

    Code:
    "doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf  line 7: ssl_cert: /etc/postfix/smtpd.cert Can not open file: Permission  denied"
    There was nothing unusual done in creating the certificates and no password requirement was set to use it. It was simply generated locally on my server, not supplied from a certificate authority.

    Looking at directory and file permissions does not show anything either -

    Code:
    ls -ald /etc/postfix
    drwxr-xr-x 5 root root 4096 Jun 16 16:19 /etc/postfix
    
     ls -al /etc/postfix/smtpd.cert
    -rw-r--r-- 1 root root 1424 Jun 16 16:04 /etc/postfix/smtpd.cert

    Any ideas on how to debug this and track down what is the real issue? Thanks in advance, Marc...

  2. #2

    Re: Unexpected permissions issue with Dovecot

    Ping? Any thoughts anyone?

  3. #3

    Re: Unexpected permissions issue with Dovecot

    I will walk you through my steps to try and reproduce your error.

    NOTE: Do not accept this solution as a completely secure working dovecot/postfix configuration. It only hopefully gets you past your cert error.

    1. Basic leap 42.3 install with configured network setting
    2. Fully patched
    3. reboot
    4. Install dovecot
    5. systemctl enable dovecot.service
    6. reboot
    7. Checked to ensure dovecot and postfix were sane: systemctl status dovecot.service and systemctl status postfix
    8. mkdir /etc/dovecot/private
    9. mkdir /root/certs
    10. cd /root/certs
    11. Performed steps 1 through 7 from the link below. Do not do step 8 or 9.
    https://support.plesk.com/hc/en-us/a...-it-to-Dovecot
    12. Modified /etc/dovecot/conf.d/10-ssl.conf by uncommenting or modifying these lines:
    Code:
    ssl = yes
    
    ssl_cert = </etc/dovecot/private/dovecot.crt
    ssl_key = </etc/dovecot/private/dovecot.key
    13. Modified /etc/postfix/main.cf
    Code:
    smtpd_use_tls = yes
    
    smtpd_tls_cert_file = /etc/dovecot/private/dovecot.crt
    smtpd_tls_key_file = /etc/dovecot/private/dovecot.key
    14. Rebooted
    15. Checked to ensure dovecot and postfix were sane: systemctl status dovecot.service and systemctl status postfix

    Hope that helps to get you over the roadblock you hit.
    I don’t have anything to hide, but I don’t have anything I want to show you either.

  5. #5

    Re: Unexpected permissions issue with Dovecot

    Thanks d3vnull, I have made some progress on solving this and tracked down the problem to apparmor which is some sort of application based security system. (How I wish Linux followed KISS principles, this appears to be yet another security layer on top of the chmod/chown layer, and not an intuitive/obvious thing either especially since it is not exposed by ls -al.) I claim no expertise about this thing but hacked the following files in /etc/apparmor.d - usr.lib.dovecot.auth, usr.lib.dovecot.config, usr.lib.dovecot.imap and usr.lib.dovecot.pop3 and added the following permission -


    Code:
      /etc/postfix/* r,
    to each of these files. I admit that I am way out of my comfort zone here, having never dealt with apparmor before, so would appreciate a more definitive solution from someone who understands apparmor better than I do.
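
One way to confirm that AppArmor, rather than the file mode bits shown by ls, is what denies the read (an added example, not part of any post in this thread): summarise the DENIED records from the audit log by profile and path. The sample records are constructed, and the profile names are assumed from the file names under /etc/apparmor.d mentioned above.

```python
import re
from collections import Counter

# Constructed sample records in the AppArmor audit format. Profile names, pids
# and timestamps are assumptions; the denied path is the one from the thread.
SAMPLE_LOG = '''\
type=AVC msg=audit(1529180000.101:210): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/etc/postfix/smtpd.cert" pid=2101 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1529180000.102:211): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/config" name="/etc/postfix/smtpd.cert" pid=2102 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1529180003.310:215): apparmor="ALLOWED" operation="open" profile="/usr/sbin/example" name="/etc/hosts" pid=2200 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1529180005.000:220): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/auth" name="/etc/postfix/smtpd.cert" pid=2300 comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return {key: (inner if raw.startswith('"') else raw)
            for key, raw, inner in FIELD.findall(line)}


def denials(log_text):
    """Count DENIED events per (profile, path, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") == "DENIED" and "name" in rec:
            counts[(rec.get("profile"), rec["name"], rec.get("denied_mask"))] += 1
    return counts


def candidate_rules(counts):
    """Per profile, the narrowest file rule that would cover each denial."""
    rules = {}
    for profile, path, mask in sorted(counts):
        rules.setdefault(profile, []).append(f"{path} {mask},")
    return rules


if __name__ == "__main__":
    found = denials(SAMPLE_LOG)
    for (profile, path, mask), n in sorted(found.items()):
        print(f"{n}x profile={profile} path={path} denied={mask}")
    for profile, lines in candidate_rules(found).items():
        print(profile, "->", lines)
```

On a system running auditd these records are written to /var/log/audit/audit.log; without it they go to the kernel log. The per-file rules this prints are narrower than `/etc/postfix/* r,`, which matches every file directly in that directory, including smtpd.key.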

  6. #6

    Re: Unexpected permissions issue with Dovecot

    dovecot can read /etc/ssl through an include statement in its AppArmor profile:

    #include <abstractions/ssl_keys>

    Store your certificates in /etc/ssl/private and you should not need to modify the dovecot Apparmor profile.

    You can read the original bug report where that is explained to me.

    I have also filed a separate bug report on the README.SUSE instructions being incorrect, but I am not sure you were following it anyway
