Hi
does anyone happen to know the username under which dovecot accesses the
certificate and key files when connecting to a mariadb database with
ssl? I can't seem to get dovecot to read the files without an "other"
readable bit set.
I have dovecot users in mysql with the following connect string in
dovecot-sql.conf.ext:
connect = host=x.x.x host=y.y.y host=z.z.z dbname=maildb user=mailuser
password=xxxxxx \
ssl_ca=/etc/ssl/mysql/ca-cert.pem \
ssl_cert=/etc/ssl/mysql/client-cert.pem \
ssl_key=/etc/ssl/mysql/client-key.pem \
ssl_verify_server_cert=yes
The certificate and key files in /etc/ssl/mysql/ are owned by root with
group users:
ls -l /etc/ssl/mysql
total 12
-r--r--r--. 1 root root 2041 Jun 22 15:32 ca-cert.pem
-r--r--r--. 1 root users 1907 Jun 22 15:32 client-cert.pem
-r--r--r--. 1 root users 3272 Jun 22 15:32 client-key.pem
For my test dovecot, dovenull and vmail are all members of group users:
grep users /etc/group
users:x:100:postfix,dovecot,dovenull,vmail
If I remove the "other" readable attribute on the certificate and key
files, dovecot complains it can't connect to the db server:
auth: Error: mysql(x.x.x): Connect failed to database (maildb): TLS/SSL
error: Permission denied (13) - waiting for 1 seconds before retry
I realize it only adds marginal security to not have these files world
readable, but still it is puzzling why dovecot cannot read them in that
case. Can anyone see what I am missing?
Thanks
John
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
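As an added example that is not part of John's post, this script applies the kernel's owner/group/other read check to the listing and /etc/group line quoted above and shows which of the three files a member of group users could still open once the other-read bit is removed; with the ownership shown, ca-cert.pem (root:root) becomes unreadable to every non-root user. It models DAC mode bits only: the uid the auth process actually runs under, its primary group, and any SELinux/AppArmor policy (the trailing "." in the listing marks an SELinux label) are outside this check.

```python
from dataclasses import dataclass

# Constructed input: the "ls -l /etc/ssl/mysql" listing and /etc/group line quoted in the post.
LS_OUTPUT = """\
-r--r--r--. 1 root root 2041 Jun 22 15:32 ca-cert.pem
-r--r--r--. 1 root users 1907 Jun 22 15:32 client-cert.pem
-r--r--r--. 1 root users 3272 Jun 22 15:32 client-key.pem
"""
GROUP_LINE = "users:x:100:postfix,dovecot,dovenull,vmail"

@dataclass(frozen=True)
class FileEntry:
    name: str
    mode: str   # nine permission characters, e.g. "r--r--r--"
    owner: str
    group: str

def parse_ls(text):
    """Parse 'ls -l' lines; a trailing '.' or '+' after the mode is an SELinux/ACL marker, not a bit."""
    entries = []
    for line in text.splitlines():
        perms, _links, owner, group, _size, _mon, _day, _time, name = line.split(None, 8)
        entries.append(FileEntry(name, perms[1:10], owner, group))
    return entries

def parse_group(group_line):
    """Return (group name, set of supplementary members) from one /etc/group line."""
    name, _pw, _gid, members = group_line.split(":", 3)
    return name, {m for m in members.split(",") if m}

def can_read(entry, user, user_groups):
    """Mirror the DAC check: only the first matching class (owner, then group, then other) is consulted."""
    if user == entry.owner:
        return entry.mode[0] == "r"
    if entry.group in user_groups:
        return entry.mode[3] == "r"
    return entry.mode[6] == "r"

def drop_other_read(entry):
    """Return the entry as it would look after 'chmod o-r'."""
    return FileEntry(entry.name, entry.mode[:6] + "-" + entry.mode[7:], entry.owner, entry.group)

def readability_report(ls_text, group_line, user):
    """Map each file name to (readable now, readable after o-r) for the given user.
    Only the supplementary membership in the single group line given is considered."""
    gname, members = parse_group(group_line)
    groups = {gname} if user in members else set()
    return {e.name: (can_read(e, user, groups), can_read(drop_other_read(e), user, groups))
            for e in parse_ls(ls_text)}
```

Running readability_report for "dovecot", "dovenull" and "vmail" gives the same answer for all three: the client cert and key stay readable through group users, the CA file does not.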