dovecot and SSL

Eric Vought, Technical Director evought at diversityink.com
Thu Feb 10 02:05:34 UTC 2005



|From:
|Hans Müller <ndof at gmx.li>
|Date:
|Wed, 09 Feb 2005 14:36:24 +0100

|Hello, I have a problem with dovecot and SSL.
|I have my certificate. But when I start DC, there comes no question for the
|passphrase for the keyfile. So I get the error in the log file:
|imap-login: Can't load private key file /etc/raddb/certs/server.key
|I will use for my radius and dc the same certificate. What must I do,
|so that I will be asked for the key password??

What it comes down to is that it won't. The certificate must be stored
as plaintext, unencrypted. This is not as much of a security problem as
it might seem if the file permissions (and SELinux policies if you use
the strict mode) will protect non-root from reading the file. If someone
can obtain root permissions, they can probably contrive to read the
unencrypted key in memory even if it was encrypted on disk. Also, asking
for the passphrase means that the server cannot start automatically (for
instance, when the system responds to a UPS, shuts itself down, then
comes back up) or be restarted through a management interface (e.g.
webmin's system monitor).

As the previous poster says, you can generate a new key that is
unencrypted. If it is a self-signed key that has not yet been used, that
is fine. If clients have already installed the old key (or it has been
signed by a certificate authority), it is better to unencrypt the old key:

openssl rsa -in encryptedkeyfile.pem -out unencryptedkeyfile.pem

"man rsa" for more info on how this works.

Incidentally, if you do have a CA signed key, you should be aware that
dovecot does not support "chained roots", or keys which are signed by a
CA's subkey rather than the root key itself. If your CA sent you a
"chained root file", often called "chained.pem", add it to the end of
your key file, thusly:

cat yourdomaincert.pem chained.pem > yourdomaincert-chained.pem

And make sure dovecot is told to use yourdomaincert-chained.pem. This
makes the mail program deal with the verification problem itself and
works with at least some of the mail programs (e.g. Thunderbird, Mac
Mail gives a warning anyway - ***sigh***). It should not hurt radius to
use the chained key (though I have not tried it myself).

[If this is not a CA signed key or they did not say anything about
"chained roots", ignore this last.]
-- 
Eric Vought

Technical Director,
Diversity Ink, Morgan Family Enterprises
Web Hosting and Site Design for Small Business and Not-for-Profit
(http://www.diversityink.com)
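As an added example (not part of this list post or of dovecot), a small pre-start check in Python for the two points above: whether a key file is still passphrase-protected or readable by other users, and building the combined certificate file with the server certificate first. The PEM samples are constructed placeholders, not real key or certificate material.

```python
import os
import re
import stat
import tempfile

# Headers OpenSSL writes into passphrase-protected keys (PKCS#1 and PKCS#8 forms).
ENCRYPTED_MARKERS = ("Proc-Type: 4,ENCRYPTED", "BEGIN ENCRYPTED PRIVATE KEY")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

# Constructed samples: placeholder bodies only, no real key or certificate material.
SAMPLE_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nPLACEHOLDER\n"
                        "-----END RSA PRIVATE KEY-----\n")
SAMPLE_PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nSERVER\n-----END CERTIFICATE-----\n"
SAMPLE_CHAIN = ("-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----\n"
                "-----BEGIN CERTIFICATE-----\nROOT\n-----END CERTIFICATE-----\n")


def key_file_problems(path):
    """Reasons an unattended dovecot start could not safely use this key file."""
    problems = []
    with open(path) as f:
        text = f.read()
    if any(m in text for m in ENCRYPTED_MARKERS):
        problems.append("key is passphrase-protected; decrypt it with 'openssl rsa -in ... -out ...'")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("readable by group/other (mode %o); an unencrypted key needs 0600" % mode)
    return problems


def check_sample(text, mode):
    """Write constructed PEM text to a temporary file with the given mode, then check it."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, mode)
    try:
        return key_file_problems(path)
    finally:
        os.unlink(path)


def build_chain(server_cert_pem, chain_pem):
    """Server certificate first, then the CA chain: the order an OpenSSL-based server reads."""
    for pem in (server_cert_pem, chain_pem):
        kinds = [b.group(1) for b in PEM_BLOCK.finditer(pem)]
        if not kinds or any(k != "CERTIFICATE" for k in kinds):
            raise ValueError("inputs must contain only CERTIFICATE blocks")  # e.g. a key by mistake
    return server_cert_pem.rstrip("\n") + "\n" + chain_pem.rstrip("\n") + "\n"
```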