Re: dovecot and SSL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

|From:
|Hans Müller <ndof@xxxxxx>
|Date:
|Wed, 09 Feb 2005 14:36:24 +0100

|Hello, I have a problem with dovecot and SSL
|I have my certificate. But when I start DC, the comes no question for >the
|passphrase for the keyfile. So I get the error in the log file:
|imap-login: Can't load private key file /etc/raddb/certs/server.key
|I will use for my radius and dc the same certificate. What must I do,s
|so the i will be askte for the keypassword??

What it comes down to is that it won't. The certificate must be stored
as plaintext, unencrypted. This is not as much of a security problem as
it might seem if the file permissions (and SELinux policies if you use
the strict mode) will protect non-rrot from reading the file. If someone
can obtain root permissions, they can probably contrive to read the
unencrypted key in memory even if it was encrypted on disk. Also, asking
for the passphrase means that the server cannot start automatically (for
instance, when the system responds to a UPS, shuts itself down, then
comes back up) or be restarted through a management interface (e.g.
webmin's system monitor).

as the previos poster says, you can generate a new key that is
unencrypted. If it is a self-signed key that has not yet been used, that
is fine. If clients have already installed the old key (or it has been
signed by a certificate authority), it is better to unencrypt the old key:

openssl rsa -in encryptedkeyfile.pem -out unencryptedkeyfile.pem

"man rsa" for more info on how this works.

Incidentally, if you do have a CA signed key, you should be aware that
dovecot does not support "chained roots", or keys which are signed by a
CA's subkey rather than the root key itself. If your CA sent you a
"chained root file", often called "chained.pem", add it to the end of
your key file, thusly:

cat chained.pem yourdomaincert.pem >> yourdomaincert-chained.pem

And make sure dovecot is told to use yourdomaincert-chained.pem. This
makes the mail program deal with the verification problem itself and
works with at least some of the mail programs (e.g. Thunderbird, Mac
Mail gives a warning anyway - ***sigh***). It should not hurt radius to
use the chained key (though I have not tried it myself).

[If this is not a CA signed key or they did not say anything about
"chained roots", ignore this last.]
- --
Eric Vought

Technical Director,
Diversity Ink, Morgan Family Enterprises
Web Hosting and Site Design for Small Business and Not-for-Profit
(http://www.diversityink.com)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCCsFuGqlqMhx2Xb0RAv8PAJwLF2k5uqA9Jeih4/9iJxFeCwtKpQCferpN
NUbFmIuU7XmqeewO3tekPMM=
=VGg6
-----END PGP SIGNATURE-----
begin:vcard
fn:Eric Vought
n:Vought;Eric
org:Diversity Ink
adr;dom:;;;Republic;MO
email;internet:evought@xxxxxxxxxxxxxxxx
title:Technical Director
x-mozilla-html:FALSE
url:http://www.diversityink.com
version:2.1
end:vcard


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux