Securing imap with Letsencrypt
benjamin.boudoir at free.fr
Wed Aug 1 11:05:08 CEST 2018
Hi,
On 01/08/2018 09:18, Milan Petrovic wrote:
> Hi all,
>
> I'm running a multidomain Kolab setup on Ubuntu, with Nginx.
> I'm trying to make cyrus-imap to use the Letsencrypt certificates
> without any success (the certs are working fine on the Nginx part,
> also working fine for Active-sync connections).
> The certificates are stored in /etc/letsencrypt/archive/my_domain/,
> chmoded to 640, owned by root (I have tried to have them owned by a
> group 'mail' or 'ssl-cert', nothing happens).
> Whenever I point the "tls_client_ca_file", "tls_server_cert" and
> "tls_server_key" of imapd.conf to letsencrypt certs, I get in the logs
> the following:
> Aug 1 02:10:50 collab imaps[28524]: unable to get certificate from
> '/etc/letsencrypt/archive/my_domain/cert6.pem'
> Aug 1 02:10:50 collab imaps[28524]: TLS server engine: cannot load
> server cert/key data.
> Aug 1 02:10:50 collab imaps[28524]: error initializing TLS
> Aug 1 02:10:50 collab imaps[28524]: Fatal error: tls_init() failed
I do it too.
You used to have the following users in your group :
- cyrus
- postfix
And have group rights at least to "read" (+r) on your certificates.
Note that the folders sort of inherit the permissions from upper
folders; they have to be readable (+r) and crossable (+x) by your group
too.
You may debug it simply by switching to them (like: su - cyrus
--shell=/bin/sh) and doing some ls/cat to find what "breaks" the
authorization.
> At some point in the past I see I have commented out the ldap
> configuration from the imapd.conf, not sure when and why (both the
> base ldap configuration and the addition at the end for the
> multidomain setup), but uncommenting it makes the login within
> roundcube unsuccessful.
Your users might be stored in cyrus instead of LDAP. In that case,
it's normal that you can't log in via LDAP because all your setup might
depend on IMAP authentication.
> Please help.
>
> Thanks, Milan
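Added example, not part of the original message: a script that does the directory-by-directory check the reply describes without needing a shell as the service user. It reports the first path component whose mode bits stop a given user from reaching and reading the certificate; the names `class_bits` and `first_blocker` are made up for this sketch, and it looks at plain mode bits only (no ACLs, no root override).

```python
import os, pwd, stat, sys

def class_bits(st, uid, gids):
    """rwx triplet (0-7) that applies to uid/gids: owner, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_blocker(path, uid, gids, base="/"):
    """Walk from base down to path and return (component, reason) for the first
    permission failure, or None if uid/gids can traverse every directory and
    read the file. Plain mode bits only: ACLs and root's override are ignored."""
    base, path = os.path.realpath(base), os.path.realpath(path)
    rel = os.path.relpath(path, base)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        raise ValueError("path is not below base")
    current = base
    for comp in [""] + ([] if rel == os.curdir else rel.split(os.sep)):
        current = os.path.join(current, comp) if comp else current
        st = os.stat(current)
        bits = class_bits(st, uid, gids)
        if stat.S_ISDIR(st.st_mode):
            if not bits & 1:
                return (current, "directory lacks +x for this user")
        elif not bits & 4:
            return (current, "file lacks +r for this user")
    return None

if __name__ == "__main__":
    # Assumed invocation: script.py cyrus /etc/letsencrypt/archive/my_domain/cert6.pem
    if len(sys.argv) != 3:
        sys.exit("usage: %s USER PATH" % sys.argv[0])
    pw = pwd.getpwnam(sys.argv[1])
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    print(first_blocker(sys.argv[2], pw.pw_uid, gids) or "no mode-bit obstacle found")
```

Run it as root so every component can be stat'ed, once for `cyrus` and once for `postfix`; the private key file is checked the same way as the certificate.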