Dovecot 2.3.17 ssl regression

After upgrading Dovecot from 2.3.15 to 2.3.17, the dovecot process no longer has access to /usr/local/etc/letsencrypt/live, which by default is owned by root:wheel with mode 700.

doveadm: v2.3.11 regression: Commands failed if ssl_cert or
ssl_key files weren't readable by the user running doveadm, even
though doveadm didn't actually use these settings

Oct 31 01:22:35 ****** postfix/pipe[1839]: 7B3A7273A7: to=<test@*******>, relay=dovecot, delay=0.02, delays=0/0/0/0.01, dsn=4.3.0, status=deferred (temporary failure. Command output: doveconf: Fatal: Error in configuration file /usr/local/etc/dovecot/conf.d/10-ssl.conf line 25: ssl_ca: Can't open file /usr/local/etc/letsencrypt/live/******/chain.pem: Permission denied )

As a temporary workaround you can set the permissions of the directories "live" and "archive" to 755, which will expose privkey.pem, or skip version 2.3.17.

Code:
root@***:/usr/local/etc/letsencrypt # ls -l
total 28
drwx------  6 root  wheel   512 Aug 12  2018 accounts
drwx------  3 root  wheel   512 Feb  2  2018 archive
drwxr-xr-x  2 root  wheel  1024 Oct 17 04:32 csr
drwx------  2 root  wheel  1024 Oct 17 04:32 keys
drwx------  3 root  wheel   512 Feb  2  2018 live
drwxr-xr-x  2 root  wheel   512 Oct 17 04:32 renewal
drwxr-xr-x  5 root  wheel   512 Feb  2  2018 renewal-hooks
root@***:/usr/local/etc/letsencrypt # chmod 755 live
root@***:/usr/local/etc/letsencrypt # chmod 755 archive/
root@***:/usr/local/etc/letsencrypt # ls -l
total 28
drwx------  6 root  wheel   512 Aug 12  2018 accounts
drwxr-xr-x  3 root  wheel   512 Feb  2  2018 archive
drwxr-xr-x  2 root  wheel  1024 Oct 17 04:32 csr
drwx------  2 root  wheel  1024 Oct 17 04:32 keys
drwxr-xr-x  3 root  wheel   512 Feb  2  2018 live
drwxr-xr-x  2 root  wheel   512 Oct 17 04:32 renewal
drwxr-xr-x  5 root  wheel   512 Feb  2  2018 renewal-hooks

Edit:
A better approach would be to change the "wheel" group to "mail", give access only to root:mail with 750, and add the dovecot user to that group.
 
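The group-based fix from the edit above, as an added example that is not code from this thread: a small POSIX sh script that gives one group (assumed here to be "mail") read access to the live/ and archive/ trees while leaving "other" with nothing, and a check that nothing under them is world-readable. The base directory, the group name, the dovecot user name and the pw groupmod line are assumptions; the script is meant to be run as root on the host.

```shell
#!/bin/sh
# Added example, not from the thread above. Implements the "root:mail, 750"
# approach: members of one group (assumed here to be "mail") can traverse
# live/ and archive/ and read the files in them, while "other" gets nothing.
# The base directory is an assumption; run as root on the real host.
# On FreeBSD the dovecot user (assumed name) is added to the group with
#   pw groupmod mail -m dovecot
# which is not executed here.

# mode_of PATH: the 10-character permission string from ls -ld, e.g. drwxr-x---
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# group_of PATH: the owning group, the 4th field of ls -ld
group_of() {
    set -- $(ls -ld "$1")
    echo "$4"
}

# grant_group_access LE_DIR GROUP
# chgrp live/ and archive/ to GROUP, directories 750, regular files 640.
# The symlinks in live/ are skipped by find -type f; their targets in
# archive/ are fixed by the archive pass.
grant_group_access() {
    le_dir=$1
    grp=$2
    for sub in live archive; do
        [ -d "$le_dir/$sub" ] || return 1
        chgrp -R "$grp" "$le_dir/$sub" || return 1
        find "$le_dir/$sub" -type d -exec chmod 750 {} + || return 1
        find "$le_dir/$sub" -type f -exec chmod 640 {} + || return 1
    done
    return 0
}

# verify_group_access LE_DIR GROUP
# returns 0 when both directories are owned by GROUP with mode 750 and no
# regular file under them is world-readable (find -perm -004), otherwise 1
verify_group_access() {
    le_dir=$1
    grp=$2
    for sub in live archive; do
        [ "$(group_of "$le_dir/$sub")" = "$grp" ] || return 1
        [ "$(mode_of "$le_dir/$sub")" = "drwxr-x---" ] || return 1
    done
    [ -z "$(find "$le_dir/live" "$le_dir/archive" -type f -perm -004)" ] || return 1
    return 0
}

# Usage on the host (paths and group are assumptions, adjust for your system):
#   grant_group_access /usr/local/etc/letsencrypt mail
#   verify_group_access /usr/local/etc/letsencrypt mail && echo ok
```

The verification step matters because certbot recreates archive/ files on every renewal with its own modes, so the check belongs in a cron job or a renewal hook, not only in a one-off fix.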
I added a deploy script that copies the certificate to a location specific to my mail server. That way you never need to worry about the permissions of /usr/local/etc/letsencrypt/live. I needed this anyway because certbot runs on the host and my mail server runs in a jail.

It took me some fiddling to get those hook scripts working. In /usr/local/etc/letsencrypt/renewal-hooks/deploy I have a 02-exim.sh script:
Code:
#!/bin/sh

# certbot deploy hook. The shell variable $RENEWED_LINEAGE will point to the
# config live subdirectory (for example,
# "/etc/letsencrypt/live/example.com") containing the
# new certificates and keys

# the shell variable $RENEWED_DOMAINS will contain
# a space-delimited list of renewed certificate domains
# (for example, "example.com www.example.com")

# destination inside the jail, seen from the host
SSL=/jails/mail/usr/local/etc/ssl

# initialise both flags so the tests below never see an unset variable
# (e.g. when certbot runs the hook with an empty $RENEWED_DOMAINS)
SSL_SET=0
MAIL_RESTART=0

# set the flags only on a match; a non-matching domain later in the list
# must not reset them, so there is no "*)" branch
for CERT in $RENEWED_DOMAINS; do
  case $CERT in
    mail.example.com)  SSL_SET=1
                       MAIL_RESTART=1
                       JAIL=mail
                       ;;
  esac
done

# copy under the first domain name of the lineage; the new files inherit
# root's umask, so check that the private key is not world-readable
if [ "$SSL_SET" -eq 1 ]; then
  cat "${RENEWED_LINEAGE}/fullchain.pem" > "$SSL/certs/${RENEWED_DOMAINS%% *}.pem"
  cat "${RENEWED_LINEAGE}/privkey.pem"   > "$SSL/private/${RENEWED_DOMAINS%% *}.pem"
fi

if [ "$MAIL_RESTART" -eq 1 ]; then
  jexec "$JAIL" /usr/sbin/service exim reload
  jexec "$JAIL" /usr/sbin/service dovecot reload
fi
 