http://bugzilla.opensuse.org/show_bug.cgi?id=1099764 http://bugzilla.opensuse.org/show_bug.cgi?id=1099764#c1 Christian Boltz <suse-beta@cboltz.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |chevy.stroker@yahoo.com Flags| |needinfo?(chevy.stroker@yah | |oo.com) --- Comment #1 from Christian Boltz <suse-beta@cboltz.de> --- The dovecot profiles that need access to the certificates have #include <abstractions/ssl_keys> and that abstraction allows to read everyting in /etc/ssl/ ("/etc/ssl/** r,") so everything should work as expected. Do you have a "real" problem (breakage in dovecot or DENIED lines in /var/log/audit/audit.log), or did you only stumble over this after reading the dovecot profiles? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1099764 http://bugzilla.opensuse.org/show_bug.cgi?id=1099764#c3 --- Comment #3 from David Chewning <chevy.stroker@yahoo.com> --- OK, please remove the Apparmor part of this. If you want to close this report and have me resubmit please do. This is a dovecot issue if I understand the configuration correctly. Or I can edit the title. please advise. I will freely admit I created my own certificates for dovecot, and in the process fixed the original issue without being aware the README.SUSE was not clear/old. System: 1. Leap 42.3 KDE Desktop default install with a static IP. 2. Fully patched. 3. reboot 4. Install dovecot and let the packaging system install dependencies. 5. systemctl enable dovecot.service 6. Reboot and dovecot is happy Here is where things break and /usr/share/doc/packages/dovecot/README.SUSE seems to be incorrect. 1. Instructed to edit /usr/share/doc/packages/dovecot/dovecot-openssl.cnf - Completed. 2. Instructed to run /usr/share/doc/packages/dovecot/mkcert.sh - This is suppose to generate two files: /etc/ssl/private/dovecot.crt /etc/ssl/private/dovecot.pem Instead, only the .pem is generated which vary well could contain the certificate chain. 3. Instructed to edit /etc/dovecot/dovecot.conf and set ssl_disable = no. The actual file to edit is /etc/dovecot/conf.d/10-ssl.conf The variables to be uncomented and modified in 10-ssl.conf are: ssl = yes ssl_cert = </etc/ssl/private/dovecot.crt ssl_key = </etc/ssl/private/dovecot.key Note the last line was a .pem, but my self-signed cert/key were .crt/.key. I did not take the time to actually determine if the .pem certificate was actually a self-contained entire certificate chain. Once the documentation failed I generated the cert/key manually where I had control. So, it may very well work just uncommenting the two lines below and be secure: ssl = yes ssl_key = </etc/ssl/private/dovecot.pem The individuals complaining about a permission error seemed to be running up against an Apparrmor issue since they were placing their cert/key in /etc/postfix. On looking at Apparmor I did not find the reference to /etc/ss/private (my grep -R must have failed me). So, I created the directory /etc/dovecot/private and placed my cert/key there. How I generated the key is probably unimportant. Apologies for reporting the wrong issue, but there does appear to be a documented steps issue in /usr/share/doc/packages/dovecot/README.SUSE which maybe easier to fix. -- You are receiving this mail because: You are on the CC list for the bug.