[debian-lan-devel] dovecot certificates (was: Installation report)
Andreas B. Mundt
andi.mundt at web.de
Tue May 7 10:59:10 UTC 2013
Hi Jonas,
On Tue, May 07, 2013 at 10:20:22AM +0200, Jonas Smedegaard wrote:
> Quoting Andreas B. Mundt (2013-05-06 20:09:01)
> > We might want to improve the certificate stuff some time, to make them
> > available on the clients also in icedove and iceweasel and perhaps
> > follow Jonas' recommendation. Up to now I just replaced the dovecot
> > certificate that's created during installation with a certificate
> > including the 'mail.intern' alias.
>
> Sounds dangerous: The files handled by a package may be automatically
> changed by the same package as well!
>
> I strongly urge you to change strategy to not subvert package-owned files!
I guess this is no problem here, as the certs are not part of the package:
root at mainserver:/etc# dpkg -S /etc/dovecot/private/dovecot.pem
dpkg-query: no path found matching pattern /etc/dovecot/private/dovecot.pem
root at mainserver:/etc# dpkg -S /etc/dovecot/dovecot.pem
dpkg-query: no path found matching pattern /etc/dovecot/dovecot.pem
From:
root at mainserver:/etc# less /var/lib/dpkg/info/dovecot-core.postinst
[...]
## SSL Certs
# Certs and key file
OLD_SSL_CERT="/etc/ssl/certs/dovecot.pem"
OLD_SSL_KEY="/etc/ssl/private/dovecot.pem"
SSL_CERT="/etc/dovecot/dovecot.pem"
SSL_KEY="/etc/dovecot/private/dovecot.pem"
if [ ! -e /etc/dovecot/private ]; then
    install -d -o root -g root -m0700 /etc/dovecot/private
fi
if [ -e $OLD_SSL_CERT ] || [ -e $OLD_SSL_KEY ]; then
    echo "You already have ssl certs for dovecot."
    echo "However you should move them out of /etc/ssl"
    echo "and into /etc/dovecot and update the configuration"
    echo "in /etc/dovecot/conf.d/10-ssl.conf accordingly."
    echo "See /usr/share/doc/dovecot-core/README.Debian.gz for details."
# Generate new certs if needed
elif [ -e $SSL_CERT ] || [ -e $SSL_KEY ]; then
    echo "You already have ssl certs for dovecot."
else
    echo "Creating generic self-signed certificate: $SSL_CERT"
    echo "This certificate will expire in 10 years."
    echo "(replace with hand-crafted or authorized one if needed)."
[...]
And a related (lengthy) bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608719#105
So for the time being, we leave it the way it is now?
Best regards,
Andi
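A worked version of the procedure Andi describes above (first confirm with dpkg -S that the Dovecot cert and key are not package-owned, then replace the installer-generated pair with a self-signed cert whose subjectAltName also covers mail.intern, and check the result), added here as an example; it is not code from the thread or from the dovecot-core package. The function names, the .bak backup suffix and the mainserver.intern CN are assumptions.

```shell
# Added example (not from the thread or the dovecot package): replace the
# installer-generated Dovecot cert with one whose SAN covers mail.intern,
# but only after confirming the paths are not owned by any package.

# Succeeds when no installed package claims $1, i.e. the path is the
# admin's to replace. Without dpkg (assumption: non-Debian test host)
# the path is treated as unowned.
not_package_owned() {
    if command -v dpkg >/dev/null 2>&1; then
        ! dpkg -S "$1" >/dev/null 2>&1
    else
        return 0
    fi
}

# Self-signed cert valid 10 years (the postinst default) with CN=$3 and a
# subjectAltName listing the CN plus every extra host name given.
# $1 = cert path, $2 = key path, $3 = CN, remaining args = alias names.
make_mail_cert() {
    cert=$1; key=$2; cn=$3; shift 3
    san="DNS:$cn"
    for alias in "$@"; do san="$san,DNS:$alias"; done
    (umask 077; openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$cn" -addext "subjectAltName=$san" \
        -keyout "$key" -out "$cert" 2>/dev/null)
}

# Print the DNS names in a certificate's SAN, one per line, so the result
# can be checked before dovecot is reloaded.
cert_san_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Refuse to touch package-owned files, back up the existing pair (.bak
# suffix is an assumption), then write the new cert and a root-only key.
# $1 = cert path, $2 = key path, $3 = CN, remaining args = alias names.
install_dovecot_cert() {
    cert=$1; key=$2; shift 2
    for f in "$cert" "$key"; do
        if ! not_package_owned "$f"; then
            echo "refusing: $f belongs to a package" >&2; return 1
        fi
        if [ -e "$f" ]; then cp -p "$f" "$f.bak"; fi
    done
    make_mail_cert "$cert" "$key" "$@"
    chmod 0600 "$key"; chmod 0644 "$cert"
}
```

Run as root with the real paths from the postinst excerpt, then reload dovecot; a package-owned path makes the function refuse instead of silently overwriting.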