[debian-lan-devel] dovecot certificates (was: Installation report)

Andreas B. Mundt andi.mundt at web.de
Tue May 7 10:59:10 UTC 2013


Hi Jonas,

On Tue, May 07, 2013 at 10:20:22AM +0200, Jonas Smedegaard wrote:
> Quoting Andreas B. Mundt (2013-05-06 20:09:01)
> > We might want to improve the certificate stuff some time, to make them
> > available on the clients also in icedove and iceweasel and perhaps
> > follow Jonas' recommendation.  Up to now I just replaced the dovecot
> > certificate that's created during installation with a certificate
> > including the 'mail.intern' alias.
>
> Sounds dangerous: The files handled by a package may be automatically
> changed by same package as well!
>
> I strongly urge you to change strategy to not subvert package-owned files!

I guess this is no problem here, as the certs are not part of the package:

root at mainserver:/etc# dpkg -S /etc/dovecot/private/dovecot.pem
dpkg-query: no path found matching pattern /etc/dovecot/private/dovecot.pem
root at mainserver:/etc# dpkg -S /etc/dovecot/dovecot.pem
dpkg-query: no path found matching pattern /etc/dovecot/dovecot.pem

From:

root at mainserver:/etc# less /var/lib/dpkg/info/dovecot-core.postinst

[...]
  ## SSL Certs
  # Certs and key file
  OLD_SSL_CERT="/etc/ssl/certs/dovecot.pem"
  OLD_SSL_KEY="/etc/ssl/private/dovecot.pem"
  SSL_CERT="/etc/dovecot/dovecot.pem"
  SSL_KEY="/etc/dovecot/private/dovecot.pem"

  if [ ! -e /etc/dovecot/private ]; then
    install -d -o root -g root -m0700 /etc/dovecot/private
  fi

  if [ -e $OLD_SSL_CERT ] || [ -e $OLD_SSL_KEY ]; then
      echo "You already have ssl certs for dovecot."
      echo "However you should move them out of /etc/ssl"
      echo "and into /etc/dovecot and update the configuration"
      echo "in /etc/dovecot/conf.d/10-ssl.conf accordingly."
      echo "See /usr/share/doc/dovecot-core/README.Debian.gz for details."
  # Generate new certs if needed
  elif [ -e $SSL_CERT ] || [ -e $SSL_KEY ]; then
      echo "You already have ssl certs for dovecot."
  else
      echo "Creating generic self-signed certificate: $SSL_CERT"
      echo "This certificate will expire in 10 years."
      echo "(replace with hand-crafted or authorized one if needed)."
 [...]

And a related (lengthy) bug report:

    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608719#105

So for the time being, we leave it the way it is now?

Best regards,

     Andi
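The two checks discussed in this thread, "is the file package-owned?" and "does the maintainer script only create a certificate when none exists?", can be scripted. The block below is an added example, not code from the thread or from the dovecot-core package: it reproduces the if/elif/else decision chain of the postinst excerpt as a function, wraps `dpkg -S` so it degrades gracefully where dpkg is absent, and adds a hypothetical helper that generates a self-signed certificate carrying the 'mail.intern' alias mentioned above in its subjectAltName (the function names and the `--report` flag are assumptions of this example).

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the dovecot-core package).
# Mirrors the certificate-handling logic of dovecot-core's postinst and checks
# package ownership before a site replaces the generated certificate.

# Decide what the postinst would do for the given paths, following its chain:
#   legacy certs under /etc/ssl   -> "migrate" (it only prints advice)
#   certs already at new location -> "keep"    (it leaves them untouched)
#   nothing present               -> "create"  (it generates a self-signed cert)
decide_cert_action() {
    old_cert=$1; old_key=$2; cert=$3; key=$4
    if [ -e "$old_cert" ] || [ -e "$old_key" ]; then
        echo migrate
    elif [ -e "$cert" ] || [ -e "$key" ]; then
        echo keep
    else
        echo create
    fi
}

# Ask dpkg whether a path belongs to any installed package.
# Prints "owned", "unowned", or "no-dpkg" when dpkg is not available.
package_ownership() {
    path=$1
    if ! command -v dpkg >/dev/null 2>&1; then
        echo no-dpkg
        return 0
    fi
    if dpkg -S "$path" >/dev/null 2>&1; then
        echo owned
    else
        echo unowned
    fi
}

# Hypothetical helper: create a self-signed certificate whose SAN lists both
# the host name and an alias such as mail.intern, so clients connecting to
# either name get a matching certificate.  Requires OpenSSL >= 1.1.1 (-addext).
make_cert_with_alias() {
    cert=$1; key=$2; cn=$3; alias=$4
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$key" -out "$cert" \
        -subj "/CN=$cn" \
        -addext "subjectAltName=DNS:$cn,DNS:$alias"
}

# Usage: sh cert_check.sh --report [cert] [key]
# Defaults are the paths used by the postinst excerpt above.
if [ "${1:-}" = --report ]; then
    CERT=${2:-/etc/dovecot/dovecot.pem}
    KEY=${3:-/etc/dovecot/private/dovecot.pem}
    echo "postinst action: $(decide_cert_action /etc/ssl/certs/dovecot.pem \
                                /etc/ssl/private/dovecot.pem "$CERT" "$KEY")"
    echo "dpkg ownership:  $(package_ownership "$CERT")"
fi
```

Run it as `sh cert_check.sh --report` on the mail server: "unowned" plus "keep" is exactly the situation described in the thread, meaning the file is not tracked by dpkg and the maintainer script will not regenerate it on upgrade, while "owned" would confirm Jonas' concern. The generator helper is only meant to be called when the decision is "create", so a hand-crafted certificate is never overwritten.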


