Issue #2254

OpenSMTPd key permission changes

Added by Denis 'GNUtoo' Carikli 4 months ago. Updated 4 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
05/24/2021
Due date:
% Done:
0%

Estimated time:
Hosting infrastructure:
VM @ FSF
Type of work:
System administration
#1

Updated by Denis 'GNUtoo' Carikli 4 months ago

After doing the workaround in bug #2253 we had key issues:

# systemctl status opensmtpd
● opensmtpd.service - OpenSMTPD SMTP server
   Loaded: loaded (/lib/systemd/system/opensmtpd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2021-05-24 09:17:37 EDT; 2min 19s ago
     Docs: man:smtpd(8)
  Process: 2087 ExecStop=/usr/sbin/smtpctl stop (code=exited, status=255)
  Process: 2131 ExecStart=/usr/sbin/smtpd (code=exited, status=1/FAILURE)
 Main PID: 592 (code=exited, status=0/SUCCESS)

May 24 09:17:37 replicantserver0 systemd[1]: Starting OpenSMTPD SMTP server...
May 24 09:17:37 replicantserver0 smtpd[2131]: warn:  /etc/letsencrypt/live/mx1.replicant.us/privkey.pem: insecure permissions: must be at most rwxr-----
May 24 09:17:37 replicantserver0 smtpd[2131]: smtpd: load_pki_keys: failed to load key file
May 24 09:17:37 replicantserver0 systemd[1]: opensmtpd.service: Control process exited, code=exited status=1
May 24 09:17:37 replicantserver0 systemd[1]: opensmtpd.service: Failed with result 'exit-code'.
May 24 09:17:37 replicantserver0 systemd[1]: Failed to start OpenSMTPD SMTP server.

And looking at the keys:

# ls -la /etc/letsencrypt/live/mx1.replicant.us/privkey.pem
lrwxrwxrwx 1 root root 43 May 22 12:14 /etc/letsencrypt/live/mx1.replicant.us/privkey.pem -> ../../archive/mx1.replicant.us/privkey4.pem

We had some permission issues:

# ls -la /etc/letsencrypt/live/mx1.replicant.us/../../archive/mx1.replicant.us/privkey4.pem -l
-rw-r--r-- 1 root root 1704 May 22 12:14 /etc/letsencrypt/live/mx1.replicant.us/../../archive/mx1.replicant.us/privkey4.pem

So I also had to do a workaround:

#  chmod o-r /etc/letsencrypt/live/mx1.replicant.us/../../archive/mx1.replicant.us/privkey4.pem
# systemctl start opensmtpd

And the SMTP server started up again.

#2

Updated by Denis 'GNUtoo' Carikli 4 months ago

So like with bug #2253, we probably need to look into hooks.

To test if it works fine after a certbot renew we could use the following commands (which here show how they are supposed to fail):

root@replicantserver0:~# systemctl restart opensmtpd
Job for opensmtpd.service failed because the control process exited with error code.
See "systemctl status opensmtpd.service" and "journalctl -xe" for details.
# systemctl status opensmtpd
● opensmtpd.service - OpenSMTPD SMTP server
   Loaded: loaded (/lib/systemd/system/opensmtpd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2021-05-24 09:17:37 EDT; 2min 19s ago
     Docs: man:smtpd(8)
  Process: 2087 ExecStop=/usr/sbin/smtpctl stop (code=exited, status=255)
  Process: 2131 ExecStart=/usr/sbin/smtpd (code=exited, status=1/FAILURE)
 Main PID: 592 (code=exited, status=0/SUCCESS)

May 24 09:17:37 replicantserver0 systemd[1]: Starting OpenSMTPD SMTP server...
May 24 09:17:37 replicantserver0 smtpd[2131]: warn:  /etc/letsencrypt/live/mx1.replicant.us/privkey.pem: insecure permissions: must be at most rwxr-----
May 24 09:17:37 replicantserver0 smtpd[2131]: smtpd: load_pki_keys: failed to load key file
May 24 09:17:37 replicantserver0 systemd[1]: opensmtpd.service: Control process exited, code=exited status=1
May 24 09:17:37 replicantserver0 systemd[1]: opensmtpd.service: Failed with result 'exit-code'.
May 24 09:17:37 replicantserver0 systemd[1]: Failed to start OpenSMTPD SMTP server.
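As an added example (not code from the ticket or from the Replicant infrastructure), here is the shape a certbot deploy hook for this problem could take. certbot runs executables placed in /etc/letsencrypt/renewal-hooks/deploy/ after each successful renewal and exports the renewed lineage directory as RENEWED_LINEAGE; the hook below resolves live/<name>/privkey.pem to its archive/ target (the file whose mode smtpd actually checks), sets it to 0640 so the "must be at most rwxr-----" rule holds, verifies the result, and restarts OpenSMTPD. The hook path, the 0640 choice and the use of GNU coreutils (stat -c, readlink -f) are assumptions of this example, not something the ticket specifies.

```shell
#!/bin/sh
# Constructed example of a certbot deploy hook (not the ticket's own code):
# after each renewal, remove the world-readable bit from the renewed private
# key so smtpd's "insecure permissions: must be at most rwxr-----" check
# passes, then restart OpenSMTPD. Assumes GNU coreutils (stat -c, readlink -f).
set -eu

# Octal mode of a file, e.g. "644", following symlinks (GNU stat).
mode_of() {
    stat -L -c '%a' "$1"
}

# Mirror the rule smtpd prints in the log: "at most rwxr-----" means no
# write/execute bits for the group and no bits at all for others.
# Returns 0 when the mode is acceptable, 1 otherwise.
key_perms_ok() {
    mode=$(mode_of "$1")
    # Prefix with 0 so the shell treats the digits as octal; 037 = ----wx-rwx,
    # i.e. exactly the bits that must all be clear.
    [ $(( 0$mode & 037 )) -eq 0 ]
}

# Fix permissions on the private key of one certbot lineage directory.
# $1: lineage dir; certbot passes it to deploy hooks as $RENEWED_LINEAGE.
# live/<name>/privkey.pem is a symlink into archive/, and smtpd checks the
# mode of the resolved file, so chmod the target rather than the link.
fix_key_perms() {
    target=$(readlink -f "$1/privkey.pem")
    # 0640: owner read/write, group read, nothing for others (assumed choice;
    # the ticket's manual workaround was the equivalent "chmod o-r").
    chmod 0640 "$target"
    key_perms_ok "$target"
}

# Entry point used when certbot invokes the script as a deploy hook
# (assumed location: /etc/letsencrypt/renewal-hooks/deploy/). When the file
# is sourced for testing, RENEWED_LINEAGE is unset and nothing runs.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    fix_key_perms "$RENEWED_LINEAGE"
    systemctl restart opensmtpd
fi
```

Whether certbot carries the previous archive key's mode over to the newly renewed key depends on the certbot version, so the hook makes the fix explicit instead of relying on that. After installing it, the check from this comment (systemctl restart opensmtpd followed by systemctl status opensmtpd) should no longer show the load_pki_keys failure after a renewal.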
