1

I made a key with

```
sudo openssl req -new -x509 -nodes -out /etc/ssl/certs/imap.pem -keyout /etc/ssl/private/imap.key -days 365
```

and then I ran `chown cyrus /etc/ssl/certs/imap.pem` and `chown cyrus /etc/ssl/private/imap.key`. Afterwards, when I try to connect to the server via Thunderbird, I can't log in. In mail.err I found this:

```
May 27 08:31:55 evolutio cyrus/imaps[18343]: DBERROR: error exiting application: Invalid argument
May 27 08:31:55 evolutio cyrus/imaps[18344]: unable to get private key from '/etc/ssl/certs/imap.key'
May 27 08:31:55 evolutio cyrus/imaps[18344]: TLS server engine: cannot load cert/key data, may be a cert/key mismatch?
May 27 08:31:55 evolutio cyrus/imaps[18344]: error initializing TLS
May 27 08:31:55 evolutio cyrus/imaps[18344]: Fatal error: tls_init() failed
```

In imapd.conf I added this:

```
tls_cert_file: /etc/ssl/certs/imap.pem
tls_key_file: /etc/ssl/private/imap.key
```

How can I solve the problem?

Evolutio
  • With `openssl s_client -connect lars-dev.de:993` I get this error: `CONNECTED(00000003) 18802:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:607:` – Evolutio May 27 '13 at 06:59
  • Did you restart cyrus after editing the config? – etagenklo May 27 '13 at 08:34

1 Answer

2

Check your imapd.conf for a wrong file path to imap.key. You write that the directory is /etc/ssl/private/imap.key, but in your logs Cyrus searches in /etc/ssl/certs/ for imap.key.

After that, the permissions on /etc/ssl/private are wrong, so Cyrus can't access the key file.

kockiren
  • What is wrong with the `tls_key_file: /etc/ssl/private/imap.key`? It is the right file path. But why does Cyrus try to search in /etc/ssl/certs? – Evolutio May 27 '13 at 07:40
  • Maybe you have an old entry in your imapd.conf with the wrong file path. – kockiren May 27 '13 at 07:44
  • Can you look at my imapd.conf, please? Here is the SSL/TLS part: http://pastebin.com/MXfdjtt7 – Evolutio May 27 '13 at 07:46
  • Let us start a chat – kockiren May 27 '13 at 07:50
  • What should be the permissions for `/etc/ssl/certs/imap.key`? Making `imap.key` not owned by `root.root` is not secure. Apache and Postfix correctly load the key before dropping the privileges. – dma_k Nov 16 '14 at 16:45
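
An added example (not part of the original posts) of the two checks the answer points to: whether the key path Cyrus logged matches `tls_key_file` in imapd.conf, and which path component stops a given uid from reaching the key. The sample log and config are constructed from the question's excerpts, the function names are hypothetical, and the uid and group ids of the cyrus account are assumed to be supplied by the caller.

```python
import os
import re
import stat

# Constructed sample data modelled on the question's log line and imapd.conf excerpt.
SAMPLE_LOG = "cyrus/imaps[18344]: unable to get private key from '/etc/ssl/certs/imap.key'\n"
SAMPLE_CONF = ("tls_cert_file: /etc/ssl/certs/imap.pem\n"
               "tls_key_file: /etc/ssl/private/imap.key\n")

KEY_LOG = re.compile(r"unable to get private key from '([^']+)'")
TLS_OPT = re.compile(r"^\s*(tls_\w+)\s*:\s*(\S+)")

def tls_entries(conf_text):
    """Map each tls_* option to every (line number, value) where it is set."""
    found = {}
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = TLS_OPT.match(line)  # lines starting with '#' do not match
        if m:
            found.setdefault(m.group(1), []).append((no, m.group(2)))
    return found

def audit(conf_text, log_text):
    """Report conflicting tls_* entries and logged key paths the config lacks."""
    findings, entries = [], tls_entries(conf_text)
    for opt, vals in entries.items():
        if len({v for _, v in vals}) > 1:
            findings.append(f"{opt} has conflicting values: {vals}")
    configured = {v for _, v in entries.get("tls_key_file", [])}
    for tried in sorted(set(KEY_LOG.findall(log_text))):
        if tried not in configured:
            findings.append(f"log path {tried} is not a configured tls_key_file")
    return findings

def blocked_at(path, uid, gids, base="/"):
    """First component below base that uid/gids cannot traverse or read, else None."""
    # Mode bits only: ACLs and root's bypass are not considered.
    cur = os.path.abspath(base)
    for name in os.path.relpath(os.path.abspath(path), cur).split(os.sep):
        cur = os.path.join(cur, name)
        st = os.stat(cur)
        bit = 0o1 if stat.S_ISDIR(st.st_mode) else 0o4  # x on dirs, r on the file
        shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
        if not st.st_mode & (bit << shift):
            return cur
    return None

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_LOG))
```

On a real host the uid can be taken from `pwd.getpwnam("cyrus").pw_uid`; a result pointing at a directory rather than the key file means that changing ownership of the key alone does not make it reachable.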