I am running Cyrus at a Debian 7 system. I want to increase security by only allowing specific services the access to the SSL private keys.
I created a group "ssl" which contains the users mysql, postfix and cyrus.
The process cyrus seems to run as user cyrus:
$ ps aux | grep cyrus
cyrus 1294 0.0 0.0 126256 8112 ? S 16:23 0:00 imapd -s -U 30
cyrus 1695 0.0 0.0 57036 3544 ? Ss Nov20 0:03 /usr/sbin/cyrmaster -d
cyrus 3656 0.0 0.0 83708 2408 ? S Nov20 0:00 notifyd
root 10779 0.0 0.0 11540 892 pts/1 S+ 21:12 0:00 grep cyrus
The private.key has chmod 640 and chown root:ssl. It is not encrypted.
The certificate.pem has chmod 640 and chown root:root.
When I run su cyrus, I am able to read the private.key file, so the permissions should be OK.
When I try to use my IMAP mailbox, cyrus reports that it does not have access to the private key:
$ tail /var/log/syslog
Nov 21 20:13:47 debian cyrus/imaps[20647]: unable to get private key from '/daten/ssl/xxx/private.key'
Nov 21 20:13:47 debian cyrus/imaps[20647]: TLS server engine: cannot load cert/key data, may be a cert/key mismatch?
Nov 21 20:13:47 debian cyrus/imaps[20647]: error initializing TLS
Nov 21 20:13:47 debian cyrus/imaps[20647]: Fatal error: tls_init() failed
A relevant part of /etc/imapd.conf:
tls_cert_file: /daten/ssl/xxx/certificate.pem
tls_key_file: /daten/ssl/xxx/private.key
tls_ca_file: /daten/ssl/ca/startcom/startcom.sub.class1.server.ca.crt
tls_ca_path: /daten/ssl/ca/startcom
When I change the chmod of private.key back to 644, it does work. When I set it to 640, it doesn't work anymore.
What can I do to make cyrus work? Why doesn't the process running as cyrus get access to the private.key?
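A diagnostic for the situation above, added here as an example (not from the original post or from Cyrus): it reproduces the kernel's owner/group/other read check from a process's effective ids and supplementary groups as shown in /proc/PID/status, so the daemon's credentials can be compared with those of an interactive "su cyrus" shell. The uid/gid values and the two status samples are constructed for illustration.

```python
"""Compare a process's credentials with a file's mode to explain a read denial."""
import os
import stat
from dataclasses import dataclass

CYRUS_UID = 108   # constructed sample value
SSL_GID = 1001    # constructed sample value for the "ssl" group

# Constructed /proc/<pid>/status excerpts. Columns: real, effective, saved, fs.
DAEMON_STATUS = "Uid:\t108\t108\t108\t108\nGid:\t108\t108\t108\t108\nGroups:\t\n"
SHELL_STATUS = "Uid:\t108\t108\t108\t108\nGid:\t108\t108\t108\t108\nGroups:\t108 1001 \n"

@dataclass(frozen=True)
class ProcCreds:
    uid: int
    gid: int
    groups: frozenset  # supplementary group ids from the Groups: line

def parse_proc_status(text):
    """Extract effective uid/gid and supplementary groups from /proc/<pid>/status text."""
    uid = gid = None
    groups = frozenset()
    for line in text.splitlines():
        key, _, rest = line.partition(":")
        fields = rest.split()
        if key == "Uid":
            uid = int(fields[1])
        elif key == "Gid":
            gid = int(fields[1])
        elif key == "Groups":
            groups = frozenset(int(g) for g in fields)
    return ProcCreds(uid, gid, groups)

def can_read(creds, file_uid, file_gid, mode):
    """Classic DAC rule: owner bits, else group bits (primary or supplementary), else other."""
    if creds.uid == 0:
        return True  # root bypasses discretionary access checks
    if creds.uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if creds.gid == file_gid or file_gid in creds.groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def live_check(pid, path):
    """Run the same check against a real process and file on this host."""
    with open(f"/proc/{pid}/status") as f:
        creds = parse_proc_status(f.read())
    st = os.stat(path)
    return can_read(creds, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))

def daemon_can_read():  # daemon without the ssl supplementary group, file root:ssl 0640
    return can_read(parse_proc_status(DAEMON_STATUS), 0, SSL_GID, 0o640)

def shell_can_read():   # interactive shell whose Groups: line includes the ssl gid
    return can_read(parse_proc_status(SHELL_STATUS), 0, SSL_GID, 0o640)
```

Running live_check against the cyrmaster or imapd PID and the key path shows which credential set the daemon actually carries, rather than what "su cyrus" suggests.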