
I've created a CSR and private key pair, as instructed by StartSSL, for my postfix/dovecot Ubuntu 14.04 server, with:

openssl req -newkey rsa:2048 -keyout mydomain.key -out mydomain.csr

At the passphrase prompt, I entered (why not, right?) a password, instead of leaving it blank to have an unprotected key.

After pasting the CSR into StartSSL, I received the corresponding certificate associated with the password-protected key.

I have both Dovecot and Postfix using that certificate:

// /etc/postfix/main.cf
smtpd_tls_cert_file = /etc/ssl/private/mychain.pem
smtpd_tls_key_file = /etc/ssl/private/mydomain.key
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

// /etc/dovecot/conf.d/10-ssl.conf
ssl_cert = </etc/ssl/private/mychain.pem
ssl_key = </etc/ssl/private/mydomain.key

When testing with checktls.com, I receive:

// other steps omitted
749.-->STARTTLS\r\n
750.<--454 4.7.0 TLS not available due to local problem\r\n

And in my system log, the SMTP error, together with a Dovecot error that, luckily, happened at just that moment (one of my customers was trying to connect at that moment, I guess):

Oct 25 18:49:12 ns dovecot: pop3-login: Error: SSL private key file is password protected, but password isn't given
Oct 25 18:49:12 ns dovecot: pop3-login: Fatal: Couldn't parse private ssl_key: error:0907B068:PEM routines:PEM_READ_BIO_PRIVATEKEY:bad password read
Oct 25 18:49:12 ns dovecot: master: Error: service(pop3-login): command startup failed, throttling for 60 secs
Oct 25 18:49:16 ns postfix/smtpd[30437]: connect from www4.checktls.com[216.68.85.112]
Oct 25 18:49:17 ns postfix/smtpd[30437]: lost connection after UNKNOWN from www4.checktls.com[216.68.85.112]
Oct 25 18:49:17 ns postfix/cleanup[30461]: 93088330D956: message-id=<20161025164917.93088330D956@mydomain.com>
Oct 25 18:49:17 ns postfix/smtpd[30437]: disconnect from www4.checktls.com[216.68.85.112]

So, how can I make Postfix and Dovecot know the password, or remove the password, or do I have to renew the certificate again?

I'd prefer a solution to the first question (making them know the password), because it's a new situation for me and so I learn something (perhaps I need to "register" the password of that key in some password pool of the system?).

Jens Erat
Peregring-lk

2 Answers

Configuring Dovecot

You can configure Dovecot to unlock the key with the passphrase on startup. The SSL configuration Wiki page has a section on that:

SSL key files may be password protected. There are two ways to provide Dovecot with the password:

  1. Starting Dovecot with dovecot -p asks for the password. It's not stored anywhere, so this method prevents Dovecot from starting automatically at startup.

  2. ssl_key_password setting. Note that dovecot.conf is by default world-readable, so you probably shouldn't place it there directly. Instead you could store it in a different file, such as /etc/dovecot-private.conf containing:

    ssl_key_password = secret

    and then use !include_try /etc/dovecot-private.conf in the main dovecot.conf.

Postfix Requires an Unencrypted Key

Postfix cannot deal with encrypted keys, so you have to provide a decrypted copy:

In order to use TLS, the Postfix SMTP server generally needs a certificate and a private key. Both must be in "PEM" format. The private key must not be encrypted, meaning: the key must be accessible without a password. [...]

Removing the Passphrase

Removing the passphrase is also easily achieved by running

# prompts for the existing passphrase and writes the key out unencrypted
openssl rsa -in encrypted-key.pem -out decrypted-key.pem

without entering a new passphrase when the key is exported again.

Jens Erat
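The two steps the answer above describes (decrypt the key with openssl, then give the unencrypted copy to Postfix and Dovecot) are easy to get subtly wrong: the passphrase ends up in shell history, the decrypted file is created world-readable, or the wrong key is decrypted and the certificate no longer matches. The script below is an added example written for this page, not code from the answer or from the Postfix/Dovecot projects. It builds its own sample input (a passphrase-protected key and a self-signed certificate standing in for the StartSSL-issued one; the passphrase "hunter2", the paths under a temp directory and the name mail.example.com are all constructed for the demo), detects whether a PEM key is encrypted, strips the passphrase non-interactively with the passphrase passed through an environment variable, proves the decrypted key still belongs to the certificate, and checks the result is not world-readable.

```shell
#!/bin/sh
# Added example (not from the original answer): strip the passphrase from a
# private key safely and verify the result before pointing Postfix/Dovecot at it.
# The key, certificate and passphrase below are constructed demo data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Prints 1 if the PEM file is passphrase-protected, 0 otherwise.
# Traditional PEM marks this with "Proc-Type: 4,ENCRYPTED"; PKCS#8 uses the
# "ENCRYPTED PRIVATE KEY" header. Either form is what makes Dovecot log
# "SSL private key file is password protected, but password isn't given".
key_is_encrypted() {
    if grep -qE '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo 1
    else
        echo 0
    fi
}

# Writes an unencrypted copy of an encrypted RSA key.
# $1 = encrypted key, $2 = output path, $3 = NAME of an environment variable
# holding the passphrase (openssl's env: syntax), so the secret never appears
# on the command line, in ps output or in shell history. umask 077 inside the
# subshell makes the decrypted file owner-only from the moment it is created.
strip_passphrase() {
    in_key=$1; out_key=$2; pass_var=$3
    ( umask 077; openssl rsa -in "$in_key" -passin "env:$pass_var" -out "$out_key" 2>/dev/null )
}

# Prints "match" when the key's public half equals the certificate's public
# key, else "mismatch". Comparing SPKI PEM works for RSA and EC alike.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    if [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Prints 1 if the "other" read bit is set (file is world-readable), else 0.
world_readable() {
    if [ -n "$(find "$1" -perm -004 2>/dev/null)" ]; then echo 1; else echo 0; fi
}

# --- constructed demo data ---------------------------------------------------
# Same shape as the question's "openssl req -newkey" run, but with the
# passphrase supplied non-interactively and a self-signed cert instead of a
# CA-issued one.
KEYPASS=hunter2
export KEYPASS
openssl req -x509 -newkey rsa:2048 -days 30 -subj /CN=mail.example.com \
    -keyout "$WORK/mydomain.key" -out "$WORK/mydomain.crt" \
    -passout env:KEYPASS 2>/dev/null
# An unrelated key, to show that the match check really discriminates.
openssl genpkey -algorithm RSA -out "$WORK/other.key" 2>/dev/null

# --- the actual procedure ----------------------------------------------------
strip_passphrase "$WORK/mydomain.key" "$WORK/mydomain-nopass.key" KEYPASS

echo "original key encrypted:  $(key_is_encrypted "$WORK/mydomain.key")"
echo "decrypted key encrypted: $(key_is_encrypted "$WORK/mydomain-nopass.key")"
echo "decrypted key vs cert:   $(key_matches_cert "$WORK/mydomain-nopass.key" "$WORK/mydomain.crt")"
echo "unrelated key vs cert:   $(key_matches_cert "$WORK/other.key" "$WORK/mydomain.crt")"
echo "decrypted key world-readable: $(world_readable "$WORK/mydomain-nopass.key")"
```

On a real server you would then point smtpd_tls_key_file and ssl_key at the decrypted copy and run `postfix reload` and restart Dovecot; the decrypted file is now exactly as sensitive as the passphrase was, which is why the script refuses to create it with anything but owner-only permissions.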

You can also create an unencrypted key immediately with openssl. To get the key, CSR and crt files, the commands would be:

# generate an unencrypted 4096-bit RSA private key (no passphrase prompt)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out server.key
# create a certificate signing request for that key
openssl req -new -key server.key -out server.csr
# self-sign the CSR to produce a certificate valid for one year
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Tim Chaubet