1 Topic by 3n4rch3 (edited by 3n4rch3 2022-09-15 23:44:58)

  • 3n4rch3
  • Member
  • Offline
  • Registered: 2021-02-11
  • Posts: 28

Topic: Does iredadmin really need access to TLS privkey?

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version: 1.6.1
- Deployed with iRedMail Easy or the downloadable installer? D/L install
- Linux/BSD distribution name and version: Rocky Linux release 8.6 (Green Obsidian)
- Store mail accounts in which backend: LDAP
- Web server (Apache or Nginx): NGINX
- Manage mail accounts with iRedAdmin-Pro? YES, iRedAdmin-Pro-LDAP-5.3
- Error message:
---
Sep 15 00:34:14 mail.domain.com iredadmin[15911]: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 49: ssl_key: Can't open file /etc/pki/tls/private/iRedMail.key: Permission denied
---
====

I'm using LetsEncrypt certs, symlinked like so:

[root@mail:~#] namei -vm /etc/pki/tls/private/iRedMail.key
f: /etc/pki/tls/private/iRedMail.key
dr-xr-xr-x    /
drwxr-xr-x  etc
drwxr-xr-x  pki
drwxr-xr-x  tls
drwxr-xr-x  private
lrwxrwxrwx iRedMail.key -> /etc/letsencrypt/live/domain.com/privkey.pem
dr-xr-xr-x        /
drwxr-xr-x      etc
drwxr-xr-x      letsencrypt
drwxr-xr-x      live
drwxr-xr-x      domain.com
lrwxrwxrwx     privkey.pem -> ../../archive/domain.com/privkey7.pem
drwxr-xr-x           ..
drwxr-xr-x           ..
drwxr-xr-x           archive
drwxr-xr-x           domain.com
-rw-------              privkey7.pem

We have used it this way for many months (years?), although it has been a couple of months since I logged into the Pro panel. But now, I can no longer log in, although the credentials work for webmail login

iRedAdmin-Pro login _does_ work if I modify permissions on 'privkey7.pem' to 0644 (currently 0600, as they should be). Why does iredadmin user seem to need read access to the privkey, when postfix/dovecot/nginx/etc work fine as-is? I'm guessing it indicates a different config error, but i'm stumped on what to look for...

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by 3n4rch3

  • 3n4rch3
  • Member
  • Offline
  • Registered: 2021-02-11
  • Posts: 28

Re: Does iredadmin really need access to TLS privkey?

No ideas, anyone? neutral

3 Reply by 3n4rch3 (edited by 3n4rch3 2022-09-20 16:14:47)

  • 3n4rch3
  • Member
  • Offline
  • Registered: 2021-02-11
  • Posts: 28

Re: Does iredadmin really need access to TLS privkey?

According to dovecot, this is how they do it (and iRedAdmin reads from dovecot.conf):

Dovecot opens both of these files while still running as root, so you don’t need to give Dovecot any special permissions to read them (in fact: do not give dovecot user any permissions to the key file).

Apparently, iRedAdmin does not operate that way, at least not now (for me, that is). But I don't understand why, or what might have changed...

4 Reply by 3n4rch3 (edited by 3n4rch3 2022-09-20 17:06:31)

  • 3n4rch3
  • Member
  • Offline
  • Registered: 2021-02-11
  • Posts: 28

Re: Does iredadmin really need access to TLS privkey?

For the record, here are the actual (obfuscated) journal log lines:

Sep 20 04:45:09 mail.domain.com iredadmin[15911]: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 49: ssl_key: Can't open file /etc/pki/tls/private/iRedMail.key: Permission denied
Sep 20 04:45:09 mail.domain.com uwsgi[15915]: iredadmin Web login failed: client_address=192.168.12.34, username=postmaster@domain.com (/opt/www/iRedAdmin-Pro-LDAP-5.3/controllers/ldap/basic.py, L89)
Sep 20 04:45:09 mail.domain.com uwsgi[15915]: iredadmin Login failed. admin=postmaster@domain.com, domain=, username=, event=login, ip=192.168.12.34 (/opt/www/iRedAdmin-Pro-LDAP-5.3/libs/logger.py, L79)
Sep 20 04:45:09 mail.domain.com iredadmin[15911]: [192.168.12.34] POST /iredadmin/login 303 243 "https://192.168.12.56:8081/iredadmin/lo … REDENTIALS"
Sep 20 04:45:09 mail.domain.com iredadmin[15911]: [192.168.12.34] GET /iredadmin/login?msg=INVALID_CREDENTIALS 200 5578 "https://192.168.12.56:8081/iredadmin/lo … REDENTIALS"

5 Reply by 3n4rch3

  • 3n4rch3
  • Member
  • Offline
  • Registered: 2021-02-11
  • Posts: 28

Re: Does iredadmin really need access to TLS privkey?

One more note: I have seen this post regarding iredadmin cert directory permission errors. In that case, either the file wasn't there, or directory permissions were wrong. This is not the same problem.

6 Reply by 3n4rch3 (edited by 3n4rch3 2022-09-21 17:53:00)

  • 3n4rch3
  • Member
  • Offline
  • Registered: 2021-02-11
  • Posts: 28

Re: Does iredadmin really need access to TLS privkey?

So...it seems that it is not changes in iRedAdmin-Pro code, and maybe also not in my configuration...

We have an "old" (i.e., unupgraded from CentOS8). Today I decided to begin the process of catching up on updates. When I started, I was able to log in to iRedAdmin-Pro (old version) just fine. By the time i finished and rebooted, although everything else is still functional, I have the SAME PROBLEM as our production server--can't log into iRM-Pro, with the same error shown in the log.

All I did was upgrade from (EOL'd) C8 to Rocky Linux. Does anybody else here use Rocky successfully? It's probably not Rocky per se, but rather other package upgrades (There were a lot, since (some?) C8 repos are no longer available).

Still looking...:-/

7 Reply by 3n4rch3 (edited by 3n4rch3 2022-09-22 01:18:33)

  • 3n4rch3
  • Member
  • Offline
  • Registered: 2021-02-11
  • Posts: 28

Re: Does iredadmin really need access to TLS privkey?

If uwsgi runs as user 'root' rather than as user 'iredadmin' (set in /opt/www/iredadmin/rc_scripts/uwsgi/rhel8.ini), the cert error disappears, although others take it's place.

This is obviously not the answer anyway, but seems it might be relevant...

Edit: After commenting 'metric' block in the dovecot.conf file, with uwsgi still running as root, iRA-Pro login works perfectly. There's got to be a better way than running as root...

8 Reply by 3n4rch3

  • 3n4rch3
  • Member
  • Offline
  • Registered: 2021-02-11
  • Posts: 28

Re: Does iredadmin really need access to TLS privkey?

I guess uWSGI is normally starting as user 'root' (iredadmin.pid is owned by root), then dropping to 'iredadmin'. Only later, on login, does it try to read certs (why?), and runs into problems.

IF it really needs to read certs, why is it not doing that before dropping privileges?

9 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,082

Re: Does iredadmin really need access to TLS privkey?

- iRedAdmin(-Pro) is running as "iredadmin" user by "uwsgi" program, it doesn't read ssl cert/key at all. Nginx proxies requests to uwsgi program, and Nginx handles the ssl traffic between http client, then proxy plain http traffic to uwsgi program.
- Dovecot, Postfix, Nginx use ssl cert/key files.

10 Reply by 3n4rch3 (edited by 3n4rch3 2022-09-26 11:12:18)

  • 3n4rch3
  • Member
  • Offline
  • Registered: 2021-02-11
  • Posts: 28

Re: Does iredadmin really need access to TLS privkey?

ZhangHuangbin wrote:

- iRedAdmin(-Pro) is running as "iredadmin" user by "uwsgi" program, it doesn't read ssl cert/key at all. Nginx proxies requests to uwsgi program, and Nginx handles the ssl traffic between http client, then proxy plain http traffic to uwsgi program.
- Dovecot, Postfix, Nginx use ssl cert/key files.

Thanks, that's how I thought it should be. But in my case, if I allow 'iredadmin' user to read the privkey, login succeeds. Otherwise it fails.

11 Reply by 3n4rch3 (edited by 3n4rch3 2022-09-27 00:04:55)

  • 3n4rch3
  • Member
  • Offline
  • Registered: 2021-02-11
  • Posts: 28

Re: Does iredadmin really need access to TLS privkey?

ZhangHuangbin wrote:

...then proxy plain http traffic to uwsgi program.

Is there any chance that uwsgi, on port 7791, could have gotten misconfigured somehow to require a secure connection?

12 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,082

Re: Does iredadmin really need access to TLS privkey?

- uwsgi doesn't use ssl cert/key files at all.
- as mentioned in early reply, Nginx handles https traffic, then proxies to uwsgi program without ssl.

13 Reply by 3n4rch3

  • 3n4rch3
  • Member
  • Offline
  • Registered: 2021-02-11
  • Posts: 28

Re: Does iredadmin really need access to TLS privkey?

ZhangHuangbin wrote:

- uwsgi doesn't use ssl cert/key files at all.
- as mentioned in early reply, Nginx handles https traffic, then proxies to uwsgi program without ssl.

Thanks, I heard you the first time. Why then, as I also mentioned earlier, does it make a difference if I grant read access to 'iredadmin' user (and thus, uwsgi) on the privkey?  This isn't a one-time fluke, I granted/un-granted several times, with the same result. It may be theoretically unrelated; but practically speaking there's more to the story.

That is what I'd really like to put my finger on.

14 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,082

Re: Does iredadmin really need access to TLS privkey?

How to reproduce this issue with iRedAdmin? Does it trigger password generation? If yes, i guess it's related to Dovecot bug in between Dovecot 2.3.11 and 2.3.17:
https://github.com/dovecot/core/blob/2. … #L238-L240