external/mailinabox
1
0
Fork 0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2024-11-22 02:17:26 +00:00
Code Issues Releases Wiki Activity

Protect private key from being world-readable

Browse Source 
Postfix, Dovecot, and nginx all read the key file while they're running
as root — before dropping permissions — so no authorization is needed on
the private key file beyond being root-readable.
This commit is contained in:
Michael Kropat 2014-06-07 19:40:50 -04:00
parent 3fa8e384d4
commit 42bf624045
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
setup/mail.sh
View File

@ -217,11 +217,12 @@ tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \ "ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
# SSL CERTIFICATE # SSL CERTIFICATE
mkdir -p $STORAGE_ROOT/ssl mkdir -p $STORAGE_ROOT/ssl
if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
# Generate a new private key if one doesn't already exist. # Generate a new private key if one doesn't already exist.
openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048 # Set the umask so the key file is not world-readable.
(umask 077; openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048)
fi fi
if [ ! -f $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr ]; then if [ ! -f $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr ]; then
# Generate a certificate signing request if one doesn't already exist. # Generate a certificate signing request if one doesn't already exist.