the "*.pem" files are used by different programs. under my patch, the
"servercert.pem" file is only used by the qmail-smtpd program, which
runs as qmaild, which is a member of the "nofiles" group, which means
that "servercert.pem" needs to be owned by root, with the nofiles
group, and have permissions 0640... and the "clientcert.pem" file is
only used by qmail-remote, which runs as qmailr, which is a member of
the "qmail" group, so it should be owned by root, group qmail,
permissions 0640. which means that "clientcert.pem" should NOT be a
symlink to "servercert.pem". (this is one of the most common errors
that "qmailrocks" users make, because the brain-dead qmailrocks
scripts set things up this way.)
i would suggest you review which programs actually use these files,
figure out what userid they run under, and set their permissions
appropriately. and remember that these ".pem" files contain the
encryption keys which are used to secure the mail coming into or out
of your server; if they fall into the hands of the wrong process, you
could potentially lose the benefit of encrypting your connections.
----------------------------------------------------------------
| John M. Simpson --- KG4ZOW --- Programmer At Large |
| http://www.jms1.net/ <jms1@jms1.net> |
----------------------------------------------------------------
| http://video.google.com/videoplay?docid=-1656880303867390173 |
----------------------------------------------------------------
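The ownership and mode rules described in the reply above, as an added check script that is not part of the original thread or of qmail: it assumes GNU coreutils stat(1), takes the control directory as a parameter, and reports whether servercert.pem and clientcert.pem are separate files with the expected owner, group and mode.

```shell
#!/bin/sh
# Added example (not from the original thread): verify the qmail TLS key
# files have the ownership/group/mode the reply describes, and that
# clientcert.pem is a real file rather than a symlink to servercert.pem.
# Assumes GNU stat(1); the control directory defaults to /var/qmail/control.

# check_pem FILE OWNER GROUP MODE
# Prints a verdict and returns 0 only if FILE is a regular, non-symlinked
# file owned by OWNER:GROUP with octal MODE (as stat prints it, e.g. 640).
check_pem() {
    file=$1 want_owner=$2 want_group=$3 want_mode=$4
    if [ -L "$file" ]; then
        echo "FAIL: $file is a symlink (each program needs its own file)"
        return 1
    fi
    if [ ! -f "$file" ]; then
        echo "FAIL: $file is missing"
        return 1
    fi
    have=$(stat -c '%U:%G:%a' "$file") || return 1
    want="$want_owner:$want_group:$want_mode"
    if [ "$have" = "$want" ]; then
        echo "OK:   $file is $have"
        return 0
    fi
    echo "FAIL: $file is $have, expected $want"
    return 1
}

# check_qmail_tls [CONTROLDIR]
# Applies the values from the thread: servercert.pem is read by qmail-smtpd
# (runs as qmaild, group nofiles); clientcert.pem is read by qmail-remote
# (runs as qmailr, group qmail). Both should be root-owned, mode 0640.
check_qmail_tls() {
    dir=${1:-/var/qmail/control}
    rc=0
    check_pem "$dir/servercert.pem" root nofiles 640 || rc=1
    check_pem "$dir/clientcert.pem" root qmail 640 || rc=1
    return $rc
}
```

Run it as root against the live control directory (`check_qmail_tls`), or against a copy by passing the directory.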
Excellent! Thank you very much for that. I don't know why I hadn't
looked at the permissions on the .pem files. I'm in the process of checking
those items now.
Dan