Package: dovecot-common
Version: 1.0.rc15-2etch1
Severity: minor

I thought at first this would be grave, but it fortunately isn't.

I have two separate cert files both based off the same key for dovecot
imap and pop:

  protocol imap {
    ssl_listen = *
    ssl_cert_file = /etc/ssl/certs/imap.madduck.net.pem
    ssl_key_file = /etc/ssl/private/seamus.madduck.net.key
  }
  protocol pop3 {
    ssl_listen = *
    ssl_cert_file = /etc/ssl/certs/pop.madduck.net.pem
    ssl_key_file = /etc/ssl/private/seamus.madduck.net.key
  }

The postinst can't deal with that:

  ++ egrep -s '^[^#]*ssl_cert_file' /etc/dovecot/dovecot.conf
  ++ cut -d= -f2
  + SSL_CERT=' /etc/ssl/certs/imap.madduck.net.pem /etc/ssl/certs/pop.madduck.net.pem'
  ...
  + '[' -f /etc/ssl/certs/imap.madduck.net.pem /etc/ssl/certs/pop.madduck.net.pem ']'
  /var/lib/dpkg/info/dovecot-common.postinst: line 28: [: /etc/ssl/certs/imap.madduck.net.pem: binary operator expected
  + echo 'Creating generic self-signed certificate: /etc/ssl/certs/imap.madduck.net.pem /etc/ssl/certs/pop.madduck.net.pem'

So this would overwrite the existing certs. Fortunately, I was saved by
openssl:

  + openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/imap.madduck.net.pem /etc/ssl/certs/pop.madduck.net.pem -keyout /etc/ssl/private/seamus.madduck.net.key /etc/ssl/private/seamus.madduck.net.key
  + echo 'Warning : Bad SSL config, can'\''t generate certificate'

So, nothing happened.

If you can't figure out how to handle multiple certs, be safe and
simply do nothing if more than one cert is present, as then it's
moderately safe to assume that the admin knows what s/he's doing.

Also, I'd really change the if statement. Now it creates self-signed
certs if the if is false, which may be the case if there's an error
(-f should actually not be true on symlinks). I suggest to revert it
such that certs are only created if

  [ ! -e cert ] && [ ! -e key ]

else nothing happens.

Cheers,

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems
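
The guard suggested in the report above, written out as an added example (it is not the dovecot-common postinst and not code from the reporter): it does nothing when the config names more than one certificate or key, and proposes generation only when neither path exists. The function names sample_conf, conf_values and decide_cert_action are hypothetical.

```shell
#!/bin/sh
# Added example, not the dovecot-common postinst. Function names are hypothetical.

# The configuration from the report (two certs sharing one key).
sample_conf() {
    cat <<'EOF'
protocol imap {
  ssl_listen = *
  ssl_cert_file = /etc/ssl/certs/imap.madduck.net.pem
  ssl_key_file = /etc/ssl/private/seamus.madduck.net.key
}
protocol pop3 {
  ssl_listen = *
  ssl_cert_file = /etc/ssl/certs/pop.madduck.net.pem
  ssl_key_file = /etc/ssl/private/seamus.madduck.net.key
}
EOF
}

# Print the value of every uncommented "<key> = <value>" line, one per line.
conf_values() {  # $1 = key, $2 = config file
    sed -n "s/^[^#]*$1[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$2"
}

# Print "generate CERT KEY" only when it is safe to create files, else "skip: ...".
decide_cert_action() {  # $1 = config file
    certs=$(conf_values ssl_cert_file "$1" | sort -u)
    keys=$(conf_values ssl_key_file "$1" | sort -u)
    n_certs=$(printf '%s\n' "$certs" | grep -c . || true)
    n_keys=$(printf '%s\n' "$keys" | grep -c . || true)
    # Several distinct paths: the admin has a custom setup, so touch nothing.
    if [ "$n_certs" -ne 1 ] || [ "$n_keys" -ne 1 ]; then
        echo "skip: need exactly one cert and one key, found $n_certs and $n_keys"
        return 0
    fi
    # Quoted operands; -e covers any file type, -L also catches a dangling symlink.
    if [ -e "$certs" ] || [ -L "$certs" ] || [ -e "$keys" ] || [ -L "$keys" ]; then
        echo "skip: cert or key path already exists"
        return 0
    fi
    echo "generate $certs $keys"
}

# Demo on the reported configuration: prints a "skip:" line.
demo_conf=$(mktemp)
sample_conf > "$demo_conf"
decide_cert_action "$demo_conf"
rm -f "$demo_conf"
```

Because every expansion is quoted, a multi-valued result can no longer reach `[` as several words, which is what produced the "binary operator expected" error in the trace.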