On the mail server, 4 applications interact with mail.nasqueron.org
certificates, including private key:
- acme.sh to generate and renew
- nginx for HTTPS
- dovecot for IMAPS and POPS
- postfix for SMTP with STARTTLS
While Postfix and nginx seem happy to read it, Dovecot seems to read it
after the privilege drop. In such a scenario, it makes sense to share
/var/certificates/mail.nasqueron.org among the mail group.
The permissions and ownership of any /var/certificates subfolder can thus be:
- regular case: acme:0 700
- shared group: acme:<group> 750
Finally, only postfix is added to the mail group during installation,
so we explicitly need to set the list of users to include acme and dovecot.
This change doesn't alter any nginx behavior: nginx will still read
the private key as root before dropping privileges.
Ref T2132 to allow Dovecot to read certificate
Ref T2403 for /var/certificates management
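The two cases above (regular acme:0 700, shared acme:<group> 750) can be checked mechanically. The following is an added example, not part of this commit or of the project's configuration management: a small audit that verifies a certificate subfolder's owner, group and mode against the policy described in the message, and flags any file inside it (typically the private key) that is world-accessible, or group-accessible when the folder is not meant to be shared. The directory name mail.example.org, the key file and its placeholder content are constructed for the demo, which runs against a temporary directory owned by the current user instead of acme.

```python
import grp
import os
import pwd
import shutil
import stat
import tempfile

# Policy from the commit message: a /var/certificates subfolder is either
# "regular" (owner acme, group 0, mode 700) or "shared" (owner acme,
# group <group>, mode 750).
REGULAR_DIR_MODE = 0o700
SHARED_DIR_MODE = 0o750


def _name_of_uid(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def _name_of_gid(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit_cert_dir(path, owner, group=None):
    """Return a list of policy violations for one certificate directory.

    owner: expected owning user (acme on the mail server).
    group: the sharing group for a shared directory, or None for the
           regular case, where the group must be root (gid 0).
    """
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["%s: not a directory" % path]

    shared = group is not None
    expected_group = group if shared else "root"
    expected_mode = SHARED_DIR_MODE if shared else REGULAR_DIR_MODE

    problems = []
    actual_owner = _name_of_uid(st.st_uid)
    actual_group = _name_of_gid(st.st_gid)
    actual_mode = stat.S_IMODE(st.st_mode)
    if actual_owner != owner:
        problems.append("%s: owner is %s, expected %s" % (path, actual_owner, owner))
    if actual_group != expected_group:
        problems.append("%s: group is %s, expected %s" % (path, actual_group, expected_group))
    if actual_mode != expected_mode:
        problems.append("%s: mode is %o, expected %o" % (path, actual_mode, expected_mode))

    # Files inside (certificate chain and private key): never world-accessible,
    # and group-accessible only when the directory is deliberately shared.
    for name in sorted(os.listdir(path)):
        fpath = os.path.join(path, name)
        fmode = stat.S_IMODE(os.lstat(fpath).st_mode)
        if fmode & stat.S_IRWXO:
            problems.append("%s: world-accessible (mode %o)" % (fpath, fmode))
        if not shared and fmode & stat.S_IRWXG:
            problems.append("%s: group-accessible (mode %o) in a non-shared directory" % (fpath, fmode))
    return problems


def demo():
    """Audit a constructed shared directory in three states:
    compliant, wrong directory mode, and world-readable private key."""
    root = tempfile.mkdtemp()
    certdir = os.path.join(root, "mail.example.org")  # constructed name
    os.mkdir(certdir)
    os.chmod(certdir, SHARED_DIR_MODE)
    # The demo stands in for acme:mail with the current user and the
    # group the temporary directory actually got.
    owner = _name_of_uid(os.getuid())
    group = _name_of_gid(os.lstat(certdir).st_gid)

    key = os.path.join(certdir, "mail.example.org.key")
    with open(key, "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n")
    os.chmod(key, 0o640)  # owner rw, sharing group r, others nothing

    results = {"compliant": audit_cert_dir(certdir, owner, group)}
    os.chmod(certdir, 0o755)
    results["wrong_dir_mode"] = audit_cert_dir(certdir, owner, group)
    os.chmod(certdir, SHARED_DIR_MODE)
    os.chmod(key, 0o644)
    results["world_readable_key"] = audit_cert_dir(certdir, owner, group)
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for state, findings in demo().items():
        print(state, findings or "OK")
```

On the real host the call would be `audit_cert_dir("/var/certificates/mail.nasqueron.org", "acme", "mail")` for the shared folder and `audit_cert_dir(path, "acme")` for a regular one; any non-empty result is a drift from the intended acme:0 700 / acme:mail 750 layout.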