DevCentral
Transactions
D3712
Change Details
Old

On the mail server, 4 applications interact with mail.nasqueron.org certificates, including the private key:
- acme.sh to generate and renew
- nginx for HTTPS
- dovecot for IMAPS and POPS
- postfix for SMTP with STARTTLS

While Postfix and nginx seem happy to read, Dovecot seems to read it after the privilege drop. In such a scenario, it makes sense to share /var/certificates/mail.nasqueron.org among the mail group.

The permissions and ownership of any /var/certificates subfolder can so be:
- regular case: acme:0 700
- shared group: acme:<group> 750

Finally, only postfix is added to the mail group during installation, so we explicitly need to set the list of users to include acme and dovecot.

This change doesn't alter any nginx behavior: nginx will still read the private key as root before dropping privileges.

Ref T2132 to allow Dovecot to read certificate
Ref T2403 for /var/certificates management

New

On the mail server, 4 applications interact with mail.nasqueron.org certificates, including the private key:
- acme.sh to generate and renew
- nginx for HTTPS
- dovecot for IMAPS and POPS
- postfix for SMTP with STARTTLS

While Postfix and nginx seem happy to read, Dovecot seems to read it after the privilege drop. In such a scenario, it makes sense to share /var/certificates/mail.nasqueron.org among the mail group.

The permissions and ownership of any /var/certificates subfolder can so be:
- regular case: acme:0 700
- shared group: acme:<group> 750

Finally, only postfix is added to the mail group during installation, so we explicitly need to set the list of users to include acme and dovecot.

This change doesn't alter any nginx behavior: nginx will still read the private key as root before dropping privileges.

Ref T2132 to allow Dovecot to read certificate
Ref T2043 for /var/certificates management

Diff

On the mail server, 4 applications interact with mail.nasqueron.org certificates, including the private key:
- acme.sh to generate and renew
- nginx for HTTPS
- dovecot for IMAPS and POPS
- postfix for SMTP with STARTTLS

While Postfix and nginx seem happy to read, Dovecot seems to read it after the privilege drop. In such a scenario, it makes sense to share /var/certificates/mail.nasqueron.org among the mail group.

The permissions and ownership of any /var/certificates subfolder can so be:
- regular case: acme:0 700
- shared group: acme:<group> 750

Finally, only postfix is added to the mail group during installation, so we explicitly need to set the list of users to include acme and dovecot.

This change doesn't alter any nginx behavior: nginx will still read the private key as root before dropping privileges.

Ref T2132 to allow Dovecot to read certificate
Ref T2403 → T2043 for /var/certificates management
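The ownership and mode scheme described in the summary above (acme:0 700 for a private folder, acme:<group> 750 for a shared one) can be audited with a small POSIX shell script. This is an added example, not code from D3712 or from the Nasqueron deployment; the folder root, the expected owner `acme` and the treatment of group 0/root/wheel as the "regular case" are assumptions taken from the summary.

```shell
#!/bin/sh
# Added example (not part of D3712): audit /var/certificates subfolders.
#   regular case : acme:0       mode 700  (drwx------)
#   shared group : acme:<group> mode 750  (drwxr-x---)
# Relies only on POSIX `ls -ld` and awk, so it runs on FreeBSD and Linux.

# check_cert_dir_perms OWNER GROUP SYMBOLIC_MODE [EXPECTED_OWNER]
# Pure policy check: prints "ok" or the violation, returns 0 only when compliant.
# Group 0/root/wheel selects the regular case, any other group the shared case.
check_cert_dir_perms() {
    owner=$1 group=$2 mode=$3 want_owner=${4:-acme}
    if [ "$owner" != "$want_owner" ]; then
        echo "bad owner $owner (expected $want_owner)"
        return 1
    fi
    case $group in
        0|root|wheel) want_mode=drwx------ ;;   # private to acme
        *)            want_mode=drwxr-x--- ;;   # readable by the sharing group
    esac
    if [ "$mode" != "$want_mode" ]; then
        echo "bad mode $mode for group $group (expected $want_mode)"
        return 1
    fi
    echo ok
}

# dir_perms DIR
# Prints "owner group symbolic-mode"; the mode is cut to 10 characters so a
# trailing ACL or SELinux marker (+ or .) cannot break the comparison.
dir_perms() {
    ls -ld "$1" | awk '{ print $3, $4, substr($1, 1, 10) }'
}

# audit_cert_tree ROOT [EXPECTED_OWNER]
# Checks every direct subfolder of ROOT, prints one line per folder and
# returns 1 if any folder violates the policy.
audit_cert_tree() {
    root=$1 want_owner=${2:-acme} status=0
    for d in "$root"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        set -- $(dir_perms "$d")
        result=$(check_cert_dir_perms "$1" "$2" "$3" "$want_owner") || status=1
        echo "$d: $result"
    done
    return $status
}

# Usage: sh audit-certs.sh /var/certificates [acme]
if [ $# -gt 0 ]; then audit_cert_tree "$@"; fi
```

A folder that is world-readable (755) or group-writable (770) is reported whatever its group, since neither matches the two permitted modes.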