I checked from my backups, there was only a dovecot.pem (not a dovecot.key file there) from 4 years ago:

=> /bin/ls -lt etc/dovecot/private/
total 4
-rw------- 1 me me 1704 Jun 6 2013 dovecot.pem
=>

What happened with the install is that, without a matching dovecot.key file, dovecot cannot start.
It's only functional if *** both *** dovecot.key and dovecot.pem are present, so if at least one of these is missing,
the postinstall script has to take action, not just when both are missing.

The postinstall script could easily issue a warning if it has to repair a partial setup, such as a missing dovecot.key
but an existing dovecot.pem.

thanks,
--jack

From: Apollon Oikonomopoulos <apoi...@debian.org>
To: JS <jsh...@yahoo.com>; 867...@bugs.debian.org
Sent: Monday, July 10, 2017 9:22 AM
Subject: Re: Bug#867593: dovecot-core 1:2.2.31-1 upgrade does not have valid certs in /etc/dovecot/private

Hi,

On 01:51 Mon 10 Jul , JS wrote:
> hello,
> It's possible this is the problem in the post-install script (there was a
> dovecot.key, only, in the directory, don't know where it came from):
>
> # SSL configuration
> # Use the ssl-cert-snakeoil certificate in the following cases:
> # - On new installations
> # - On upgrades from versions that did not enable SSL by default
> if [ -z "$2" ] || dpkg --compare-versions "$2" lt "1:2.2.31-1~"; then
>   if [ ! -e /etc/dovecot/private/dovecot.key ] && \
>      ### only works if *** both *** dovecot.key and dovecot.pem are missing
>      [ ! -e /etc/dovecot/private/dovecot.pem ]; then
>     ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/dovecot/private/dovecot.pem
>     ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/dovecot/private/dovecot.key
>   fi
> fi
>
> Perhaps this should have been:
> if [ ! -e /etc/dovecot/private/dovecot.key ] ||
>    [ ! -e /etc/dovecot/private/dovecot.pem ]   ### if *** either *** dovecot.key OR dovecot.pem missing, create default symlinks
> then
>   /bin/mv /etc/dovecot/private/dovecot.key /etc/dovecot/private/dovecot.key-OLD 2>/dev/null || true
>   /bin/mv /etc/dovecot/private/dovecot.pem /etc/dovecot/private/dovecot.pem-OLD 2>/dev/null || true
>   # create *** both *** default symlinks:
>   ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/dovecot/private/dovecot.pem
>   ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/dovecot/private/dovecot.key
> fi
>
> thanks,
> --jack

I was trying to be conservative there, to make sure I will never overwrite
key material that the sysadmin might have created. The mtime of dovecot.key
would probably help, could you please provide that?

Thanks,
Apollon
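
The two positions in this thread (act on a partial setup, but never overwrite key material the sysadmin may have created) can be combined by classifying the directory first and only warning in the partial case. The sketch below is an added example, not the dovecot-core postinst and not code from either participant; the function names `pair_state` and `ensure_pair` and the directory and default-pair parameters are assumptions made so it can be run against a scratch directory.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not the package's maintainer script).

# Print the state of the dovecot.pem/dovecot.key pair in directory $1:
# complete, absent, key-only or cert-only.
# -L is tested as well as -e because -e is false for a dangling symlink,
# and a later "ln -s" onto that name would fail.
pair_state() {
    dir=$1 have_key=no have_pem=no
    if [ -e "$dir/dovecot.key" ] || [ -L "$dir/dovecot.key" ]; then have_key=yes; fi
    if [ -e "$dir/dovecot.pem" ] || [ -L "$dir/dovecot.pem" ]; then have_pem=yes; fi
    case "$have_key/$have_pem" in
        yes/yes) echo complete ;;
        no/no)   echo absent ;;
        yes/no)  echo key-only ;;
        no/yes)  echo cert-only ;;
    esac
}

# ensure_pair DIR DEFAULT_PEM DEFAULT_KEY
# - complete: nothing to do
# - absent:   link both defaults, as the quoted postinst does
# - partial:  touch nothing, warn on stderr and return non-zero so the
#             caller can surface the problem instead of leaving a daemon
#             that cannot start
ensure_pair() {
    dir=$1 def_pem=$2 def_key=$3
    state=$(pair_state "$dir")
    case "$state" in
        complete)
            return 0 ;;
        absent)
            ln -s "$def_pem" "$dir/dovecot.pem" &&
            ln -s "$def_key" "$dir/dovecot.key" ;;
        *)
            echo "warning: $dir has a partial certificate setup ($state);" \
                 "dovecot needs both dovecot.pem and dovecot.key" >&2
            return 1 ;;
    esac
}
```

In a maintainer script the call would be `ensure_pair /etc/dovecot/private /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key`, using the paths quoted in the thread.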