Closed fredericmoulins closed 4 years ago
Yes, I noticed the same when running the playbooks myself. Since I am working on dovecot/postfix, I will add the fix in the branch before the pull request.
I found the cause of the issue and I am testing the resolution right now. It slightly increases performance as well...
Dovecot apparently still needs to access the LDAP fullchain certificates (not the private key) even in buster, due to its (open)ldap client configuration.
There was a `www-data` access remaining in mta-sts, and the user postfix doesn't seem to need access to the certificates or private key. This is not everything, since there is still the issue with openldap. The ldap role (and the calls to cert-perms) seems to do what's needed, but when running the main playbook the mask of the private key seems to be reset at some point (to 0, giving an `effective: ---` for the user openldap).
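The `effective: ---` symptom above is how getfacl reports a named-user entry that is cut down by the ACL mask: on Linux the `mask::` entry caps every named user and group entry, and a plain `chmod` on a file that carries an extended ACL rewrites that mask from the group bits, so a `chmod 600` after the cert-perms step leaves `user:openldap:r--` in place but makes it useless. The thread does not say what reset the mask; the following is an added example (not code from the playbooks discussed here) that computes the effective permission a user gets from getfacl-style text, using two constructed ACL listings for an assumed key path, so the check can be run offline without setfacl/getfacl:

```sh
#!/bin/sh
# Added example, not part of the project in this thread.
# Computes the effective permission a named ACL user has on a file,
# from getfacl-style output: named entries are ANDed with the mask entry.

# Constructed getfacl output for the LDAP private key after the mask was
# reset to 0 (the state reported in the thread). Path is an assumption.
ACL_RESET='# file: /etc/letsencrypt/live/example.org/privkey.pem
# owner: root
# group: root
user::rw-
user:openldap:r--
group::---
mask::---
other::---'

# Constructed getfacl output for the same file with a sane mask:
# openldap keeps its read access because the mask allows r--.
ACL_OK='# file: /etc/letsencrypt/live/example.org/privkey.pem
# owner: root
# group: root
user::rw-
user:openldap:r--
group::---
mask::r--
other::---'

# effective_perms ACL_TEXT USER
# Prints the 3-character effective permission (e.g. "r--") for USER,
# or "none" when USER has no named entry in the ACL.
effective_perms() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        # named user entry: user:<name>:<perms>
        $1 == "user" && $2 == u { p = $3 }
        # mask entry: mask::<perms>
        $1 == "mask" && $2 == "" { m = $3 }
        END {
            if (p == "") { print "none"; exit }
            # no mask entry means no extended ACL: the entry applies as is
            if (m == "") { print p; exit }
            out = ""
            for (i = 1; i <= 3; i++) {
                c  = substr(p, i, 1)
                mc = substr(m, i, 1)
                out = out ((c != "-" && c == mc) ? c : "-")
            }
            print out
        }'
}

# can_read ACL_TEXT USER -> exit status 0 if the effective permission
# includes read, 1 otherwise (handy as a post-playbook assertion).
can_read() {
    case "$(effective_perms "$1" "$2")" in
        r*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Demonstration: the reset mask hides openldap's read access.
printf 'after mask reset: %s\n' "$(effective_perms "$ACL_RESET" openldap)"
printf 'with mask r--:    %s\n' "$(effective_perms "$ACL_OK" openldap)"
```

On a real host the same check is `getfacl -p /path/to/privkey.pem | effective_perms`-style parsing of live output; the fix for the symptom is to set the mask explicitly (`setfacl -m m::r /path/to/privkey.pem`) or, better, to avoid running `chmod` on the key after the ACL has been applied.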