For example in /etc/postfix/main.cf:
smtpd_tls_cert_file = /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/blanco.colmena.biz/blanco.colmena.biz.crt
smtp_tls_cert_file = /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/blanco.colmena.biz/blanco.colmena.biz.crt
smtpd_tls_key_file = /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/blanco.colmena.biz/blanco.colmena.biz.key
smtp_tls_key_file = /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/blanco.colmena.biz/blanco.colmena.biz.key
Which works fine except that I am enabling SELinux for, you know, security, and the key files are in a different security context than the mail server or other services that I would want to share the key with, and with SELinux in enforcing mode, postfix will no longer be able to access the keys.
----
time->Sat Jan 11 09:51:58 2025
type=AVC msg=audit(1736589118.808:253): avc: denied { read } for pid=1933 comm="smtpd" name="blanco.colmena.biz.crt" dev="sda5" ino=138459 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
time->Sat Jan 11 09:51:58 2025
type=AVC msg=audit(1736589118.808:254): avc: denied { open } for pid=1933 comm="smtpd" path="/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/blanco.colmena.biz/blanco.colmena.biz.crt" dev="sda5" ino=138459 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
time->Sat Jan 11 09:51:58 2025
type=AVC msg=audit(1736589118.808:255): avc: denied { getattr } for pid=1933 comm="smtpd" path="/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/blanco.colmena.biz/blanco.colmena.biz.crt" dev="sda5" ino=138459 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
It would not be a problem to run certbot certonly to obtain certificates, but caddy is already binding port 80, as this user has already found.
EDIT: there are other tools to set security context.
# semanage fcontext ...
Labeling problems
A common cause of labeling problems is when a non-standard directory is used for a service…
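An added example, not code from the original post nor from Caddy or Postfix: a small Python script that parses the ausearch AVC records shown above, groups the denied permissions by source domain, target type and object class, derives the directory that carries the wrong label and emits the semanage fcontext / restorecon commands, preceded by a sesearch check. The sample log is copied from the denials above; the target type cert_t, and the assumption that postfix_smtpd_t is allowed to read files of that type, are assumptions the sesearch line is there to confirm before anything is relabeled. The permissive=1 field in those records means the denial was only logged, which is why the failure only shows up once enforcing mode is switched on.

```python
"""Parse SELinux AVC denials (ausearch -m avc output) and derive a labeling fix.

Constructed example; not from the original post or from Caddy/Postfix.
cert_t as the new type, and postfix_smtpd_t being allowed to read cert_t,
are assumptions: run the emitted sesearch command to verify them first.
"""
import os
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: the three denials from the post above (constructed copy).
SAMPLE_LOG = """\
----
time->Sat Jan 11 09:51:58 2025
type=AVC msg=audit(1736589118.808:253): avc: denied { read } for pid=1933 comm="smtpd" name="blanco.colmena.biz.crt" dev="sda5" ino=138459 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
time->Sat Jan 11 09:51:58 2025
type=AVC msg=audit(1736589118.808:254): avc: denied { open } for pid=1933 comm="smtpd" path="/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/blanco.colmena.biz/blanco.colmena.biz.crt" dev="sda5" ino=138459 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
time->Sat Jan 11 09:51:58 2025
type=AVC msg=audit(1736589118.808:255): avc: denied { getattr } for pid=1933 comm="smtpd" path="/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/blanco.colmena.biz/blanco.colmena.biz.crt" dev="sda5" ino=138459 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
"""


def parse_avc(line: str) -> Optional[dict]:
    """Return the interesting fields of one AVC record, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "pid": int(fields.get("pid", 0)),
        "comm": fields.get("comm"),
        # some records carry only the file name, others the full path
        "path": fields.get("path") or fields.get("name"),
        "stype": fields["scontext"].split(":")[2],   # source domain, e.g. postfix_smtpd_t
        "ttype": fields["tcontext"].split(":")[2],   # target type, e.g. var_lib_t
        "tclass": fields.get("tclass"),
        "enforced": fields.get("permissive") == "0",  # permissive=1 => logged only
    }


def summarize(log: str) -> Dict[Tuple[str, str, str], dict]:
    """Group denials by (source domain, target type, class), merging permissions and paths."""
    groups: Dict[Tuple[str, str, str], dict] = defaultdict(
        lambda: {"perms": set(), "paths": set(), "enforced": False})
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["paths"].add(rec["path"])
        g["enforced"] = g["enforced"] or rec["enforced"]
    return dict(groups)


def common_directory(paths: Iterable[str]) -> Optional[str]:
    """Deepest directory shared by the absolute paths in the denials (names-only records are skipped)."""
    dirs = [os.path.dirname(p) for p in paths if p and p.startswith("/")]
    return os.path.commonpath(dirs) if dirs else None


def suggest_fix(stype: str, tclass: str, perms: Iterable[str], directory: str,
                new_type: str = "cert_t") -> List[str]:
    """Commands to run as root: verify the policy first, then relabel persistently."""
    return [
        f"sesearch --allow -s {stype} -t {new_type} -c {tclass} -p {','.join(sorted(perms))}",
        f"semanage fcontext -a -t {new_type} '{directory}(/.*)?'",
        f"restorecon -Rv {directory}",
    ]


if __name__ == "__main__":
    for (stype, ttype, tclass), g in summarize(SAMPLE_LOG).items():
        mode = "enforced" if g["enforced"] else "logged only (permissive)"
        print(f"{stype} denied {sorted(g['perms'])} on {tclass} labeled {ttype} [{mode}]")
        directory = common_directory(g["paths"])
        if directory:
            print("\n".join(suggest_fix(stype, tclass, g["perms"], directory)))
```

Relabeling Caddy's certificate directory changes the label the caddy process sees as well: if caddy runs in a confined domain, repeat the sesearch check with that domain and the write permission before relabeling, or keep a copy of the files in a separately labeled directory instead. The DAC permissions on the key file are unaffected by the relabel and should stay as tight as they are.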