Hi Timo,
first of all, thank you for your patience.
Here is my directory structure with ownership and file permissions (the parent directories are root-owned and world-searchable, and the key itself is mode 0400, owned by dovecot:dovecot):
ls -lad /etc/dovecot/ssl/
drwxr-xr-x 1 root root 24 Feb 27 09:55 /etc/dovecot/ssl/
ls -l /etc/dovecot/ssl/
total 0
drwxr-xr-x 1 root root 204 Feb 27 09:55 certs
drwxr-xr-x 1 root root 116 Feb 27 09:55 private
ls -l /etc/dovecot/ssl/certs/wildcard.idmz.tachtler.net.chain.pem
-r--r--r-- 1 dovecot dovecot 11627 Feb 27 09:55 /etc/dovecot/ssl/certs/wildcard.idmz.tachtler.net.chain.pem
ls -l /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
-r-------- 1 dovecot dovecot 1703 Feb 27 09:55 /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
And my doveconf -n:
---- %< ----
doveconf -n
2.4.3 (e278b1e09b): /etc/dovecot/dovecot.conf
Pigeonhole version 2.4.3 (0bf9ee48)
OS: Linux 6.18.20-1-lts x86_64
Hostname: vml080.idmz.tachtler.net
dovecot_config_version = 2.4.3
acl_driver = vfile
auth_master_user_separator = *
auth_mechanisms = plain digest-md5 cram-md5 login
auth_verbose = yes
dovecot_storage_version = 2.4.3
listen = 127.0.0.1 10.0.0.80 ::1 fd00::10:10:0:0:80
mail_attachment_detection_options =
mail_compress_write_method = zstd
mail_driver = maildir
mail_log_events = delete undelete expunge save copy mailbox_create mailbox_delete mailbox_rename
mail_log_fields = uid box msgid size vsize from
mail_path = ~/Maildir
mail_plugins {
  quota = yes
  quota_clone = yes
  mail_log = yes
  notify = yes
  mail_compress = yes
  acl = yes
}
protocols {
  imap = yes
  lmtp = yes
  sieve = yes
}
quota_storage_grace = 100M
quota_storage_size = 1G
sql_driver = mysql
ssl = required
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM: ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:!CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_cipher_suites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256
verbose_proctitle = yes
service anvil {
  unix_listener anvil {
    user = vmail
  }
}
service dict {
  unix_listener dict {
    user = vmail
  }
}
service auth-worker {
  unix_listener auth-worker {
    user = vmail
  }
}
service indexer-worker {
  unix_listener indexer-worker {
    user = vmail
  }
}
passdb passwd-file {
  master = yes
  result_success = continue
  passwd_file_path = /etc/dovecot/master-users
}
mysql db.idmz.tachtler.net {
  dbname = postfixadmin
  password = # hidden, use -P to show it
  port = 3306
  user = # hidden
passdb sql {
  auth_username_format = %{user | lower}
  default_password_scheme = PLAIN
  query = SELECT username AS user, password, 10000 AS userdb_uid, 10000 as userdb_gid, CONCAT('/srv/vmail/', maildir) AS userdb_home, CONCAT(mailbox.quota, 'B') AS quota_storage_size FROM mailbox WHERE username = (SELECT COALESCE((SELECT goto FROM alias WHERE address = '%{user | lower}' AND active = 1), '%{user | lower}')) AND active = 1
}
userdb sql {
  auth_username_format = %{user | lower}
  iterate_query = SELECT username AS user FROM mailbox WHERE active = 1
  query = SELECT CONCAT('/srv/vmail/', maildir) AS home, 10000 AS uid, 10000 AS gid, CONCAT(mailbox.quota, 'B') AS quota_storage_size FROM mailbox, domain WHERE mailbox.username = (SELECT COALESCE((SELECT goto FROM alias WHERE address = '%{user | lower}' AND active = 1), '%{user | lower}')) AND mailbox.active = 1 AND domain.domain = '%{user | domain | lower}' AND domain.active = 1
}
userdb prefetch {
}
namespace inbox {
  inbox = yes
  prefix = INBOX/
  separator = /
  type = private
  mailbox Drafts {
    auto = subscribe
    special_use = "\\Drafts"
  }
  mailbox Junk {
    auto = subscribe
    special_use = "\\Junk"
  }
  mailbox Trash {
    auto = subscribe
    special_use = "\\Trash"
    quota_storage_extra = 100M
    quota_storage_percentage = 110
  }
  mailbox Sent {
    auto = subscribe
    special_use = "\\Sent"
  }
  mailbox "Sent Messages" {
    special_use = "\\Sent"
  }
}
namespace shared {
  mail_index_path = ~/shared/%{owner_user | lower }
  mail_index_private_path = ~/shared/%{owner_user | lower }
  mail_path = %{owner_home | lower }/Maildir
  list = children
  prefix = shared/$user/
  separator = /
  subscriptions = no
  type = shared
}
service lmtp {
  user = vmail
  inet_listener lmtp {
    port = 24
    ssl = yes
    listen = 10.0.0.80 fd00::10:10:0:0:80
  }
}
service auth {
  group = vmail
  user = vmail
  inet_listener auth {
    port = 12345
    listen = 10.0.0.80 fd00::10:10:0:0:80
  }
}
ssl_server {
  cert_file = /etc/dovecot/ssl/certs/fullchain.tachtler.net.pem
  dh_file = /etc/dovecot/dh.pem
  key_file = /etc/dovecot/ssl/private/privkey.tachtler.net.pem
}
protocol imap {
  mail_max_userip_connections = 80
  mail_plugins {
    imap_quota = yes
  }
}
protocol lmtp {
  auth_ssl_require_client_cert = yes
  mail_plugins {
    sieve = yes
  }
  ssl = required
  ssl_server {
    ca_file = /etc/dovecot/ssl/certs/wildcard.idmz.tachtler.net.chain.pem
    cert_file = /etc/dovecot/ssl/certs/wildcard.idmz.tachtler.net.chain.pem
    key_file = /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
    request_client_cert = yes
    require_crl = no
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
    listen = 10.0.0.80 fd00::10:10:0:0:80
  }
}
protocol sieve {
  mail_max_userip_connections = 80
}
sieve_script personal {
  active_path = ~/.dovecot.sieve
  driver = file
  path = ~/sieve
}
acl_sharing_map {
  dict file {
    path = /var/lib/dovecot/db/shared-mailboxes.db
  }
}
quota user {
  driver = count
  quota_warning warn-95 {
    quota_storage_percentage = 95
    execute quota-warning {
      args = 95 %{user}
    }
  }
  quota_warning warn-80 {
    quota_storage_percentage = 80
    execute quota-warning {
      args = 80 %{user}
    }
  }
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  user = vmail
  unix_listener quota-warning {
    user = vmail
  }
}
service quota-status {
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is over quota
  quota_status_success = DUNNO
  client_limit = 1
  executable = quota-status -p postfix
  inet_listener postfix {
    port = 12340
    listen = 10.0.0.80 fd00::10:10:0:0:80
  }
}
service stats {
  unix_listener stats-reader {
    user = vmail
  }
  unix_listener stats-writer {
    user = vmail
  }
}
dict_server {
  dict mysql {
    driver = sql
    sql_driver = mysql
    dict_map priv/quota/messages {
      sql_table = quota2
      username_field = username
      dict_map_value_field messages {
      }
    }
    dict_map priv/quota/storage {
      sql_table = quota2
      username_field = username
      dict_map_value_field bytes {
      }
    }
  }
}
quota_clone {
  dict proxy {
    name = mysql
  }
}
---- >% ----
Greetings Klaus.
On 4/2/26 11:38, Timo Sirainen wrote:
On 2. Apr 2026, at 12.33, Timo Sirainen via dovecot <dovecot@dovecot.org> wrote:
On 2. Apr 2026, at 12.14, Klaus Tachtler via dovecot <dovecot@dovecot.org> wrote:
ssl_client_key_file = /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
dovecot[9510]: auth: Error: mysql(db.idmz.tachtler.net): Connect failed to database (postfixadmin): File '/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem' not found (Errcode: -280287320) - waiting for 1 seconds before retry
This error appears 5 times in the log.
However, the file does exist:
ls -la /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
-r-------- 1 dovecot dovecot 1703 Feb 27 09:55 /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
I had already set the ownership to root:root, but the key file is still not found, even though it's definitely there.
By default the auth process runs as the default_internal_user, i.e. the dovecot user. Maybe the MariaDB client library reports "not found" instead of the correct "permission denied" error. Try changing the key file's owner to dovecot, or setting service auth { user=root }
Oh, I didn't read the ls -l line properly. Could it be that the parent directories are not accessible (searchable) to the dovecot user?
As for:
dovecot[9974]: lmtp(10078): Warning: Leaked settings: ssl-settings.c:234
dovecot[9974]: lmtp(10078): Warning: Leaked settings: ssl-settings.c:231
I don't see how these can happen based on the code. What does your doveconf -n show? Are you connecting to LMTP over SSL?
--