Re: deliver fails because of a permission issue with SSL private key file

17 Feb 2026

      Am 17.02.26 um 16:38 schrieb Markus Schönhaber via dovecot:
...
17.02.26, 16:26 +0100, Aki Tuomi via dovecot:
...
This looks more like syntax error than permission error.
Then please tell me: what exactly is wrong syntax-wise?
And why is no syntax error reported but "Permission denied"?
And is the syntax error expected to go away, if I make the private key
file world readable?
Because if I do, delivery works fine.
...
Regards
mks
...
Aki
 On 17/02/2026 17:19 EET Markus Schoenhaber via dovecot
 &lt;[1]dovecot@dovecot.org> wrote:

 Hi,

 I'm trying to make Postfix hand incoming mail to Dovecot by using
 Dovecot's deliver. But this fails with a permission error:

   Feb 17 15:50:12 debian13-cont postfix/pipe[13133]: 171C17206:
   to=&lt;[2]recipient@dest.examle.org>, relay=dovecot, delay=0.17,
   delays=0.1/0/0/0.07, dsn=5.3.0, status=bounced (Command died with
   status 89: "/usr/lib/dovecot/deliver". Command output: doveconf:
   Fatal: Error in configuration file /etc/dovecot/certs.conf line 3:
   key_file: open(/etc/ssl/private/ssl-cert-snakeoil.key) failed:
   Permission denied )

 How can I solve this (short of making the private key file world
 readable, of course)?

 Regards
 mks

 I have this in Postfix' master.cf:

   dovecot unix - n n - - pipe
   flags=DROhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -e -f
   ${sender} -a ${recipient} -d ${user}@${domain}

 # LANG=C id vmail
 uid=501(vmail) gid=501(vmail) groups=501(vmail),104(ssl-cert)

 # LANG=C ls -l /etc/ssl/private/
 total 4
 -rw-r----- 1 root ssl-cert 1704 Feb 4 17:15 ssl-cert-snakeoil.key

 # doveconf -n
 # 2.4.2-2+debian13 (0962ed2104): /etc/dovecot/dovecot.conf
 # Pigeonhole version 2.4.2-2+debian13 (767418c3)
 # OS: Linux 6.19.0-2-MANJARO x86_64 Debian 13.3 btrfs
 # Hostname: debian13-cont
 dovecot_config_version = 2.4.2
 dovecot_storage_version = 2.4.2
 log_debug = category=sql
 mail_driver = sdbox
 mail_gid = vmail
 mail_home = /var/spool/vmail/home/%{user | domain}/%{user | username}
 mail_path = /var/spool/vmail/mail/%{user | domain}/%{user | username}
 mail_plugins {
 quota = yes
 }
 mail_uid = vmail
 protocols = imap lmtp sieve
 sql_driver = mysql
 mysql localhost {
 dbname = postfixadmin
 password = # hidden, use -P to show it
 user = postfixadmin
 }
 passdb sql {
 query = SELECT 'vmail' AS userdb_uid, 'vmail' AS userdb_gid,
 CONCAT('/var/spool/vmail/home/', maildir) AS userdb_home, CONCAT(quota,
 'B') AS userdb_quota_storage_size, username AS user, password FROM
 mailbox WHERE username = '%{user}' AND active = '1';
 }
 userdb prefetch {
 }
 userdb sql {
 iterate_query = SELECT username AS user FROM mailbox WHERE active = '1';
 query = SELECT 'vmail' AS uid, 'vmail' AS gid,
 CONCAT('/var/spool/vmail/home/', maildir) AS home, CONCAT(quota, 'B') AS
 quota_storage_size, username AS user, password FROM mailbox WHERE
 username = '%{user}' AND active = '1';
 }
 namespace inbox {
 inbox = yes
 separator = /
 mailbox Drafts {
 special_use = "\\Drafts"
 }
 mailbox Entwuerfe {
 special_use = "\\Drafts"
 }
 mailbox Junk {
 special_use = "\\Junk"
 }
 mailbox Trash {
 special_use = "\\Trash"
 }
 mailbox "Geloeschte Objekte" {
 special_use = "\\Trash"
 }
 mailbox Sent {
 special_use = "\\Sent"
 }
 mailbox "Gesendete Objekte" {
 special_use = "\\Sent"
 }
 }
 service auth {
 inet_listener tcp_auth {
 port = 12345
 }
 unix_listener /var/spool/postfix/private/auth {
 group = postfix
 mode = 0666
 user = postfix
 }
 }
 service auth-worker {
 }
 ssl_server {
 cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 }
 protocol imap {
 mail_plugins {
 imap_quota = yes
 }
 }
 quota "User quota" {
 }
 dict_server {
 dict mysql {
 driver = sql
 sql_driver = mysql
 dict_map priv/quota/messages {
 sql_table = quota
 username_field = username
 dict_map_value_field messages {
 }
 }
 dict_map priv/quota/storage {
 sql_table = quota
 username_field = username
 dict_map_value_field bytes {
 }
 }
 }
 }
 quota_clone {
 dict proxy {
 name = mysql
 }
 }

 _______________________________________________
 dovecot mailing list -- [3]dovecot@dovecot.org
 To unsubscribe send an email to [4]dovecot-leave@dovecot.org
References
Visible links

mailto:dovecot@dovecot.org
mailto:recipient@dest.examle.org
mailto:dovecot@dovecot.org
mailto:dovecot-leave@dovecot.org

dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-leave@dovecot.org

dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-leave@dovecot.org