On 18/04/2023 02:03 EEST Paul Kroitor paul@kroitor.ca wrote:

Hello,

It seems from this thread at letsencrypt : https://community.letsencrypt.org/t/changing-permissions-for-pem-files/19656... (see especially second post from _az) that doveadm pw now parses all files in the config, even ones not relevant to the pw aspect of the request. If it’s not able to access all the files, it terminates prematurely with exit code 89.

The result, at least for anyone using letsencrypt / certbot, is that doveadm pw fatally fails unless run as root, because the config includes the private key, which has permissions 600 root root. This makes the dovecot pw functionality unusable for web apps that want to calculate a password hash using it (e.g. RoundCube’s password change feature).

My understanding is that dovecot only really needs the private key for its main functionality, when it’s running as root, and that there’s no reason doveadm pw, which should (presumably) often be run as a regular user, needs access to it.

Is this the intended behavior, or have I got something wrong?

Thanks for all help, Paul

---

dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org

Hi!

This is a bug, but you can workaround it with

ssl=no !include_try ssl.conf

and put in ssl.conf

ssl=yes ssl_cert=

or try with 2.3.20.

Aki