Hi,

I have a self signed certificate for dovecot:

[root@rakete] /etc/dovecot

ll

insgesamt 12K -rwxr-xr-x 1 root root 1,7K 2026-01-09@09:56 dovecot.conf -rw-r----- 1 root root 1,4K 2026-01-09@09:54 dovecot.crt -rw-r----- 1 root root 1,7K 2026-01-09@09:54 dovecot.key

in dovecot.conf I have:

ssl_server { cert_file = /etc/dovecot/dovecot.crt key_file = /etc/dovecot/dovecot.key }

This works fine for the evolution email client. But when I want to use dovecot-lda as part of my getmail6 config I get a permission denied:

getmail --rcfile dogado-rc -n -v

getmail version 6.19.10 Copyright (C) 1998-2025 Charles Cazabon and others. Licensed under GPL-2.0. SimpleIMAPSSLRetriever:bodenbinder_de_9@imap.dogado.net:993: Delivery error (command dovecot-lda 1510042 error (89, doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 51: cert_file: open(/etc/dovecot/dovecot.crt) failed: Permission denied)) [INBOX] msg 1/1 (1392 bytes), delivery error (command dovecot-lda 1510042 error (89, doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 51: cert_file: open(/etc/dovecot/dovecot.crt) failed: Permission denied)) 1 messages (1392 bytes) retrieved, 0 skipped

dogado-rc has this delivery section:

[destination] type = MDA_external path = /usr/lib/dovecot/dovecot-lda arguments = ("-d", "matthias")

When I change ownership of the certificate files it works:

chown root:matthias /etc/dovecot/dovecot.crt /etc/dovecot/dovecot.key

[root@rakete] /etc/dovecot

ll /etc/dovecot/dovecot.crt /etc/dovecot/dovecot.key

-rw-r----- 1 root matthias 1,4K 2026-01-09@09:54 /etc/dovecot/dovecot.crt -rw-r----- 1 root matthias 1,7K 2026-01-09@09:54 /etc/dovecot/dovecot.key

If I do not change permissions for dovecot.key I get a similar error for that file too.

But can this be the solution? That would mean that I need to give read access to the crt/key file to every user who wants to use dovecot-lda. Is that correct?

Matthias