1)
With 2.4.1, when a non-root user runs sievec on their own sieve scripts it fails to run due to permission denied on the dovecot certificate key (which is only readable by root).
Specifically:
sievec active.sieve
doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 10: cert_file: open(/etc/.../fullchain.pem) failed: Permission denied
What is the recommended way to deal with this?
Separate question: might this explain why users' sieve scripts are not running? I assume not, as there are no 'sieve' items reported by lmtp in the logs.
Config has:

protocol lmtp {
  postmaster_address = postmaster@<domain>.com
  mail_plugins {
    sieve = yes
  }
  hostname = imap.<domain>.com
}

sieve_script before {
  driver = file
  path = /etc/dovecot/sieve/global
  active_path = remove_dup.sieve
}

sieve_script personal {
  driver = file
  path = ~/sieve
  active_path = ~/.dovecot.sieve
}

sieve_script after {
  driver = file
  path = /etc/dovecot/sieve
  active_path = default.sieve
}
thanks.
-- Gene
On Sun, 2025-06-29 at 13:57 -0400, Genes Lists via dovecot wrote:
1)
With 2.4.1, when a non-root user runs sievec on their own sieve scripts it fails to run due to permission denied on the dovecot certificate key (which is only readable by root).
protocol lmtp {
  postmaster_address = postmaster@<domain>.com
  mail_plugins {
    sieve = yes
  }
  hostname = imap.<domain>.com
}

sieve_script before {
  driver = file
  path = /etc/dovecot/sieve/global
  active_path = remove_dup.sieve
}

sieve_script personal {
  driver = file
  path = ~/sieve
  active_path = ~/.dovecot.sieve
}

sieve_script after {
  driver = file
  path = /etc/dovecot/sieve
  active_path = default.sieve
}
I changed the cert permissions so that users can see the cert (but not the key file). Now sievec runs as non-root.
However, sieve does not get run using above configs for some reason.
Any guidance on what I need to change in my configs to get sieve working again? It was working fine under 2.3.x, but after migrating the server to 2.4.1 it no longer is. I assume I missed something in the migration, but I don't see what I've done wrong.
thanks for help.
gene
-- Gene
On Sun, 2025-06-29 at 15:04 -0400, Genes Lists via dovecot wrote:
On Sun, 2025-06-29 at 13:57 -0400, Genes Lists via dovecot wrote:
... sieve_script after { driver = file path = /etc/dovecot/sieve active_path = default.sieve }
I am not yet sure, but I just renamed the "after" file from default.sieve to after.sieve. I will know later, but looks like personal scripts might just possibly be working after that.
Not sure that makes any sense but ...
fingers crossed.
g
-- Gene
On Sun, 2025-06-29 at 16:25 -0400, Genes Lists via dovecot wrote:
On Sun, 2025-06-29 at 15:04 -0400, Genes Lists via dovecot wrote:
On Sun, 2025-06-29 at 13:57 -0400, Genes Lists via dovecot wrote:
I am not yet sure, but I just renamed the "after" file from default.sieve to after.sieve. I will know later, but looks like personal scripts might just possibly be working after that.
Not sure that makes any sense but ...
fingers crossed.
I can confirm now that after renaming the "after" script file from default to something else - everything is running as usual.
The lesson I came away with:
1) Do not use the filename 'default.sieve' for anything (other than possibly a default script).
2) Ensure that the certificate file is readable by all users, otherwise sievec will fail for non-root users.
-- Gene
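An added example, not from the thread or from Dovecot's own tooling: a POSIX shell check for the second lesson above, verifying that the certificate Dovecot's 10-ssl.conf points to is world-readable (so sievec run by an unprivileged user can load the configuration) while the private key stays readable by its owner only. It assumes GNU stat (Linux) and takes the two file paths as arguments; the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: audit the permission bits of a Dovecot TLS certificate and key.
# Assumes GNU coreutils stat (Linux). Only mode bits are inspected, so it can be
# run by any user who can stat the files.

# mode_of FILE -> prints the octal permission bits, e.g. 644
mode_of() {
    stat -c '%a' "$1"
}

# cert_world_readable FILE -> exit 0 if "other" has the read bit set
cert_world_readable() {
    m=$(mode_of "$1") || return 2
    o=$(( m % 10 ))          # last octal digit: permissions for "other"
    [ $(( o & 4 )) -ne 0 ]   # read bit is 4
}

# key_private FILE -> exit 0 if neither group nor other can read the key
key_private() {
    m=$(mode_of "$1") || return 2
    g=$(( (m / 10) % 10 ))   # middle digit: group
    o=$(( m % 10 ))          # last digit: other
    [ $(( g & 4 )) -eq 0 ] && [ $(( o & 4 )) -eq 0 ]
}

# check_tls_files CERT KEY -> exit 0 only if cert is world-readable AND key is
# owner-only; prints one line per finding.
check_tls_files() {
    rc=0
    if cert_world_readable "$1"; then
        echo "ok: $1 is world-readable (mode $(mode_of "$1"))"
    else
        echo "problem: $1 is not world-readable; sievec run as non-root will get Permission denied"
        rc=1
    fi
    if key_private "$2"; then
        echo "ok: $2 is readable by owner only (mode $(mode_of "$2"))"
    else
        echo "problem: $2 is readable by group or others; the private key should be owner-only"
        rc=1
    fi
    return $rc
}

# Usage (placeholder paths): check_tls_files /path/to/fullchain.pem /path/to/privkey.pem
```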
On June 30, 2025 1:44:44 PM GMT+02:00, Genes Lists via dovecot <dovecot@dovecot.org> wrote:
On Sun, 2025-06-29 at 16:25 -0400, Genes Lists via dovecot wrote:
On Sun, 2025-06-29 at 15:04 -0400, Genes Lists via dovecot wrote:
On Sun, 2025-06-29 at 13:57 -0400, Genes Lists via dovecot wrote:
I am not yet sure, but I just renamed the "after" file from default.sieve to after.sieve. I will know later, but looks like personal scripts might just possibly be working after that.
Not sure that makes any sense but ...
fingers crossed.
I can confirm now that after renaming the "after" script file from default to something else - everything is running as usual.
The lesson I came away with:
1) Do not use the filename 'default.sieve' for anything (other than possibly a default script).
2) Ensure that the certificate file is readable by all users, otherwise sievec will fail for non-root users.
Regarding your point about the certificate, there has been some discussion lately. This one here comes to mind https://marc.info/?l=dovecot&m=175000552515204&w=2
-- Christian Kivalo
On Mon, 2025-06-30 at 14:41 +0200, Christian Kivalo via dovecot wrote:
... possibly a default script). 2) Ensure that the certificate file is readable by all users, otherwise sievec will fail for non-root users.
Regarding your point about the certificate, there has been some discussion lately. This one here comes to mind https://marc.info/?l=dovecot&m=175000552515204&w=2
-- Christian Kivalo
Thank you. Somehow I did not pay attention to that at the time. At least the error message makes it clear what the source of the problem is.
-- Gene