1)
With 2.4.1, when a non-root user runs sievec on their own sieve scripts it fails to run due to permission denied on the dovecot certificate key (which is only readable by root).
Specifically:
sievec active.sieve doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10- ssl.conf line 10: cert_file: open(/etc/.../fullchain.pem) failed: Permission denied
What is recommended way to deal with this?
Separate question: Might this explain why users sieve scripts are not running? I assume not as there are no 'sieve' items reported by lmtp in the logs.
Config has:
protocol lmtp { postmaster_address = postmaster@<domain>.com mail_plugins { sieve = yes } hostname = imap.<domain>.com }
sieve_script before { driver = file path = /etc/dovecot/sieve/global active_path = remove_dup.sieve }
sieve_script personal { driver = file path = ~/sieve active_path = ~/.dovecot.sieve }
sieve_script after { driver = file path = /etc/dovecot/sieve active_path = default.sieve }
thanks.
-- Gene
On Sun, 2025-06-29 at 13:57 -0400, Genes Lists via dovecot wrote:
1)
With 2.4.1, when a non-root user runs sievec on their own sieve scripts it fails to run due to permission denied on the dovecot certificate key (which is only readable by root).
protocol lmtp { postmaster_address = postmaster@<domain>.com mail_plugins { sieve = yes } hostname = imap.<domain>.com } sieve_script before { driver = file path = /etc/dovecot/sieve/global active_path = remove_dup.sieve } sieve_script personal { driver = file path = ~/sieve active_path = ~/.dovecot.sieve } sieve_script after { driver = file path = /etc/dovecot/sieve active_path = default.sieve }
I changed the cert permissions so that users can see the cert (but not the key file). Now sievec runs as non-root.
However, sieve does not get run using above configs for some reason.
Any guidance on what I need to change in my configs to get sieve working again - it was working fine under 2.3.x but after migrating server to 2.4.1 it is no longer. I assume I missed something in the migration but I don't see what I've done wrong.
thanks for help.
gene
-- Gene
On Sun, 2025-06-29 at 13:57 -0400, Genes Lists via dovecot wrote: 1)
With 2.4.1, when a non-root user runs sievec on their own sieve
scripts
it fails to run due to permission denied on the dovecot certificate
key
(which is only readable by root).protocol lmtp { postmaster_address = postmaster@<domain>.com mail_plugins { sieve = yes } hostname = imap.<domain>.com } sieve_script before { driver = file path = /etc/dovecot/sieve/global active_path = remove_dup.sieve } sieve_script personal { driver = file path = ~/sieve active_path = ~/.dovecot.sieve } sieve_script after { driver = file path = /etc/dovecot/sieve active_path = default.sieve }
I changed the cert permissions so that users can see the cert (but not the key file). Now sievec runs as non-root.
However, sieve does not get run using above configs for some reason.
Any guidance on what I need to change in my configs to get sieve working again
- it was working fine under 2.3.x but after migrating server to 2.4.1 it is no longer. I assume I missed something in the migration but I don't see what I've done wrong.
thanks for help.
gene
-- Gene
On Sun, 2025-06-29 at 15:04 -0400, Genes Lists via dovecot wrote:
On Sun, 2025-06-29 at 13:57 -0400, Genes Lists via dovecot wrote:
... sieve_script after { driver = file path = /etc/dovecot/sieve active_path = default.sieve }
I am not yet sure, but I just renamed the "after" file from default.sieve to after.sieve. I will know later, but looks like personal scripts might just possibly be working after that.
Not sure that makes any sense but ...
fingers crossed.
g
-- Gene
On Sun, 2025-06-29 at 15:04 -0400, Genes Lists via dovecot wrote: On Sun, 2025-06-29 at 13:57 -0400, Genes Lists via dovecot wrote: ... sieve_script after { driver = file path = /etc/dovecot/sieve active_path = default.sieve }
I am not yet sure, but I just renamed the "after" file from default.sieve to after.sieve. I will know later, but looks like personal scripts might just possibly be working after that.
Not sure that makes any sense but ...
fingers crossed.
g
-- Gene
On Sun, 2025-06-29 at 16:25 -0400, Genes Lists via dovecot wrote:
On Sun, 2025-06-29 at 15:04 -0400, Genes Lists via dovecot wrote:
On Sun, 2025-06-29 at 13:57 -0400, Genes Lists via dovecot wrote:
I am not yet sure, but I just renamed the "after" file from default.sieve to after.sieve. I will know later, but looks like personal scripts might just possibly be working after that.
Not sure that makes any sense but ...
fingers crossed.
I can confirm now that after renaming the "after" script file from default to something else - everything is running as usual.
The lesson I came away with:
1) do not use the filename 'default.sieve' for anything (other than possibly a default script). 2) ensure that certificate file must readable by all users, otherwise sievec will fail for non-root.
-- Gene
On Sun, 2025-06-29 at 16:25 -0400, Genes Lists via dovecot wrote: On Sun, 2025-06-29 at 15:04 -0400, Genes Lists via dovecot wrote: On Sun, 2025-06-29 at 13:57 -0400, Genes Lists via dovecot wrote:
I am not yet sure, but I just renamed the "after" file from
default.sieve to
after.sieve.
I will know later, but looks like personal scripts might just
possibly be
working after that.
Not sure that makes any sense but ...
fingers crossed.I can confirm now that after renaming the "after" script file from default to something else - everything is running as usual.
The lesson I came away with:
1) do not use the filename 'default.sieve' for anything (other than possibly a default script). 2) ensure that certificate file must readable by all users, otherwise sievec will fail for non-root.
-- Gene
On June 30, 2025 1:44:44 PM GMT+02:00, Genes Lists via dovecot <dovecot@dovecot.org> wrote:
On Sun, 2025-06-29 at 16:25 -0400, Genes Lists via dovecot wrote:
On Sun, 2025-06-29 at 15:04 -0400, Genes Lists via dovecot wrote:
On Sun, 2025-06-29 at 13:57 -0400, Genes Lists via dovecot wrote:
I am not yet sure, but I just renamed the "after" file from default.sieve to after.sieve. I will know later, but looks like personal scripts might just possibly be working after that.
Not sure that makes any sense but ...
fingers crossed.
I can confirm now that after renaming the "after" script file from default to something else - everything is running as usual.
The lesson I came away with:
1) do not use the filename 'default.sieve' for anything (other than possibly a default script). 2) ensure that certificate file must readable by all users, otherwise sievec will fail for non-root.
Regarding your point about the certificate, there has been some discussion lately. This one here comes to mind https://marc.info/?l=dovecot&m=175000552515204&w=2
-- Christian Kivalo
On Mon, 2025-06-30 at 14:41 +0200, Christian Kivalo via dovecot wrote:
... possibly a default script). 2) ensure that certificate file must readable by all users, otherwise sievec will fail for non-root.
Regarding your point about the certificate, there has been some discussion lately. This one here comes to mind https://marc.info/?l=dovecot&m=175000552515204&w=2
-- Christian Kivalo
Thank you - somehow I did not pay attention to that at the time. At least the error message makes it clear what the source of the problem is.
-- Gene
participants (2)
-
Christian Kivalo
-
Genes Lists