Doveadm error since 2.3.11.3 when run as unprivileged user - dovecot - dovecot.org

newer
2.3.11.3: dsync failure

Doveadm error since 2.3.11.3 when run as unprivileged user

older
User doesn't exist

Arjen de Korte

13 Aug 2020 13 Aug '20

noon

I allow users to run 'doveadm' for mailbox maintenance (to expunge
mail for instance). Since the upgrade to 2.3.11.3, this no longer
works and results in the following error message:

doveconf: Fatal: Error in configuration file
/etc/dovecot/conf.d/10-ssl.conf line 13: ssl_key: Can't open file
/etc/ssl/private/de-korte.org.key: Permission denied

This is no surprise, as non-privileged users are not allowed to read
the private keys of the server. Question is, why is doveadm trying to
read this key in the first place (it is not needed for mailbox
maintenance) and why is it failing now?

Regards, Arjen

Reply

Sign in to reply online Use email software

Show replies by date

Timo Sirainen

13 Aug 13 Aug

12:29 p.m.

On 13. Aug 2020, at 11.00, Arjen de Korte <build+dovecot@de-korte.org> wrote:

There were some ssl setting handling cleanups in v2.3.11, which caused this. I guess the proper fix for this would be to split SSL client settings and SSL server settings. So doveadm would still read the SSL client settings without trying to read the SSL server settings and failing there.

Reply

Sign in to reply online Use email software

Timo Sirainen

3:30 p.m.

On 13. Aug 2020, at 11.29, Timo Sirainen <timo@sirainen.com> wrote:

As a workaround, it should be possible to put the ssl_key into a separate config file and use !Include_try for it. For example in dovecot.conf:

!include_try ssl-keys.conf

Reply

Sign in to reply online Use email software

Arjen de Korte

10:16 p.m.

Citeren Timo Sirainen <timo@sirainen.com>:

That will only work to include an optional configuration file and
suppress errors if it doesn't exist. I put

ssl_key = </etc/ssl/private/de-korte.org.key

in a separate configuration file and it failed in a similar fashion,
just with another filename.

Reply

Sign in to reply online Use email software

Josef 'Jeff' Sipek

10:38 p.m.

On Thu, Aug 13, 2020 at 21:16:42 +0200, Arjen de Korte wrote:

I think the idea was that the file with the ssl_key line was only root-readable. That way, non-privilged users will fail to include the file.

Is that what you tried?

Jeff.

-- I think there is a world market for maybe five computers. - Thomas Watson, chairman of IBM, 1943.

Reply

Sign in to reply online Use email software

Arjen de Korte

10:55 p.m.

Citeren Josef 'Jeff' Sipek <jeff.sipek@open-xchange.com>:

No, but you put me on the right track.

What is needed is to !include_try the whole previous SSL configuration
file only for root and to precede this by an include for a new one
which disables SSL completely. So first SSL will be disabled for all
users (including root) and only for root, the SSL configuration will
be loaded after that.

Reply

Sign in to reply online Use email software

Dan Christensen

15 Aug 15 Aug

4:05 p.m.

On Aug 13, 2020, Josef 'Jeff' Sipek <jeff.sipek@open-xchange.com> wrote:

This worked for me. As mentioned, I had to make the new .conf file readable only by root.

Dan

Reply

Sign in to reply online Use email software

1788

Age (days ago)

1790

Last active (days ago)

6 comments

4 participants

tags

participants (4)

Arjen de Korte
Dan Christensen
Josef 'Jeff' Sipek
Timo Sirainen