BUG-Report: mysql: SSL support not compiled in (remove ssl_client_ca_file and ssl_client_ca_dir settings) third attempt!
Hello everyone,
Problem info:
An error occurs while trying to establish a TLS/SSL-secured connection to a database (mariadb) that is able to accept TLS/SSL connections.
Analysis from the Archlinux GitLab issue, which can be found under the following link, by Toolybird:
https://gitlab.archlinux.org/archlinux/packaging/packages/dovecot/-/issues/1...
Thanks for reporting. It would appear to be some kind of (upstream?) bug in the autofoo. The error message can be traced back to HAVE_MYSQL_SSL being undefined when it should be defined. This is reflected in log:
https://reproducible.archlinux.org/api/v0/builds/946041/log
It took quite some debugging, but adding the following hack before the autoreconf call appears to make it work:
checking for mysql_ssl_set in -llibmariadb... no
sed -i 's/mysql_driver="libmariadb"/mysql_driver="mariadb"/' m4/want_mysql.m4
After that it now shows:
checking for mysql_ssl_set in -lmariadb... yes
Steps to reproduce:
- Configure dovecot 2.4.2-4 as described below
- Restart dovecot 2.4.2-4
- Try to send an email (echo "Test-E-Mail" | /usr/sbin/sendmail root)
- Look for the error messages in the dovecot 2.4.2-4 log
Dec 22 04:57:38 server dovecot[842]: auth: Error: mysql(db.idmz.tachtler.net): mysql: SSL support not compiled in (remove ssl_client_ca_file and ssl_client_ca_dir settings)
Dec 22 04:57:38 server dovecot[842]: auth-worker: Error: mysql(db.idmz.tachtler.net): mysql: SSL support not compiled in (remove ssl_client_ca_file and ssl_client_ca_dir settings)
Additional info:
OS version: Archlinux
package version(s): dovecot 2.4.2-4
necessary config file part:
sql_driver = mysql

mysql db.idmz.tachtler.net {
  host = db.idmz.tachtler.net
  port = 3306
  user = postfixuser
  password = secret
  dbname = postfix
  ssl = yes
  ssl_client_ca_file = /etc/dovecot/ssl/certs/CAcert.pem
  ssl_client_cert_file = /etc/dovecot/ssl/certs/client.idmz.tachtler.net.pem
  ssl_client_key_file = /etc/dovecot/ssl/private/client.idmz.tachtler.net.key.pem
  ssl_cipher_list = DHE-RSA-AES256-SHA
}
WITHOUT the following lines, a database connection is possible and works as expected:
  ssl = yes
  ssl_client_ca_file = /etc/dovecot/ssl/certs/CAcert.pem
  ssl_client_cert_file = /etc/dovecot/ssl/certs/client.idmz.tachtler.net.pem
  ssl_client_key_file = /etc/dovecot/ssl/private/client.idmz.tachtler.net.key.pem
  ssl_cipher_list = DHE-RSA-AES256-SHA
Thank you in advance for your help! Klaus Tachtler.
--
e-Mail : klaus@tachtler.net Homepage: https://www.tachtler.net DokuWiki: https://dokuwiki.tachtler.net
On 1. Apr 2026, at 10.23, Klaus Tachtler via dovecot <dovecot@dovecot.org> wrote:
An error occurs, while trying to establish a TLS/SSL secured connection to a database (mariadb), which has the ability to accept TLS/SSL connections.
..
It took quite some debugging, but adding the following hack before the autoreconf call appears to make it work: checking for mysql_ssl_set in -llibmariadb... no
Can you verify if the attached patch works?
Hi Timo,
I tried out the mariadb.patch you sent. It fixed the original issue, BUT there is a problem with the configuration parameter:
ssl_client_key_file = /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
dovecot[9510]: auth: Error: mysql(db.idmz.tachtler.net): Connect failed to database (postfixadmin): File '/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem' not found (Errcode: -280287320) - waiting for 1 seconds before retry
5 times inside the log.
However, the file does exist:
ls -la /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
-r-------- 1 dovecot dovecot 1703 Feb 27 09:55 /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
I had already set the ownership to root:root, but the key file is still not found, even though it's definitely there.
I hope there’s a solution to this problem as well.
Thank you in advance,
Best regards, Klaus.
On 4/1/26 14:32, Timo Sirainen wrote:
On 1. Apr 2026, at 10.23, Klaus Tachtler via dovecot <dovecot@dovecot.org> wrote:
An error occurs, while trying to establish a TLS/SSL secured connection to a database (mariadb), which has the ability to accept TLS/SSL connections.
..
It took quite some debugging, but adding the following hack before the autoreconf call appears to make it work: checking for mysql_ssl_set in -llibmariadb... no
Can you verify if the attached patch works?
Hi Timo,
One more thing — there are two additional WARNINGS inside the log:
dovecot[9974]: lmtp(10078): Warning: Leaked settings: ssl-settings.c:234
dovecot[9974]: lmtp(10078): Warning: Leaked settings: ssl-settings.c:231
Best regards, Klaus.
On 4/2/26 11:14, Klaus Tachtler via dovecot wrote:
Hi Timo,
I tried out the mariadb.patch you sent. While it fixed the original issue, BUT there is a problem with the configuration parameter:
ssl_client_key_file = /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
dovecot[9510]: auth: Error: mysql(db.idmz.tachtler.net): Connect failed to database (postfixadmin): File '/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem' not found (Errcode: -280287320) - waiting for 1 seconds before retry
5 times inside the log.
However, the file does exist:
ls -la /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
-r-------- 1 dovecot dovecot 1703 Feb 27 09:55 /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
I had already set the ownership to root:root, but the key file is still not found, even though it's definitely there.
I hope there’s a solution to this problem as well.
Thank you in advance,
Best regards, Klaus.
On 4/1/26 14:32, Timo Sirainen wrote:
On 1. Apr 2026, at 10.23, Klaus Tachtler via dovecot <dovecot@dovecot.org> wrote:
An error occurs, while trying to establish a TLS/SSL secured connection to a database (mariadb), which has the ability to accept TLS/SSL connections.
..
It took quite some debugging, but adding the following hack before the autoreconf call appears to make it work: checking for mysql_ssl_set in -llibmariadb... no
Can you verify if the attached patch works?
On 2. Apr 2026, at 12.14, Klaus Tachtler via dovecot <dovecot@dovecot.org> wrote:
ssl_client_key_file = /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
dovecot[9510]: auth: Error: mysql(db.idmz.tachtler.net): Connect failed to database (postfixadmin): File '/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem' not found (Errcode: -280287320) - waiting for 1 seconds before retry
5 times inside the log.
However, the file does exist:
ls -la /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
-r-------- 1 dovecot dovecot 1703 Feb 27 09:55 /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
I had already set the ownership to root:root, but the key file is still not found, even though it's definitely there.
By default auth process runs as default_internal_user = dovecot user. Maybe mariadb library gives "not found" error instead of the correct "permission denied" error. Try changing its owner to dovecot, or setting service auth { user=root }
On 2. Apr 2026, at 12.33, Timo Sirainen via dovecot <dovecot@dovecot.org> wrote:
On 2. Apr 2026, at 12.14, Klaus Tachtler via dovecot <dovecot@dovecot.org> wrote:
ssl_client_key_file = /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
dovecot[9510]: auth: Error: mysql(db.idmz.tachtler.net): Connect failed to database (postfixadmin): File '/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem' not found (Errcode: -280287320) - waiting for 1 seconds before retry
5 times inside the log.
However, the file does exist:
ls -la /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
-r-------- 1 dovecot dovecot 1703 Feb 27 09:55 /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
I had already set the ownership to root:root, but the key file is still not found, even though it's definitely there.
By default auth process runs as default_internal_user = dovecot user. Maybe mariadb library gives "not found" error instead of the correct "permission denied" error. Try changing its owner to dovecot, or setting service auth { user=root }
Oh, didn't read properly the ls -l line. Could it be the parent directories are not accessible to dovecot user?
As for:
dovecot[9974]: lmtp(10078): Warning: Leaked settings: ssl-settings.c:234
dovecot[9974]: lmtp(10078): Warning: Leaked settings: ssl-settings.c:231
I don't see how these can happen based on the code. What's your doveconf -n? Are you connecting to LMTP using SSL?
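The situation Timo describes (an auth process running as an unprivileged user, a library that reports "not found" for what is really a permission problem, and his follow-up question about parent directories) as an added check; this is not code from the thread or from Dovecot. It replays the kernel's owner/group/other permission walk for a chosen uid over a constructed snapshot of the /etc/dovecot/ssl tree; the numeric ids, the snapshot contents and the `service auth { user = vmail }` assumption (which Klaus's doveconf -n further down confirms) are assumptions mirroring the ls -l output posted in the thread.

```python
"""Added example, not code from the thread or from Dovecot: replay the
kernel's DAC path check for a given uid/gid over a constructed snapshot of
the /etc/dovecot/ssl tree, to show why an auth process running as vmail
gets EACCES on a dovecot-owned 0400 key file while the MariaDB client
reports the misleading "File ... not found".
"""

# Assumed numeric ids; only their (in)equality matters for the check.
ROOT, DOVECOT, VMAIL = 0, 97, 10000

KEY = "/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem"

# Constructed snapshot: path -> (owner uid, group gid, st_mode), mirroring
# "drwxr-xr-x root root" directories and the "-r-------- dovecot dovecot" key.
TREE_BEFORE = {
    "/etc": (ROOT, ROOT, 0o040755),
    "/etc/dovecot": (ROOT, ROOT, 0o040755),
    "/etc/dovecot/ssl": (ROOT, ROOT, 0o040755),
    "/etc/dovecot/ssl/private": (ROOT, ROOT, 0o040755),
    KEY: (DOVECOT, DOVECOT, 0o100400),
}
# Same tree after the fix that worked in the thread: key chowned to vmail.
TREE_AFTER = {**TREE_BEFORE, KEY: (VMAIL, VMAIL, 0o100400)}
# Variant for Timo's "parent directories not accessible" question.
TREE_PRIVATE_DIR_0700 = {**TREE_AFTER,
                         "/etc/dovecot/ssl/private": (ROOT, ROOT, 0o040700)}

BITS = {"r": 4, "w": 2, "x": 1}


def dac_allows(entry, uid, gids, perm):
    """Classic owner/group/other check for one permission letter."""
    owner, group, mode = entry
    if uid == 0:
        return True  # root bypasses DAC (CAP_DAC_OVERRIDE); simplified
    if uid == owner:
        shift = 6
    elif group in gids:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & BITS[perm])


def check_path_access(path, uid, gids, tree):
    """Walk the path like the kernel does: every directory needs the search
    (x) bit, the final file needs the read (r) bit.
    Returns (ok, failing_path, errno_name)."""
    components = [p for p in path.split("/") if p]
    current = ""
    for i, part in enumerate(components):
        current += "/" + part
        if current not in tree:
            return False, current, "ENOENT"
        perm = "r" if i == len(components) - 1 else "x"
        if not dac_allows(tree[current], uid, gids, perm):
            return False, current, "EACCES"
    return True, None, None


def explain(path, uid, gids, tree):
    """One-line diagnosis that separates a missing file from a permission
    problem on the file itself or on a parent directory."""
    ok, where, err = check_path_access(path, uid, gids, tree)
    if ok:
        return f"uid {uid} can open {path}"
    if err == "ENOENT":
        return f"{where} really does not exist"
    kind = "file" if where == path else "parent directory"
    return f"EACCES on {kind} {where} for uid {uid}: fix owner/mode, not the path"


if __name__ == "__main__":
    for name, tree in [("before", TREE_BEFORE), ("after chown", TREE_AFTER),
                       ("private 0700", TREE_PRIVATE_DIR_0700)]:
        print(f"{name:>13}: {explain(KEY, VMAIL, {VMAIL}, tree)}")
```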
Hi Timo,
first of all, thank you for your patience.
Here is my directory structure with ownership and file permissions:
ls -lad /etc/dovecot/ssl/
drwxr-xr-x 1 root root 24 Feb 27 09:55 /etc/dovecot/ssl/
ls -l /etc/dovecot/ssl/
total 0
drwxr-xr-x 1 root root 204 Feb 27 09:55 certs
drwxr-xr-x 1 root root 116 Feb 27 09:55 private
ls -l /etc/dovecot/ssl/certs/wildcard.idmz.tachtler.net.chain.pem
-r--r--r-- 1 dovecot dovecot 11627 Feb 27 09:55 /etc/dovecot/ssl/certs/wildcard.idmz.tachtler.net.chain.pem
ls -l /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
-r-------- 1 dovecot dovecot 1703 Feb 27 09:55 /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
And my doveconf -n:
---- %< ----
doveconf -n
2.4.3 (e278b1e09b): /etc/dovecot/dovecot.conf
Pigeonhole version 2.4.3 (0bf9ee48)
OS: Linux 6.18.20-1-lts x86_64
Hostname: vml080.idmz.tachtler.net
dovecot_config_version = 2.4.3
acl_driver = vfile
auth_master_user_separator = *
auth_mechanisms = plain digest-md5 cram-md5 login
auth_verbose = yes
dovecot_storage_version = 2.4.3
listen = 127.0.0.1 10.0.0.80 ::1 fd00::10:10:0:0:80
mail_attachment_detection_options =
mail_compress_write_method = zstd
mail_driver = maildir
mail_log_events = delete undelete expunge save copy mailbox_create mailbox_delete mailbox_rename
mail_log_fields = uid box msgid size vsize from
mail_path = ~/Maildir
mail_plugins {
  quota = yes
  quota_clone = yes
  mail_log = yes
  notify = yes
  mail_compress = yes
  acl = yes
}
protocols {
  imap = yes
  lmtp = yes
  sieve = yes
}
quota_storage_grace = 100M
quota_storage_size = 1G
sql_driver = mysql
ssl = required
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:!CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_cipher_suites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256
verbose_proctitle = yes
service anvil {
  unix_listener anvil {
    user = vmail
  }
}
service dict {
  unix_listener dict {
    user = vmail
  }
}
service auth-worker {
  unix_listener auth-worker {
    user = vmail
  }
}
service indexer-worker {
  unix_listener indexer-worker {
    user = vmail
  }
}
passdb passwd-file {
  master = yes
  result_success = continue
  passwd_file_path = /etc/dovecot/master-users
}
mysql db.idmz.tachtler.net {
  dbname = postfixadmin
  password = # hidden, use -P to show it
  port = 3306
  user = # hidden
}
passdb sql {
  auth_username_format = %{user | lower}
  default_password_scheme = PLAIN
  query = SELECT username AS user, password, 10000 AS userdb_uid, 10000 as userdb_gid, CONCAT('/srv/vmail/', maildir) AS userdb_home, CONCAT(mailbox.quota, 'B') AS quota_storage_size FROM mailbox WHERE username = (SELECT COALESCE((SELECT goto FROM alias WHERE address = '%{user | lower}' AND active = 1), '%{user | lower}')) AND active = 1
}
userdb sql {
  auth_username_format = %{user | lower}
  iterate_query = SELECT username AS user FROM mailbox WHERE active = 1
  query = SELECT CONCAT('/srv/vmail/', maildir) AS home, 10000 AS uid, 10000 AS gid, CONCAT(mailbox.quota, 'B') AS quota_storage_size FROM mailbox, domain WHERE mailbox.username = (SELECT COALESCE((SELECT goto FROM alias WHERE address = '%{user | lower}' AND active = 1), '%{user | lower}')) AND mailbox.active = 1 AND domain.domain = '%{user | domain | lower}' AND domain.active = 1
}
userdb prefetch {
}
namespace inbox {
  inbox = yes
  prefix = INBOX/
  separator = /
  type = private
  mailbox Drafts {
    auto = subscribe
    special_use = "\\Drafts"
  }
  mailbox Junk {
    auto = subscribe
    special_use = "\\Junk"
  }
  mailbox Trash {
    auto = subscribe
    special_use = "\\Trash"
    quota_storage_extra = 100M
    quota_storage_percentage = 110
  }
  mailbox Sent {
    auto = subscribe
    special_use = "\\Sent"
  }
  mailbox "Sent Messages" {
    special_use = "\\Sent"
  }
}
namespace shared {
  mail_index_path = ~/shared/%{owner_user | lower }
  mail_index_private_path = ~/shared/%{owner_user | lower }
  mail_path = %{owner_home | lower }/Maildir
  list = children
  prefix = shared/$user/
  separator = /
  subscriptions = no
  type = shared
}
service lmtp {
  user = vmail
  inet_listener lmtp {
    port = 24
    ssl = yes
    listen = 10.0.0.80 fd00::10:10:0:0:80
  }
}
service auth {
  group = vmail
  user = vmail
  inet_listener auth {
    port = 12345
    listen = 10.0.0.80 fd00::10:10:0:0:80
  }
}
ssl_server {
  cert_file = /etc/dovecot/ssl/certs/fullchain.tachtler.net.pem
  dh_file = /etc/dovecot/dh.pem
  key_file = /etc/dovecot/ssl/private/privkey.tachtler.net.pem
}
protocol imap {
  mail_max_userip_connections = 80
  mail_plugins {
    imap_quota = yes
  }
}
protocol lmtp {
  auth_ssl_require_client_cert = yes
  mail_plugins {
    sieve = yes
  }
  ssl = required
  ssl_server {
    ca_file = /etc/dovecot/ssl/certs/wildcard.idmz.tachtler.net.chain.pem
    cert_file = /etc/dovecot/ssl/certs/wildcard.idmz.tachtler.net.chain.pem
    key_file = /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
    request_client_cert = yes
    require_crl = no
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
    listen = 10.0.0.80 fd00::10:10:0:0:80
  }
}
protocol sieve {
  mail_max_userip_connections = 80
}
sieve_script personal {
  active_path = ~/.dovecot.sieve
  driver = file
  path = ~/sieve
}
acl_sharing_map {
  dict file {
    path = /var/lib/dovecot/db/shared-mailboxes.db
  }
}
quota user {
  driver = count
  quota_warning warn-95 {
    quota_storage_percentage = 95
    execute quota-warning {
      args = 95 %{user}
    }
  }
  quota_warning warn-80 {
    quota_storage_percentage = 80
    execute quota-warning {
      args = 80 %{user}
    }
  }
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  user = vmail
  unix_listener quota-warning {
    user = vmail
  }
}
service quota-status {
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is over quota
  quota_status_success = DUNNO
  client_limit = 1
  executable = quota-status -p postfix
  inet_listener postfix {
    port = 12340
    listen = 10.0.0.80 fd00::10:10:0:0:80
  }
}
service stats {
  unix_listener stats-reader {
    user = vmail
  }
  unix_listener stats-writer {
    user = vmail
  }
}
dict_server {
  dict mysql {
    driver = sql
    sql_driver = mysql
    dict_map priv/quota/messages {
      sql_table = quota2
      username_field = username
      dict_map_value_field messages {
      }
    }
    dict_map priv/quota/storage {
      sql_table = quota2
      username_field = username
      dict_map_value_field bytes {
      }
    }
  }
}
quota_clone {
  dict proxy {
    name = mysql
  }
}
---- >% ----
Greetings Klaus.
On 4/2/26 11:38, Timo Sirainen wrote:
On 2. Apr 2026, at 12.33, Timo Sirainen via dovecot <dovecot@dovecot.org> wrote:
On 2. Apr 2026, at 12.14, Klaus Tachtler via dovecot <dovecot@dovecot.org> wrote:
ssl_client_key_file = /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
dovecot[9510]: auth: Error: mysql(db.idmz.tachtler.net): Connect failed to database (postfixadmin): File '/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem' not found (Errcode: -280287320) - waiting for 1 seconds before retry
5 times inside the log.
However, the file does exist:
ls -la /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
-r-------- 1 dovecot dovecot 1703 Feb 27 09:55 /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
I had already set the ownership to root:root, but the key file is still not found, even though it's definitely there.
By default auth process runs as default_internal_user = dovecot user. Maybe mariadb library gives "not found" error instead of the correct "permission denied" error. Try changing its owner to dovecot, or setting service auth { user=root }
Oh, didn't read properly the ls -l line. Could it be the parent directories are not accessible to dovecot user?
As for:
dovecot[9974]: lmtp(10078): Warning: Leaked settings: ssl-settings.c:234
dovecot[9974]: lmtp(10078): Warning: Leaked settings: ssl-settings.c:231
I don't see how these can happen based on the code. What's your doveconf -n? Are you connecting to LMTP using SSL?
On 2. Apr 2026, at 13.56, Klaus Tachtler <klaus@tachtler.net> wrote:
Hi Timo,
first of all, thank you for your patience.
Here is my directory structure with ownership and file permissions:
ls -lad /etc/dovecot/ssl/
drwxr-xr-x 1 root root 24 Feb 27 09:55 /etc/dovecot/ssl/
ls -l /etc/dovecot/ssl/
total 0 drwxr-xr-x 1 root root 204 Feb 27 09:55 certs drwxr-xr-x 1 root root 116 Feb 27 09:55 private
ls -l /etc/dovecot/ssl/certs/wildcard.idmz.tachtler.net.chain.pem
-r--r--r-- 1 dovecot dovecot 11627 Feb 27 09:55 /etc/dovecot/ssl/certs/wildcard.idmz.tachtler.net.chain.pem
ls -l /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
-r-------- 1 dovecot dovecot 1703 Feb 27 09:55 /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
All looks ok, so I guess next step would be to try stracing auth process to see what is really happening:
service auth { executable = /usr/bin/strace -D -o /tmp/auth.strace -s 100 /usr/libexec/dovecot/auth }
And fix the auth binary path to whichever location it exists in. Then grep for wildcard.idmz.tachtler.net.key.pem in the auth.strace to see what happens to it.
dovecot[9974]: lmtp(10078): Warning: Leaked settings: ssl-settings.c:234
dovecot[9974]: lmtp(10078): Warning: Leaked settings: ssl-settings.c:231
I don't see how these can happen based on the code. What's your doveconf -n? Are you connecting to LMTP using SSL?
I tried with your lmtp/ssl settings, but still can't reproduce this. Do they keep happening all the time?
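An added helper for the strace step Timo suggests above; it is not code from the thread or from Dovecot. It pulls the open/openat results for the key file out of an `strace -o` log and turns the kernel's answer into a plain verdict, which matters here because the MariaDB client reports every failure as "File ... not found". The strace excerpts are constructed, modelled on the EACCES and fd-23 outcomes that appear later in the thread.

```python
"""Added example (not from the thread or Dovecot): extract open/openat
results for one file from an strace -o log and say what they mean."""
import re

# One open/openat line with its return value, e.g. (constructed samples)
#   openat(AT_FDCWD, "/etc/x.pem", O_RDONLY) = -1 EACCES (Permission denied)
#   openat(AT_FDCWD, "/etc/x.pem", O_RDONLY) = 23
_OPEN_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?'                 # present when strace -f is used
    r'(?P<call>openat|open)\('
    r'(?:(?:AT_FDCWD|-?\d+),\s*)?'            # dirfd, absent for plain open()
    r'"(?P<path>[^"]*)"[^)]*\)\s*=\s*'
    r'(?P<ret>-?\d+)'
    r'(?:\s+(?P<errno>E[A-Z]+)\s+\((?P<msg>[^)]*)\))?'
)


def find_opens(strace_text, needle):
    """Return (call, path, fd, errno) for each open of a path containing
    needle; fd is None when the call failed, errno is None on success."""
    hits = []
    for line in strace_text.splitlines():
        m = _OPEN_RE.match(line.strip())
        if not m or needle not in m.group("path"):
            continue
        ret = int(m.group("ret"))
        hits.append((m.group("call"), m.group("path"),
                     ret if ret >= 0 else None, m.group("errno")))
    return hits


def verdict(strace_text, needle):
    """Map the last open attempt to an actionable message."""
    hits = find_opens(strace_text, needle)
    if not hits:
        return "never opened: path not reached (wrong config path or earlier failure)"
    _, path, fd, err = hits[-1]
    if fd is not None:
        return f"opened {path} as fd {fd}: file access is fine"
    if err == "ENOENT":
        return f"{path}: really missing (ENOENT)"
    if err == "EACCES":
        return f"{path}: exists but unreadable by the process uid/gid (EACCES)"
    return f"{path}: failed with {err}"


# Constructed strace excerpts modelled on the thread's before/after-chown runs.
KEY = "/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem"
CHAIN = "/etc/dovecot/ssl/certs/wildcard.idmz.tachtler.net.chain.pem"
STRACE_DENIED = f'''openat(AT_FDCWD, "{CHAIN}", O_RDONLY) = 21
openat(AT_FDCWD, "{KEY}", O_RDONLY) = -1 EACCES (Permission denied)
close(22) = 0
'''
STRACE_OK = f'''openat(AT_FDCWD, "{KEY}", O_RDONLY) = 23
fstat(23, {{st_mode=S_IFREG|0400, st_size=1703, ...}}) = 0
read(23, "-----BEGIN PRIVATE KEY-----\\n"..., 4096) = 1703
close(23) = 0
'''

if __name__ == "__main__":
    print(verdict(STRACE_DENIED, "wildcard.idmz.tachtler.net.key.pem"))
    print(verdict(STRACE_OK, "wildcard.idmz.tachtler.net.key.pem"))
```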
Hi Timo,
now I have:
service auth {
  executable = /usr/bin/strace -D -o /tmp/auth.strace -s 100 /usr/lib/dovecot/auth
  group = vmail
  user = vmail
  inet_listener auth {
    port = 12345
    listen = 10.0.0.80 fd00::10:10:0:0:80
  }
}
The problem is, no strace file will be written?
ls -l /tmp/auth.strace
ls: cannot access '/tmp/auth.strace': No such file or directory
The problem is reproducible - but the E-Mail will be delivered?
---- %< (LOG) ----
Apr 02 11:58:24 vml080 systemd-journald[326]: [🡕] Suppressed 40184 messages from dovecot.service
Apr 02 11:58:24 vml080 dovecot[5099]: auth: Error: mysql(db.idmz.tachtler.net): Connect failed to database (postfixadmin): File '/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem' not found (Errcode: 199028545) - waiting for 1 seconds before retry
Apr 02 11:58:24 vml080 dovecot[5099]: auth: Error: mysql(db.idmz.tachtler.net): Connect failed to database (postfixadmin): File '/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem' not found (Errcode: 199028545) - waiting for 1 seconds before retry
Apr 02 11:58:24 vml080 dovecot[5099]: auth: Error: mysql(db.idmz.tachtler.net): Connect failed to database (postfixadmin): File '/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem' not found (Errcode: 199028545) - waiting for 1 seconds before retry
Apr 02 11:58:24 vml080 dovecot[5099]: auth: Error: mysql(db.idmz.tachtler.net): Connect failed to database (postfixadmin): File '/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem' not found (Errcode: 199028545) - waiting for 1 seconds before retry
Apr 02 11:58:24 vml080 dovecot[5099]: auth: Error: mysql(db.idmz.tachtler.net): Connect failed to database (postfixadmin): File '/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem' not found (Errcode: 199028545) - waiting for 1 seconds before retry
Apr 02 11:58:25 vml080 dovecot[5099]: imap-login: Logged in: user=<klaus@tachtler.net>, method=DIGEST-MD5, rip=fd00::10:10:0:0:80, lip=fd00::10:10:0:0:80, mpid=5129, TLS, session=<EFW9PXdOZL39AAAAAAAAEAAQAAAAAACA>
Apr 02 11:58:59 vml080 dovecot[5099]: lmtp(5134): Connect from 10.0.0.60
Apr 02 11:58:59 vml080 dovecot[5099]: lmtp(klaus@tachtler.net)<5134><KKdaF+M9zmkOFAAAhuu2+w>: Mailbox INBOX: save: box=INBOX, uid=49391, msgid=<ac493KI1kS3UCRpS@vml080.idmz.tachtler.net>, size=4098, vsize=4180, from=Klaus Tachtler <klaus@tachtler.net>
Apr 02 11:58:59 vml080 dovecot[5099]: lmtp(klaus@tachtler.net)<5134><KKdaF+M9zmkOFAAAhuu2+w>: sieve: msgid=<ac493KI1kS3UCRpS@vml080.idmz.tachtler.net>: stored mail into mailbox 'INBOX'
Apr 02 11:58:59 vml080 dovecot[5099]: lmtp(5134): Disconnect from 10.0.0.60: Logged out (state=READY)
Apr 02 11:58:59 vml080 dovecot[5099]: lmtp(5134): Warning: Leaked settings: ssl-settings.c:234
Apr 02 11:58:59 vml080 dovecot[5099]: lmtp(5134): Warning: Leaked settings: ssl-settings.c:231
Apr 02 11:59:05 vml080 dovecot[5099]: imap(klaus@tachtler.net)<5129><EFW9PXdOZL39AAAAAAAAEAAQAAAAAACA>: Mailbox INBOX: delete: box=INBOX, uid=49390, msgid=<ac44b1fkCUAjgdVY@vml080.idmz.tachtler.net>, size=4105, vsize=4186, from=Klaus Tachtler <klaus@tachtler.net>
Apr 02 11:59:05 vml080 dovecot[5099]: imap(klaus@tachtler.net)<5129><EFW9PXdOZL39AAAAAAAAEAAQAAAAAACA>: Mailbox INBOX: expunge: box=INBOX, uid=49390, msgid=<ac44b1fkCUAjgdVY@vml080.idmz.tachtler.net>, size=4105, vsize=4186, from=Klaus Tachtler <klaus@tachtler.net>
Apr 02 11:59:05 vml080 dovecot[5099]: imap(klaus@tachtler.net)<5129><EFW9PXdOZL39AAAAAAAAEAAQAAAAAACA>: Disconnected: Logged out in=372 out=1772901 deleted=1 expunged=1 trashed=0 hdr_count=2551 hdr_bytes=1093571 body_count=0 body_bytes=0
---- >% (LOG) ----
Thank you!
Klaus.
On 4/2/26 13:20, Timo Sirainen wrote:
executable = /usr/bin/strace -D -o /tmp/auth.strace -s 100 /usr/libexec/dovecot/auth
On 2. Apr 2026, at 15.03, Klaus Tachtler <klaus@tachtler.net> wrote:
Hi Timo,
now I have:
service auth {
  executable = /usr/bin/strace -D -o /tmp/auth.strace -s 100 /usr/lib/dovecot/auth
  group = vmail
  user = vmail
  inet_listener auth {
    port = 12345
    listen = 10.0.0.80 fd00::10:10:0:0:80
  }
}
The problem is, no strace file will be written?
ls -l /tmp/auth.strace
ls: cannot access '/tmp/auth.strace': No such file or directory
With systemd the /tmp directory is actually under /tmp/systemd-something/. Try find /tmp -name auth.strace or use some other directory than /tmp.
Hi Timo,
sorry my fault, found the file inside systemd:
/tmp/systemd-private-ab22c74fcf994418a96bd0422a864ab3-dovecot.service-J0Z3EJ/tmp/auth.strace
---- %< ----
openat(AT_FDCWD, "/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem", O_RDONLY) = -1 EACCES (Permission denied)
close(22)
---- <% ----
Here is my directory structure with ownership and file permissions:
==================================================================
# ls -lad /etc/dovecot/ssl/
drwxr-xr-x 1 root root 24 Feb 27 09:55 /etc/dovecot/ssl/
# ls -l /etc/dovecot/ssl/
total 0
drwxr-xr-x 1 root root 204 Feb 27 09:55 certs
drwxr-xr-x 1 root root 116 Feb 27 09:55 private
# ls -l /etc/dovecot/ssl/certs/wildcard.idmz.tachtler.net.chain.pem
-r--r--r-- 1 dovecot dovecot 11627 Feb 27 09:55
/etc/dovecot/ssl/certs/wildcard.idmz.tachtler.net.chain.pem
# ls -l /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
-r-------- 1 dovecot dovecot 1703 Feb 27 09:55
/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
Thank you,
Klaus.
On 4/2/26 14:07, Timo Sirainen wrote:
On 2. Apr 2026, at 15.03, Klaus Tachtler <klaus@tachtler.net> wrote:
Hi Timo,
now I have:
service auth {
  executable = /usr/bin/strace -D -o /tmp/auth.strace -s 100 /usr/lib/dovecot/auth
  group = vmail
  user = vmail
  inet_listener auth {
    port = 12345
    listen = 10.0.0.80 fd00::10:10:0:0:80
  }
}
The problem is, no strace file will be written?
ls -l /tmp/auth.strace
ls: cannot access '/tmp/auth.strace': No such file or directory
With systemd the /tmp directory is actually under /tmp/systemd-something/. Try find /tmp -name auth.strace or use some other directory than /tmp.
Maybe you have SELinux or something preventing the access? You could run service auth { user=root } if nothing else works.
On 2. Apr 2026, at 15.14, Klaus Tachtler <klaus@tachtler.net> wrote:
Hi Timo,
sorry my fault, found the file inside systemd:
/tmp/systemd-private-ab22c74fcf994418a96bd0422a864ab3-dovecot.service-J0Z3EJ/tmp/auth.strace
---- %< ----
openat(AT_FDCWD, "/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem", O_RDONLY) = -1 EACCES (Permission denied)
close(22)
---- <% ----
Here is my directory structure with ownership and file permissions:
==================================================================
# ls -lad /etc/dovecot/ssl/
drwxr-xr-x 1 root root 24 Feb 27 09:55 /etc/dovecot/ssl/
# ls -l /etc/dovecot/ssl/
total 0
drwxr-xr-x 1 root root 204 Feb 27 09:55 certs
drwxr-xr-x 1 root root 116 Feb 27 09:55 private
# ls -l /etc/dovecot/ssl/certs/wildcard.idmz.tachtler.net.chain.pem
-r--r--r-- 1 dovecot dovecot 11627 Feb 27 09:55 /etc/dovecot/ssl/certs/wildcard.idmz.tachtler.net.chain.pem
# ls -l /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
-r-------- 1 dovecot dovecot 1703 Feb 27 09:55 /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
Thank you,
Klaus.
On 4/2/26 14:07, Timo Sirainen wrote:
On 2. Apr 2026, at 15.03, Klaus Tachtler <klaus@tachtler.net> wrote:
Hi Timo,
now I have:
service auth { executable = /usr/bin/strace -D -o /tmp/auth.strace -s 100 /usr/lib/dovecot/auth group = vmail user = vmail inet_listener auth { port = 12345 listen = 10.0.0.80 fd00::10:10:0:0:80 } }
The problem is, no strace file will be written?
ls -l /tmp/auth.strace
ls: cannot access '/tmp/auth.strace': No such file or directory
With systemd the /tmp directory is actually under /tmp/systemd-something/. Try find /tmp -name auth.strace or use some other directory than /tmp.
Hi Timo,
this is an Archlinux test system without SELinux and without AppArmor.
Greetings Klaus.
On 4/2/26 14:23, Timo Sirainen wrote:
Maybe you have SELinux or something preventing the access? You could run service auth { user=root } if nothing else works.
On 2. Apr 2026, at 15.14, Klaus Tachtler <klaus@tachtler.net> wrote:
Hi Timo,
sorry my fault, found the file inside systemd:
/tmp/systemd-private-ab22c74fcf994418a96bd0422a864ab3-dovecot.service-J0Z3EJ/tmp/auth.strace
---- %< ----
openat(AT_FDCWD, "/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem", O_RDONLY) = -1 EACCES (Permission denied)
close(22)
---- <% ----
Here is my directory structure with ownership and file permissions:
==================================================================
# ls -lad /etc/dovecot/ssl/
drwxr-xr-x 1 root root 24 Feb 27 09:55 /etc/dovecot/ssl/
# ls -l /etc/dovecot/ssl/
total 0
drwxr-xr-x 1 root root 204 Feb 27 09:55 certs
drwxr-xr-x 1 root root 116 Feb 27 09:55 private
# ls -l /etc/dovecot/ssl/certs/wildcard.idmz.tachtler.net.chain.pem
-r--r--r-- 1 dovecot dovecot 11627 Feb 27 09:55 /etc/dovecot/ssl/certs/wildcard.idmz.tachtler.net.chain.pem
# ls -l /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
-r-------- 1 dovecot dovecot 1703 Feb 27 09:55 /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
Thank you,
Klaus.
On 4/2/26 14:07, Timo Sirainen wrote:
On 2. Apr 2026, at 15.03, Klaus Tachtler <klaus@tachtler.net> wrote:
Hi Timo,
now I have:
service auth {
  executable = /usr/bin/strace -D -o /tmp/auth.strace -s 100 /usr/lib/dovecot/auth
  group = vmail
  user = vmail
  inet_listener auth {
    port = 12345
    listen = 10.0.0.80 fd00::10:10:0:0:80
  }
}
The problem is, no strace file will be written?
ls -l /tmp/auth.strace
ls: cannot access '/tmp/auth.strace': No such file or directory
With systemd the /tmp directory is actually under /tmp/systemd-something/. Try find /tmp -name auth.strace or use some other directory than /tmp.
--
e-Mail : klaus@tachtler.net
Homepage: https://www.tachtler.net
DokuWiki: https://dokuwiki.tachtler.net
Hi Timo,
next try - permission vmail:vmail to the key - works - BUT ERROR still in LOG file:
Here is my directory structure with ownership and file permissions:
==================================================================
# ls -lad /etc/dovecot/ssl/
drwxr-xr-x 1 root root 24 Feb 27 09:55 /etc/dovecot/ssl/
# ls -l /etc/dovecot/ssl/
total 0
drwxr-xr-x 1 root root 204 Feb 27 09:55 certs
drwxr-xr-x 1 root root 116 Feb 27 09:55 private
# ls -l /etc/dovecot/ssl/certs/wildcard.idmz.tachtler.net.chain.pem
-r--r--r-- 1 vmail vmail 11627 Feb 27 09:55
/etc/dovecot/ssl/certs/wildcard.idmz.tachtler.net.chain.pem
# ls -l /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
-r-------- 1 vmail vmail 1703 Feb 27 09:55
/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
---- %< (STRACE) ----
openat(AT_FDCWD, "/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem", O_RDONLY) = 23
lseek(23, 0, SEEK_CUR) = 0
lseek(23, 0, SEEK_CUR) = 0
brk(0x5615e41d6000) = 0x5615e41d6000
lseek(23, 0, SEEK_CUR) = 0
lseek(23, 0, SEEK_CUR) = 0
fstat(23, {st_mode=S_IFREG|0400, st_size=1703, ...}) = 0
lseek(23, 0, SEEK_SET) = 0
read(23, "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDkRF5N07iRZLw4\nUbXO8ah"..., 4096) = 1703
read(23, "", 4096) = 0
close(23)
---- >% (STRACE) ----
---- %< (LOG) ----
Apr 02 12:27:34 vml080 dovecot[5767]: imap-login: Logged in: user=<klaus@tachtler.net>, method=DIGEST-MD5, rip=fd00::10:10:0:0:80, lip=fd00::10:10:0:0:80, mpid=5862, TLS, session=<u4f5pXdO6qP9AAAAAAAAEAAQAAAAAACA>
Apr 02 12:28:20 vml080 dovecot[5767]: lmtp(5867): Connect from fd00::10:10:0:0:60
Apr 02 12:28:20 vml080 dovecot[5767]: lmtp(klaus@tachtler.net)<5867><UGBJAcREzmnrFgAAhuu2+w>: Mailbox INBOX: save: box=INBOX, uid=49393, msgid=<ac5EvPLt4PIT2ohg@vml080.idmz.tachtler.net>, size=4116, vsize=4197, from=Klaus Tachtler <klaus@tachtler.net>
Apr 02 12:28:20 vml080 dovecot[5767]: lmtp(klaus@tachtler.net)<5867><UGBJAcREzmnrFgAAhuu2+w>: sieve: msgid=<ac5EvPLt4PIT2ohg@vml080.idmz.tachtler.net>: stored mail into mailbox 'INBOX'
Apr 02 12:28:20 vml080 dovecot[5767]: dict(5868): Error: mysql: dict(sql): mysql(db.idmz.tachtler.net): Connect failed to database (postfixadmin): File '/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem' not found (Errcode: 1294103494) - waiting for 1 seconds before retry
Apr 02 12:28:20 vml080 dovecot[5767]: dict(5868): Error: mysql: dict(sql): mysql(db.idmz.tachtler.net): Connect failed to database (postfixadmin): File '/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem' not found (Errcode: 1294103494) - waiting for 1 seconds before retry
Apr 02 12:28:20 vml080 dovecot[5767]: dict(5868): Error: mysql: dict(sql): mysql(db.idmz.tachtler.net): Connect failed to database (postfixadmin): File '/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem' not found (Errcode: 1294103494) - waiting for 1 seconds before retry
Apr 02 12:28:20 vml080 dovecot[5767]: dict(5868): Error: mysql: dict(sql): mysql(db.idmz.tachtler.net): Connect failed to database (postfixadmin): File '/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem' not found (Errcode: 1294103494) - waiting for 1 seconds before retry
---- >% (LOG) ----
--
e-Mail : klaus@tachtler.net
Homepage: https://www.tachtler.net
DokuWiki: https://dokuwiki.tachtler.net
Hi Timo,
for the next test I changed the file permissions to
# ls -l /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
-r--r--r-- 1 vmail vmail 1703 Feb 27 09:55
/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
and no connection error occurs - BUT - the warnings are still present:
---- %< ----
Apr 02 12:50:32 vml080 dovecot[6490]: imap-login: Logged in: user=<klaus@tachtler.net>, method=DIGEST-MD5, rip=fd00::10:10:0:0:80, lip=fd00::10:10:0:0:80, mpid=6545, TLS, session=<hfkc+HdOHKn9AAAAAAAAEAAQAAAAAACA>
Apr 02 12:51:06 vml080 dovecot[6490]: lmtp(6556): Connect from 10.0.0.60
Apr 02 12:51:06 vml080 dovecot[6490]: lmtp(klaus@tachtler.net)<6556><sNYwORpKzmmcGQAAhuu2+w>: Mailbox INBOX: save: box=INBOX, uid=49395, msgid=<ac5KE5mw1qwhm7_O@vml080.idmz.tachtler.net>, size=4103, vsize=4184, from=Klaus Tachtler <klaus@tachtler.net>
Apr 02 12:51:07 vml080 dovecot[6490]: lmtp(klaus@tachtler.net)<6556><sNYwORpKzmmcGQAAhuu2+w>: sieve: msgid=<ac5KE5mw1qwhm7_O@vml080.idmz.tachtler.net>: stored mail into mailbox 'INBOX'
Apr 02 12:51:07 vml080 dovecot[6490]: lmtp(6556): Disconnect from 10.0.0.60: Logged out (state=READY)
Apr 02 12:51:07 vml080 dovecot[6490]: lmtp(6556): Warning: Leaked settings: ssl-settings.c:234
Apr 02 12:51:07 vml080 dovecot[6490]: lmtp(6556): Warning: Leaked settings: ssl-settings.c:231
---- >% ----
Greetings Klaus.
--
e-Mail : klaus@tachtler.net
Homepage: https://www.tachtler.net
DokuWiki: https://dokuwiki.tachtler.net
Hi Timo, hi everyone,
I've finally figured out the final configuration for me:
Change the ownership and file permissions for the SSL cert and key
Here is my directory structure with ownership and file permissions:
ls -lad /etc/dovecot/ssl/
drwxr-xr-x 1 root root 24 Feb 27 09:55 /etc/dovecot/ssl/
ls -l /etc/dovecot/ssl/
total 0
drwxr-xr-x 1 root root 204 Feb 27 09:55 certs
drwxr-xr-x 1 root root 116 Feb 27 09:55 private
ls -l /etc/dovecot/ssl/certs/wildcard.idmz.tachtler.net.chain.pem
-r--r--r-- 1 vmail vmail 11627 Feb 27 09:55 /etc/dovecot/ssl/certs/wildcard.idmz.tachtler.net.chain.pem
ls -l /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
-r-------- 1 vmail vmail 1703 Feb 27 09:55 /etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem
Change the user for the dict service
---- %< ----
service dict {
  user = vmail   # <-- This was IMPORTANT in my setup !!!
  unix_listener dict {
    user = vmail
  }
}
---- %< ----
This allows me to establish an SSL-encrypted connection to MariaDB without receiving any error messages in the log.
The only things left are the two warning messages:
---- %< ----
... dovecot[10936]: lmtp(11085): Warning: Leaked settings: ssl-settings.c:234
... dovecot[10936]: lmtp(11085): Warning: Leaked settings: ssl-settings.c:231
---- %< ----
Thank you very much for your time and effort, and for your quick responses.
Greetings Klaus.
--
e-Mail : klaus@tachtler.net
Homepage: https://www.tachtler.net
DokuWiki: https://dokuwiki.tachtler.net
Hi Timo,
it seems that the cert chain file could be read:
openat(AT_FDCWD, "/etc/dovecot/ssl/certs/wildcard.idmz.tachtler.net.chain.pem", O_RDONLY) = 23
fstat(23, {st_mode=S_IFREG|0444, st_size=11627, ...}) = 0
read(23, "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkjG9w0BAQEFAASCBKgrggSkAgEAAoIBAZDkRF5N07iRZLw4\nUbXO8ah"..., 4096) = 4096
read(23, " Identifier: \n 8C:4E:9B:BA:1E:03:14:67:34:F0:B8:30:FE:24:AC:B2:23:C7:45:30\n "..., 4096) = 4096
read(23, "9:e7:7d:33:df:d3:95:2c:4b:3b:7c:\n a3:fa:5e:3a:29:72:f7:92:8d:30:b2:8f:73:34:f7:\n "..., 4096) = 3435
read(23, "", 4096) = 0
close(23) = 0
openat(AT_FDCWD, "/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem", O_RDONLY) = -1 EACCES (Permission denied)
close(22)
Greetings Klaus.
--
e-Mail : klaus@tachtler.net
Homepage: https://www.tachtler.net
DokuWiki: https://dokuwiki.tachtler.net
On Thu, 2026-04-02 at 12:56 +0200, Klaus Tachtler via dovecot wrote:
... Here is my directory structure with ownership and file permissions:
ls -lad /etc/dovecot/ssl/
drwxr-xr-x 1 root root 24 Feb 27 09:55 /etc/dovecot/ssl/
ls -l /etc/dovecot/ssl/
total 0
drwxr-xr-x 1 root root 204 Feb 27 09:55 certs
drwxr-xr-x 1 root root 116 Feb 27 09:55 private
Hi Klaus:
For completeness: what about the directory permissions on /etc/dovecot (and on /etc and /)? Just to confirm that user dovecot has "x" on all parent dirs.
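The check asked for above, as an added example that is not code from the thread or from Dovecot: walk every parent directory from / down, confirm the service user has search ("x") on each one, then confirm read on the file, and report the first path that blocks. The directory tree and the uids (dovecot, vmail) are constructed placeholders modelled on the ls output in the thread; stat_lookup runs the same logic against a live host.

```python
import os
import stat
from typing import Callable, NamedTuple

class Entry(NamedTuple):
    """Permission-relevant part of a stat result: mode bits, owner uid, owner gid."""
    mode: int
    uid: int
    gid: int

def _allowed(e: Entry, want: int, uid: int, groups: set) -> bool:
    # Classic Unix DAC: root bypasses; otherwise the owner, group or other bits apply
    if uid == 0:
        return True
    shift = 6 if e.uid == uid else 3 if e.gid in groups else 0
    return bool((e.mode >> shift) & want)

def can_read_file(path: str, uid: int, groups: set,
                  lookup: Callable[[str], Entry]) -> tuple:
    """Return (True, '') if uid can open `path` for reading, else (False, blocker).
    Every directory from / down needs search (x); the file itself needs read (r)."""
    path = os.path.abspath(path)
    dirs, cur = ["/"], "/"
    for part in path.strip("/").split("/")[:-1]:
        cur = os.path.join(cur, part)
        dirs.append(cur)
    for d in dirs:
        if not _allowed(lookup(d), 1, uid, groups):   # 1 = x bit
            return False, d
    if not _allowed(lookup(path), 4, uid, groups):    # 4 = r bit
        return False, path
    return True, ""

def stat_lookup(p: str) -> Entry:
    """Lookup backed by the real filesystem, for running the check on a live host."""
    st = os.stat(p)
    return Entry(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)

# Constructed model of the thread's layout; uids are placeholders, not real ids
UID_DOVECOT, UID_VMAIL = 97, 5000
KEY = "/etc/dovecot/ssl/private/wildcard.idmz.tachtler.net.key.pem"
BEFORE = {d: Entry(0o755, 0, 0) for d in
          ["/", "/etc", "/etc/dovecot", "/etc/dovecot/ssl", "/etc/dovecot/ssl/private"]}
BEFORE[KEY] = Entry(0o400, UID_DOVECOT, UID_DOVECOT)          # key owned by dovecot
AFTER = {**BEFORE, KEY: Entry(0o400, UID_VMAIL, UID_VMAIL)}    # after chown vmail:vmail
LOCKED = {**AFTER, "/etc/dovecot": Entry(0o700, 0, 0)}         # a parent dir without x

if __name__ == "__main__":
    for name, tree in (("before", BEFORE), ("after", AFTER), ("locked", LOCKED)):
        print(name, can_read_file(KEY, UID_VMAIL, {UID_VMAIL}, tree.__getitem__))
```

The "before" case reproduces the EACCES from the strace (auth runs as vmail, key is dovecot-owned 0400), "after" passes, and "locked" shows the parent-directory failure this reply asks about.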
participants (3)
- Genes Lists
- Klaus Tachtler
- Timo Sirainen