doveadm/doveconf as user tries and fails to read host key

Arjen de Korte build+dovecot at
Mon Aug 24 07:59:57 EEST 2020

Citeren jimc <jimc at>:

> Distro: OpenSuSE Tumbleweed for x86_64
> Failing version: dovecot23-  Install Date: 2020-08-18
> Reverting to previous version works: dovecot23-
> (Packages downgraded coordinately: dovecot23 dovecot23-backend-sqlite)
> How to make it fail: As the user, execute
>     doveadm expunge mailbox Spam37 savedbefore 3day #User's actual cmd
>     doveadm who #The simplest possible command, for testing
> It says:
>     doveconf: Fatal: Error in configuration file
>     /etc/dovecot/conf.d/10-ssl.conf line 12: ssl_cert:
>     Can't open file /etc/ssl/hostcerts/hostw.cia: Permission denied

This was mentioned before on this list. See how to  
solve this.

> The actual EPERM occurs trying to traverse a directory in /etc/letsencrypt,
> but the next configuration item to be read (in the SSL section) is the
> host's private key, and the user is surely not ever going to get
> permission to read that.  (I did test giving the user permission to the
> 750 directory and it did attempt to read the private key, failing.)
> If you run it as root, of course it works because root has read permission.
> The initial failure was seen running as the user from cron.
> Behavior seen in strace: doveadm execs doveconf; doveconf reads the
> configuration and saves it somewhere (shared memory?); doveconf execs
> the next program which in this case is doveadm with its original command
> line; and doveadm now knows its configuration.  I can re-do and post
> the strace if needed.
> I don't know why doveconf is reading the SSL keys in when it
> didn't in, but if the idea is to read the complete
> configuration in case it might be needed in obscure situations, a
> possible workaround is to not die on unreadable secrets and to report
> those either as unset or as a new "error" symbol, letting the consumer
> (doveadm) deal with the fallout, or in this case ignore it.
> Attached: sysreport.gz ; doveconf-n.out
> Dovecot's working files and user mailboxes are on ext4 filesystems; NFS
> is not involved.
> The mail reader is Roundcube webmail.

More information about the dovecot mailing list