doveadm/doveconf as user tries and fails to read host key

jimc jimc at
Tue Aug 25 02:48:23 EEST 2020

On 2020-08-23 21:59, Arjen de Korte wrote:
> Citeren jimc <jimc at>:
>> Failing version: dovecot23-  Install Date: 
>> 2020-08-18
> This was mentioned before on this list. See
> how to
> solve this.

@Arjen, thanks for the quick and useful reply.  I implemented it and it
works.  For explicitness here's what I did: In /etc/dovecot/conf.d I put
these 3 files, most comments redacted:

# Everyone gets the dummy config that turns off SSL
!include 10-ssl.all
# Only root can read this file (and the host key it mentions) (mode 600)
!include_try 10-ssl.root

ssl = no

10-ssl.root:  (owned by root, mode 600)
ssl = yes
ssl_key = </etc/ssl/private/hostw.key
# etc. etc.  This is the original SSL configuration.

For testing:
* Upgraded to dovecot23- and friends, and restarted
* doveadm expunge mailbox Spam37 savedbefore 3day
     As user: works.  strace shows doveconf silently skips 10-ssl.root,
     getting EACCESS.
* doveadm who
     My bad -- this command doesn't call doveconf, testing nothing.
* sleep 1 | openssl s_client -connect -starttls 
   --or-- sleep 1 | openssl s_client -connect
     Verify return code: 0 (ok) and TLS session ticket was granted for
     both.  Be careful to use the ports and hostname (IP) that the
     firewall is expecting.
* Normal use from Roundcube: connects and gets/deletes mail normally.
     TLS is required for this.

James F. Carter   Email: jimc at
Web: (q.v. for PGP key)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the dovecot mailing list