Arjen de Korte
2020-Aug-13 09:00 UTC
Doveadm error since 2.3.11.3 when run as unprivileged user
I allow users to run 'doveadm' for mailbox maintenance (to expunge mail for instance). Since the upgrade to 2.3.11.3, this no longer works and results in the following error message: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 13: ssl_key: Can't open file /etc/ssl/private/de-korte.org.key: Permission denied This is no surprise, as non-privileged users are not allowed to read the private keys of the server. Question is, why is doveadm trying to read this key in the first place (it is not needed for mailbox maintenance) and why is it failing now? Regards, Arjen
Timo Sirainen
2020-Aug-13 09:29 UTC
Doveadm error since 2.3.11.3 when run as unprivileged user
On 13. Aug 2020, at 11.00, Arjen de Korte <build+dovecot at de-korte.org> wrote:> > I allow users to run 'doveadm' for mailbox maintenance (to expunge mail for instance). Since the upgrade to 2.3.11.3, this no longer works and results in the following error message: > > doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 13: ssl_key: Can't open file /etc/ssl/private/de-korte.org.key: Permission denied > > This is no surprise, as non-privileged users are not allowed to read the private keys of the server. Question is, why is doveadm trying to read this key in the first place (it is not needed for mailbox maintenance) and why is it failing now?There were some ssl setting handling cleanups in v2.3.11, which caused this. I guess the proper fix for this would be to split SSL client settings and SSL server settings. So doveadm would still read the SSL client settings without trying to read the SSL server settings and failing there.
Timo Sirainen
2020-Aug-13 12:30 UTC
Doveadm error since 2.3.11.3 when run as unprivileged user
On 13. Aug 2020, at 11.29, Timo Sirainen <timo at sirainen.com> wrote:> > On 13. Aug 2020, at 11.00, Arjen de Korte <build+dovecot at de-korte.org> wrote: >> >> I allow users to run 'doveadm' for mailbox maintenance (to expunge mail for instance). Since the upgrade to 2.3.11.3, this no longer works and results in the following error message: >> >> doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 13: ssl_key: Can't open file /etc/ssl/private/de-korte.org.key: Permission denied >> >> This is no surprise, as non-privileged users are not allowed to read the private keys of the server. Question is, why is doveadm trying to read this key in the first place (it is not needed for mailbox maintenance) and why is it failing now? > > There were some ssl setting handling cleanups in v2.3.11, which caused this. I guess the proper fix for this would be to split SSL client settings and SSL server settings. So doveadm would still read the SSL client settings without trying to read the SSL server settings and failing there.As a workaround, it should be possible to put the ssl_key into a separate config file and use !Include_try for it. For example in dovecot.conf: !include_try ssl-keys.conf
Reasonably Related Threads
- Doveadm error since 2.3.11.3 when run as unprivileged user
- Doveadm error since 2.3.11.3 when run as unprivileged user
- Doveadm error since 2.3.11.3 when run as unprivileged user
- Doveadm error since 2.3.11.3 when run as unprivileged user
- Doveadm error since 2.3.11.3 when run as unprivileged user