dovecot - Oct 2020 - doveadm SSL problem with recent update

With a recent update, I started seeing this:

doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf
line 14: ssl_cert: Can't open file
/etc/letsencrypt/live/SERVER/fullchain.pem: Permission denied

1 4 * * *  vmail  /usr/bin/doveadm expunge -A mailbox MAILBOXINQUESTION
savedbefore 1w

is one of the crontab entries I am seeing this for.

Is there an option to keep doveadm from trying to use the ssl cert from that
configuration file? I do not want to have the vmail user having access to the
pem cert.

Thank you.
Trever

Citeren "Trever L. Adams" <trever at
middleearth.sapphiresunday.org>:
> With a recent update, I started seeing this:
>
> doveconf: Fatal: Error in configuration file  
> /etc/dovecot/conf.d/10-ssl.conf line 14: ssl_cert: Can't open file  
> /etc/letsencrypt/live/SERVER/fullchain.pem: Permission denied
>
> 1 4 * * *  vmail  /usr/bin/doveadm expunge -A mailbox  
> MAILBOXINQUESTION savedbefore 1w
>
> is one of the crontab entries I am seeing this for.
>
> Is there an option to keep doveadm from trying to use the ssl cert  
> from that configuration file? I do not want to have the vmail user  
> having access to the pem cert.
Rename your existing 10-ssl.conf to 10-ssl.conf.ext and make it  
readable by root only. Now create a new 10-ssl.conf file with the  
following content:

   # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
   ssl = no

   !include_try 10-ssl.conf.ext

This will cause all non-root users to disable SSL and will only enable  
it when started as root.

On 10/25/20 6:02 AM, Arjen de Korte wrote:
>
> ? # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
> ? ssl = no
>
> ? !include_try 10-ssl.conf.ext 
Thank you very much. This did exactly what I needed.