Distro: OpenSuSE Tumbleweed for x86_64 Failing version: dovecot23-2.3.11.3-1.1.x86_64 Install Date: 2020-08-18 Reverting to previous version works: dovecot23-2.3.10.1-2.3.x86_64 (Packages downgraded coordinately: dovecot23 dovecot23-backend-sqlite)
How to make it fail: As the user, execute
doveadm expunge mailbox Spam37 savedbefore 3day #User's actual cmd
doveadm who #The simplest possible command, for testing
It says:
doveconf: Fatal: Error in configuration file
/etc/dovecot/conf.d/10-ssl.conf line 12: ssl_cert:
Can't open file /etc/ssl/hostcerts/hostw.cia: Permission denied
The actual EPERM occurs trying to traverse a directory in
/etc/letsencrypt,
but the next configuration item to be read (in the SSL section) is the host's private key, and the user is surely not ever going to get permission to read that. (I did test giving the user permission to the 750 directory and it did attempt to read the private key, failing.)If you run it as root, of course it works because root has read permission.
The initial failure was seen running as the user from cron. Behavior seen in strace: doveadm execs doveconf; doveconf reads the configuration and saves it somewhere (shared memory?); doveconf execs the next program which in this case is doveadm with its original command line; and doveadm now knows its configuration. I can re-do and post the strace if needed. I don't know why doveconf is reading the SSL keys in 2.3.11.3 when it didn't in 2.3.10.1, but if the idea is to read the complete configuration in case it might be needed in obscure situations, a possible workaround is to not die on unreadable secrets and to report those either as unset or as a new "error" symbol, letting the consumer (doveadm) deal with the fallout, or in this case ignore it. Attached: sysreport.gz ; doveconf-n.out Dovecot's working files and user mailboxes are on ext4 filesystems; NFS is not involved. The mail reader is Roundcube webmail. -- James F. Carter Email: [email protected] Web: http://www.math.ucla.edu/~jimc (q.v. for PGP key)
sysreport.gz
Description: application/gzip
# 2.3.11.3 (502c39af9): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.11 (d71e0372)
# OS: Linux 5.6.12-1-default x86_64
# Hostname: jacinth.cft.ca.us
auth_cache_size = 1 M
auth_master_user_separator = *
auth_mechanisms = plain login gssapi
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_location = maildir:~/Maildir
mail_plugin_dir = /usr/lib/dovecot/modules
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
separator = .
subscriptions = yes
type = private
}
passdb {
args = /etc/dovecot/passwd.master
driver = passwd-file
master = yes
}
passdb {
args = cache_key=#hidden_use-P_to_show# dovecot
driver = pam
}
plugin {
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
}
postmaster_address = [email protected]
service stats {
unix_listener stats-writer {
mode = 0666
}
}
ssl_cert = </etc/ssl/hostcerts/hostw.cia
ssl_cipher_list = DEFAULT:+aRSA:+SHA:!aNULL:!DES:!3DES:!RC4:!MD5:!PSK:!DSS:!CAMELLIA:!SEED:!SRP:!AES256
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
args = blocking=yes
driver = passwd
}
protocol imap {
imap_idle_notify_interval = 29 mins
}
signature.asc
Description: OpenPGP digital signature
