FS#68733 - [dovecot] doveadm not able to access certificates - permission error

Attached to Project: Community Packages
Opened by F_Heday (fheday) - Tuesday, 24 November 2020, 15:13 GMT
Last edited by Johannes Löthberg (demize) - Sunday, 06 December 2020, 20:54 GMT
Task Type: Bug Report
Category: Packages
Status: Closed
Assigned To: Johannes Löthberg (demize), Thore Bödecker (foxxx0)
Architecture: x86_64
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No

Details

Description:
Can't log in because doveadm is not able to access certificates.

If tested on the command line, I get:

# sudo -u postfix doveadm pw -s BLF-CRYPT -p test
doveconf: Fatal: Error in configuration file /etc/dovecot/ssl-keys.conf line 1: ssl_cert: Can't open file /etc/letsencrypt/live/xxxxxx.xxx/fullchain.pem: Permission denied

and as normal user:
doveadm pw -s BLF-CRYPT -p test
doveconf: Fatal: Error in configuration file /etc/dovecot/ssl-keys.conf line 1: ssl_cert: Can't open file /etc/letsencrypt/live/xxxxxx.xxx/fullchain.pem: Permission denied

I also find the same problem in the system logs.

Here is my certificates directory:
# ls -lah
total 12K
drwxr-xr-x 2 root root 4.0K Nov 9 00:03 .
drwxr-xr-x 3 root root 4.0K Dec 27 2019 ..
lrwxrwxrwx 1 root root 36 Nov 9 00:03 cert.pem -> ../../archive/xxxx.xxx/cert6.pem
lrwxrwxrwx 1 root root 37 Nov 9 00:03 chain.pem -> ../../archive/xxxx.xxx/chain6.pem
lrwxrwxrwx 1 root root 41 Nov 9 00:03 fullchain.pem -> ../../archive/xxxx.xxx/fullchain6.pem
lrwxrwxrwx 1 root root 39 Nov 9 00:03 privkey.pem -> ../../archive/xxxx.xxx/privkey6.pem
-rw-rw-rw- 1 root root 692 Dec 27 2019 README

I used to be able to run without any problems.

package version: community/postfixadmin 3.2.4-1

dovecot.conf:
protocols = imap sieve #pop3
auth_mechanisms = plain
passdb {
    driver = sql
    args = /etc/dovecot/dovecot-sql.conf
}
userdb {
    driver = sql
    args = /etc/dovecot/dovecot-sql.conf
}

service auth {
    unix_listener auth-client {
        group = postfix
        mode = 0660
        user = postfix
    }
    user = root
}

mail_home = /home/vmail/%d/%n
mail_location = maildir:~

#ssl_cert = </etc/letsencrypt/live/xxxxx.xx/fullchain.pem
#ssl_key = </etc/letsencrypt/live/xxxxxx.xx/privkey.pem


### RSPAMD ###
protocol lmtp {
    postmaster_address = postmaster@xxxx.xxx
    mail_plugins = $mail_plugins sieve
}

protocol imap {
    mail_plugins = $mail_plugins imap_quota imap_sieve quota
}

service managesieve-login {
    inet_listener sieve {
        port = 4190
    }
}

service managesieve {
    process_limit = 1024
}


plugin {
    # sieve = file:~/sieve;active=~/.dovecot.sieve
    sieve_plugins = sieve_imapsieve sieve_extprograms
    sieve_before = /var/mail/vmail/sieve/global/spam-global.sieve
    sieve = file:/var/mail/vmail/sieve/%d/%n/scripts;active=/var/mail/vmail/sieve/%d/%n/active-script.sieve

    imapsieve_mailbox1_name = Spam
    imapsieve_mailbox1_causes = COPY
    imapsieve_mailbox1_before = file:/var/mail/vmail/sieve/global/report-spam.sieve

    imapsieve_mailbox2_name = *
    imapsieve_mailbox2_from = Spam
    imapsieve_mailbox2_causes = COPY
    imapsieve_mailbox2_before = file:/var/mail/vmail/sieve/global/report-ham.sieve

    sieve_pipe_bin_dir = /usr/bin
    sieve_global_extensions = +vnd.dovecot.pipe
}
!include_try ssl-keys.conf


Closed by  Johannes Löthberg (demize)
Sunday, 06 December 2020, 20:54 GMT
Reason for closing:  Not a bug
Additional comments about closing:  As specified in the error message, those users aren't allowed to read that file, so fix your permissions.
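
Added example, not part of the original report or of the Dovecot or Arch packaging: a POSIX shell helper that walks both the symlink path and its resolved target (as in the `live/` -> `archive/` listing above) and prints the first component whose "other" mode bits would stop a user who is neither owner nor group member. The function names and the optional start directory are hypothetical; ACLs and MAC policies are not considered, and intermediate directory symlinks are not followed.

```shell
#!/bin/sh
# Usage (as root, so every component can be inspected):
#   first_blocker /etc/letsencrypt/live/<domain>/fullchain.pem

# other_bits PATH -> the three "other" permission characters, e.g. "r-x"
other_bits() {
    ls -ld -- "$1" 2>/dev/null | cut -c8-10
}

# walk TARGET [START]: require o+x on every directory below START (default /)
# and o+r on TARGET itself. Prints the first failing component, returns 1.
walk() {
    target=$1
    cur=${2:-}
    cur=${cur%/}
    rest=${target#"$cur"/}
    old_ifs=$IFS; IFS=/; set -f
    set -- $rest                      # split the remaining path on "/"
    set +f; IFS=$old_ifs
    while [ $# -gt 1 ]; do
        cur=$cur/$1; shift
        case $(other_bits "$cur") in
            ??x|??t) ;;               # searchable by "other"
            *) echo "$cur"; return 1 ;;
        esac
    done
    cur=$cur/$1
    case $(other_bits "$cur") in
        r??) return 0 ;;              # readable by "other" (symlinks show rwx)
        *) echo "$cur"; return 1 ;;
    esac
}

# first_blocker PATH [START]: check the path as written, then the file the
# symlink resolves to, since both directory chains must be traversable.
first_blocker() {
    walk "$1" "${2:-}" || return 1
    real=$(readlink -f -- "$1") || { echo "$1"; return 1; }
    walk "$real" "${2:-}"
}
```

The printed component is the place to decide how the service account gets access, for example through a dedicated group on that directory rather than by opening the private key to all users.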
