Quoting Timo Sirainen <t...@sirainen.com>:
On 13. Aug 2020, at 11.29, Timo Sirainen <t...@sirainen.com> wrote:
On 13. Aug 2020, at 11.00, Arjen de Korte
<build+dove...@de-korte.org> wrote:
I allow users to run 'doveadm' for mailbox maintenance (to expunge
mail for instance). Since the upgrade to 2.3.11.3, this no longer
works and results in the following error message:
doveconf: Fatal: Error in configuration file
/etc/dovecot/conf.d/10-ssl.conf line 13: ssl_key: Can't open file
/etc/ssl/private/de-korte.org.key: Permission denied
This is no surprise, as non-privileged users are not allowed to
read the private keys of the server. Question is, why is doveadm
trying to read this key in the first place (it is not needed for
mailbox maintenance) and why is it failing now?

There were some ssl setting handling cleanups in v2.3.11, which
caused this. I guess the proper fix for this would be to split SSL
client settings and SSL server settings. So doveadm would still
read the SSL client settings without trying to read the SSL server
settings and failing there.

As a workaround, it should be possible to put the ssl_key into a
separate config file and use !include_try for it. For example in
dovecot.conf:
!include_try ssl-keys.conf

That will only work to include an optional configuration file and
suppress errors if it doesn't exist. I put
ssl_key = </etc/ssl/private/de-korte.org.key
in a separate configuration file and it failed in a similar fashion,
just with another filename.