On 13. Aug 2020, at 11.29, Timo Sirainen <t...@sirainen.com> wrote:
>
> On 13. Aug 2020, at 11.00, Arjen de Korte <build+dove...@de-korte.org> wrote:
>>
>> I allow users to run 'doveadm' for mailbox maintenance (to expunge mail for
>> instance). Since the upgrade to 2.3.11.3, this no longer works and results
>> in the following error message:
>>
>> doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf
>> line 13: ssl_key: Can't open file /etc/ssl/private/de-korte.org.key:
>> Permission denied
>>
>> This is no surprise, as non-privileged users are not allowed to read the
>> private keys of the server. Question is, why is doveadm trying to read this
>> key in the first place (it is not needed for mailbox maintenance) and why is
>> it failing now?
>
> There were some ssl setting handling cleanups in v2.3.11, which caused this.
> I guess the proper fix for this would be to split SSL client settings and SSL
> server settings. So doveadm would still read the SSL client settings without
> trying to read the SSL server settings and failing there.

As a workaround, it should be possible to put the ssl_key into a separate config file and use !include_try for it. For example in dovecot.conf:

    !include_try ssl-keys.conf
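
The workaround described above, as an added example that is not part of the original message: a shell function that moves the top-level ssl_key line out of conf.d/10-ssl.conf into a mode 0600 ssl-keys.conf and adds the !include_try line to dovecot.conf. The function names, the example.org paths and the scratch-directory layout are assumptions; it relies on ssl-keys.conf being unreadable to unprivileged users, so their doveadm runs skip the file instead of trying to open the key.

```sh
#!/bin/sh
# Added example, not from the thread. Paths and names are assumptions based on
# the error message and the ssl-keys.conf file name used above.

# Move the top-level ssl_key setting out of conf.d/10-ssl.conf into a
# root-only ssl-keys.conf that dovecot.conf loads with !include_try.
split_ssl_key() {
    confdir=$1
    main="$confdir/dovecot.conf"
    src="$confdir/conf.d/10-ssl.conf"
    keys="$confdir/ssl-keys.conf"
    pat='^ssl_key[[:space:]]*='   # unindented only: leaves local_name {} blocks alone

    [ -f "$main" ] && [ -f "$src" ] || { echo "config not found in $confdir" >&2; return 1; }
    grep -Eq "$pat" "$src" || return 0        # nothing to move

    # Create the file with mode 0600 before any setting is written to it.
    ( umask 077 && grep -E "$pat" "$src" > "$keys" ) || return 1
    chmod 600 "$keys"                         # also tightens a pre-existing file

    # Drop the setting from the world-readable file, keeping its owner and mode.
    tmp=$(mktemp) || return 1
    sed "/$pat/d" "$src" > "$tmp" && cat "$tmp" > "$src"
    rc=$?; rm -f "$tmp"; [ "$rc" -eq 0 ] || return 1

    # Add the include once; an unreadable file is then skipped, not fatal.
    grep -Fxq '!include_try ssl-keys.conf' "$main" ||
        printf '%s\n' '!include_try ssl-keys.conf' >> "$main"
}

# Constructed sample configuration for trying the function in a scratch directory.
make_sample_conf() {
    mkdir -p "$1/conf.d"
    printf '%s\n' '!include conf.d/*.conf' > "$1/dovecot.conf"
    printf '%s\n' 'ssl = required' \
        'ssl_cert = </etc/ssl/certs/example.org.pem' \
        'ssl_key = </etc/ssl/private/example.org.key' > "$1/conf.d/10-ssl.conf"
}
```

On a real server the function would be run as root against the Dovecot configuration directory, after which `doveconf -n` as root should still list ssl_key.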