Dovecot doesn't like the smtpd.cert file for some reason.

Discussion in 'HOWTO-Related Questions' started by Marc Chamberlin, Jun 17, 2018.

  1. Marc Chamberlin

    Marc Chamberlin New Member

    I found this question previously posted by regcom but unfortunately it appears he never got a reply. I am facing the exact same issue so will repost his question. I am running on OpenSuSE Leap 42.3 x64 bit system.

    I used the tutorial "The Perfect Server - OpenSUSE 13.1 x86_64 (Apache2, MySQL, PHP, Postfix, Dovecot and ISPConfig 3)."
    Opening the ISPConfig monitor I found that the IMAP and POP3 services are not active.
    I tried to start dovecot but I get the following error message:
    "doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 7: ssl_cert: /etc/postfix/smtpd.cert Can not open file: Permission denied"

    Till requested the output from an ls command, here is what I got -

    bigbang:/etc/postfix # ls -la /etc/postfix/smtpd.cert
    -rw-r--r-- 1 root root 1424 Jun 16 16:04 /etc/postfix/smtpd.cert

    I tried doing a chmod 0777 smtpd.cert, just for grins, but no joy. Any ideas?
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What is in dovecot.conf at line 7? Can you show first 10 lines of dovecot.conf?
     
  3. Marc Chamberlin

    Marc Chamberlin New Member

    Sure can -

    listen = *,[::]
    protocols = imap pop3
    auth_mechanisms = plain login
    disable_plaintext_auth = no
    log_timestamp = "%Y-%m-%d %H:%M:%S "
    mail_privileged_group = vmail
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key
    ssl_protocols = !SSLv2 !SSLv3
    passdb {
    args = /etc/dovecot/dovecot-sql.conf
    driver = sql
    }
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What are the permissions on directory /etc/dovecot? Should be
    Code:
    # ls -ldh /etc/dovecot/
    drwxr-xr-x 4 root root 4,0K joulu  8  2017 /etc/dovecot/
    
     
  5. Marc Chamberlin

    Marc Chamberlin New Member

    ls -ldh dovecot
    drwxr-xr-x 3 root root 4.0K Jun 16 16:31 dovecot
     
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    My mistake, should have been /etc/postfix, there the permission was denied.
    Also, are you using Selinux? Or used chattr?
     
  7. Marc Chamberlin

    Marc Chamberlin New Member

    ls -ldh postfix
    drwxr-xr-x 5 root root 4.0K Jun 16 16:19 postfix

    No not using Selinux afaik, this is on a basic OpenSuSE Leap 42.3 system. I use chmod to change file attributes, never used chattr though I see it is installed on my system...
     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    That permission denied is strange, every user should be able to read that file.
    How are you starting dovecot? Try debugging it, if it is systemd you use on that OpenSUSE try googling for systemd debugging. I suspect the problem is not permissions on that file, but something else entirely.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Permissions look fine to me. Which dovecot version do you use?
     
  10. Marc Chamberlin

    Marc Chamberlin New Member

    dovecot --version
    2.2.31 (65cde28)
     
  11. Marc Chamberlin

    Marc Chamberlin New Member

    If I start dovecot manually from a command line I give this command -
    systemctl start dovecot.service
    or
    systemctl restart dovecot.service

    The dovecot.service file is configured as -

    bigbang:/usr/lib/systemd/system # cat dovecot.service
    [Unit]
    Description=Dovecot IMAP/POP3 email server
    After=local-fs.target network.target

    [Service]
    Type=simple
    ExecStart=/usr/sbin/dovecot -F
    ExecReload=/usr/bin/doveadm reload
    NonBlocking=yes

    [Install]
    WantedBy=multi-user.target
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    The config file syntax should be ok for that dovecot version. Did you check that the file /etc/postfix/smtpd.cert is not empty?
     
  13. Marc Chamberlin

    Marc Chamberlin New Member

    more smtpd.cert
    -----BEGIN CERTIFICATE-----
    MIID7zCCAtegAwIBAgIJALu8c2HB+WS6MA0GCSqGSIb3DQEBCwUAMIGNMQswCQYD
    VQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjESMBAGA1UEBwwJV2FzaG91Z2Fs
    MRMwEQYDVQQKDApDaGFtYmVybGluMRgwFgYDVQQDDA9NYXJjIENoYW1iZXJsaW4x
    ...
     
  14. Marc Chamberlin

    Marc Chamberlin New Member

  15. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Have you set a password to the SSL key? What happens if you stop dovecot and then issue command
    Code:
    dovecot -p
     
  16. Marc Chamberlin

    Marc Chamberlin New Member

    Hi Taleman, No I have not set a password to the SSL key AFAIK.... Since dovecot cannot start there is nothing I can do to stop it so issuing the command you suggest gives -
    Code:
    dovecot -p
    doveconf: Warning: /etc/dovecot/dovecot.conf line 63: Global setting mail_plugins won't change the setting inside an earlier filter at /etc/dovecot/dovecot.conf line 50 (if this is intentional, avoid this warning by moving the global setting before /etc/dovecot/dovecot.conf line 50)
    doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 7: ssl_cert: Can't open file /etc/postfix/smtpd.cert: Permission denied
    FYI - The warning message is caused by the ispconfig script misplacing the declaration of the mail_plugins = $mail_plugins quota line. I keep fixing it manually but every time I run the ispconfig script it causes dovecot to give this warning message.
     
  17. Marc Chamberlin

    Marc Chamberlin New Member

    I have made some progress on solving this and tracked down the problem to apparmor which is some sort of application based security system. I claim no expertise about this thing but hacked the following files in /etc/apparmor.d - usr.lib.dovecot.auth, usr.lib.dovecot.config, usr.lib.dovecot.imap and usr.lib.dovecot.pop3 and added the following permission -
    Code:
      /etc/postfix/* r,
    
    to each of these files. I admit that I am way out of my comfort zone here, having never dealt with apparmor before, so would appreciate a more definitive solution from someone who understands apparmor better than I do. :confused:
     
  18. Marc Chamberlin

    Marc Chamberlin New Member

    Incidentally, when I start the dovecot service and check its status I now get the following output. I don't know why I am getting the two error messages about missing file or directory, but at least dovecot is now able to run.
    Code:
    rcdovecot status
    * dovecot.service - Dovecot IMAP/POP3 email server
       Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; vendor preset: disabled)
       Active: active (running) since Sun 2018-07-01 12:41:09 PDT; 4s ago
     Main PID: 21801 (dovecot)
        Tasks: 4 (limit: 512)
       CGroup: /system.slice/dovecot.service
               |-21801 /usr/sbin/dovecot -F
               |-21806 dovecot/anvil
               |-21807 dovecot/log
               `-21809 dovecot/config
    
    Jul 01 12:41:09 bigbang systemd[1]: Started Dovecot IMAP/POP3 email server.
    Jul 01 12:41:09 bigbang dovecot[21801]: doveconf: Warning: /etc/dovecot/dovecot.conf line 63: Global setting mail_plugins won't change the setting inside an earlier filter at /etc/dovecot/dovecot.conf line 50 (if this is intentional, avoid this warning by moving the global setting before /etc/dovecot/dovecot.conf line 50)
    Jul 01 12:41:09 bigbang dovecot[21801]: doveconf: Warning: /etc/dovecot/dovecot.conf line 63: Global setting mail_plugins won't change the setting inside an earlier filter at /etc/dovecot/dovecot.conf line 50 (if this is intentional, avoid this warning by moving the global setting before /etc/dovecot/dovecot.conf line 50)
    Jul 01 12:41:09 bigbang dovecot[21801]: master: Dovecot v2.2.31 (65cde28) starting up for imap, pop3 (core dumps disabled)
    Jul 01 12:41:09 bigbang dovecot[21801]: master: Error: fstat(/var/lib/dovecot/instances.lock) failed: No such file or directory
    Jul 01 12:41:09 bigbang dovecot[21801]: master: Error: file_dotlock_open(/var/lib/dovecot/instances) failed: No such file or directory
    Jul 01 12:41:09 bigbang dovecot[21807]: doveconf: Warning: /etc/dovecot/dovecot.conf line 63: Global setting mail_plugins won't change the setting inside an earlier filter at /etc/dovecot/dovecot.conf line 50 (if this is intentional, avoid this warning by moving the global setting before /etc/dovecot/dovecot.conf line 50)
    Jul 01 12:41:09 bigbang dovecot[21807]: config: Warning: /etc/dovecot/dovecot.conf line 63: Global setting mail_plugins won't change the setting inside an earlier filter at /etc/dovecot/dovecot.conf line 50 (if this is intentional, avoid this warning by moving the global setting before /etc/dovecot/dovecot.conf line 50)
     
  19. Marc Chamberlin

    Marc Chamberlin New Member

    I was given the following suggestion from the opensuse users news group to store certificates in the location meant for them - /etc/ssl/private instead of in /etc/postfix. This way apparmor profiles for dovecot would not need the modifications that I made to get things working. Perhaps that would be a better location for ISPConfig to place the certificate files it needs?
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer
