Comment 4 for bug 1991564

Michael Stilkerich (mstilkerich) wrote :

Hi Athos,

  I think the needed commit is 36ff43f. The ones before do some code refactorings without which this commit will not apply. The one commit after 36ff43f that I included in the list does some cleanup work (removing unneeded stuff) and should not strictly be needed.

Reproducing the issue is fairly simple:

- Do a dovecot configuration with SSL certificates, where the SSL key is only readable by the root user. These restrictive permissions on the SSL key should work per the dovecot configuration, as the server reads the files before dropping its privileges [1].

- For this, set the SSL settings like this:

ssl_cert = </some/path/fullchain.cer
ssl_key = </some/path/example.com.key

- Run doveadm as root, it should output the help text.

- Run doveadm as another user, e.g. the one set for mail_uid in the dovecot configuration (for me, this is the user vmail) - doveadm will not show the help text but die with an error like:

doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 12: ssl_key: Can't open file /some/path/example.com.key: Permission denied

That error will be gone if you apply the above commits to the 2.3.16 source (tried that). Whether there are any regressions I cannot tell though.

[1] https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/: "Dovecot opens both of these files while still running as root, so you don’t need to give Dovecot any special permissions to read them (in fact: do not give dovecot user any permissions to the key file)."
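As an added check for the setup described in the reproduction steps (an example script, not code from the bug report or from the dovecot project): it extracts the ssl_key path from a 10-ssl.conf fragment and reports whether the key is owner-only, which is the documented configuration under which unpatched 2.3.16 doveadm only works when run as root. The config file and key it writes are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a dovecot SSL config
# fragment for the root-only key permissions the dovecot docs recommend.
# Paths and file contents below are constructed sample data.

# Print the file path of each "ssl_key = </path" line in the given config.
ssl_key_paths() {
  awk '/^[ \t]*ssl_key[ \t]*=[ \t]*</ {
         sub(/^[^<]*</, ""); sub(/[ \t]+$/, ""); print }' "$1"
}

# Succeed (return 0) if group or others have the read bit on the file.
readable_beyond_owner() {
  case "$(ls -ld "$1" | cut -c1-10)" in
    ????r*|???????r*) return 0 ;;
  esac
  return 1
}

# Check every ssl_key in a config. Return 0 when all keys are owner-only
# (the documented setup, under which unpatched 2.3.16 doveadm must run as
# root), 1 when a key is readable by group/others, 2 when a key is missing.
check_dovecot_ssl_keys() {
  rc=0
  for path in $(ssl_key_paths "$1"); do
    if [ ! -f "$path" ]; then
      echo "ssl_key $path: not found"; rc=2
    elif readable_beyond_owner "$path"; then
      echo "ssl_key $path: readable by group/others, tighten to 0600"; rc=1
    else
      echo "ssl_key $path: owner-only (recommended; run doveadm as root)"
    fi
  done
  return $rc
}

# Write a constructed 10-ssl.conf plus a dummy key into $1; print the config path.
make_sample_config() {
  printf 'dummy' > "$1/example.com.key"
  chmod 600 "$1/example.com.key"
  printf 'ssl = required\nssl_cert = <%s/fullchain.cer\nssl_key = <%s/example.com.key\n' \
    "$1" "$1" > "$1/10-ssl.conf"
  echo "$1/10-ssl.conf"
}

tmp=$(mktemp -d)
check_dovecot_ssl_keys "$(make_sample_config "$tmp")"
rm -rf "$tmp"
```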