Dovecot not working over ssl in 11.4

I use dovecot as an IMAP server for mail clients on my local machine. This worked fine in 11.3 but on 11.4 the authentication doesn’t seem to work - my mail client just can’t connect to the dovecot server.

I get errors like this in the /var/log/mail:

Mar 21 12:49:46 triton dovecot: dovecot: link(/var/lib/dovecot/ssl-parameters.dat, /var/run/dovecot/login/ssl-parameters.dat.tmp) failed: Permission denied
Mar 21 12:49:46 triton dovecot: dovecot: Generating Diffie-Hellman parameters for the first time. This may take a while..
Mar 21 12:50:12 triton dovecot: ssl-build-param: SSL parameters regeneration completed
Mar 21 12:50:12 triton dovecot: dovecot: link(/var/lib/dovecot/ssl-parameters.dat, /var/run/dovecot/login/ssl-parameters.dat.tmp) failed: Permission denied
Mar 21 12:50:12 triton dovecot: dovecot: file_copy(/var/lib/dovecot/ssl-parameters.dat, /var/run/dovecot/login/ssl-parameters.dat) failed: No such file or directory

My configuration is:

# 1.2.16: /etc/dovecot/dovecot.conf
Error: setmntent(/etc/mtab) failed: Permission denied
# OS: Linux 2.6.37.1-1.2-desktop x86_64  
protocols: imaps
listen: 127.0.0.1
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mail_location: mbox:/home/%u/Mail:INBOX=/home/%u/Mail/main
lda:
  postmaster_address: postmaster@example.com
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd

I found the problem - AppArmor. I used the AppArmor module in YAST to set everything to ‘complain’ (i.e. log stuff but don’t block anything) and it worked.

I’ve filed a bug to try to get AppArmor fixed: https://bugzilla.novell.com/show_bug.cgi?id=681267

On 2011-03-21 14:36, tk83 wrote:
>
> I found the problem - AppArmor. I used the AppArmor module in YAST to
> set everything to ‘complain’ (i.e. log stuff but don’t block anything)
> and it worked.

That mode will fill your logs if you leave it.

> I’ve filed a bug to try to get AppArmor fixed:
> https://bugzilla.novell.com/show_bug.cgi?id=681267

Fix it yourself: yast, update profile wizard.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

The profile wizard only creates rules very specific to my machine and the paths on it.

The fact is that as shipped 11.4 can’t run dovecot because of a broken AppArmor profile, that’s a bug and should be fixed.

On 2011-03-21 16:06, tk83 wrote:
>
> The profile wizard only creates rules very specific to my machine and
> the paths on it.
>
> The fact is that as shipped 11.4 can’t run dovecot because of a broken
> AppArmor profile, that’s a bug and should be fixed.

Are you sure the profile came from openSUSE? I have dovecot installed, an
earlier version, and I don’t see an AA profile.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

Yes, I didn’t install anything to do with AppArmor manually, so all the setup comes from the default openSUSE install:

rpm -ql apparmor-profiles-2.5.1.r1445-52.55.1.x86_64 | grep dove
/etc/apparmor.d/usr.lib.dovecot.deliver
/etc/apparmor.d/usr.lib.dovecot.dovecot-auth
/etc/apparmor.d/usr.lib.dovecot.imap
/etc/apparmor.d/usr.lib.dovecot.imap-login
/etc/apparmor.d/usr.lib.dovecot.managesieve-login
/etc/apparmor.d/usr.lib.dovecot.pop3
/etc/apparmor.d/usr.lib.dovecot.pop3-login
/etc/apparmor.d/usr.sbin.dovecot

Same here.

With AppArmor enabled, dovecot does not even start. :’(

With AppArmor disabled, dovecot works fine.

It looks like the dovecot AppArmor profiles shipped with openSUSE 11.4
are totally broken.

On 2011-03-27 20:36, cko wrote:
>
> Same here.

Then add yourself to the bugzilla…


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)
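
Added example, not part of any post in this thread: a way to see which profile and path AppArmor is refusing, so that only the affected dovecot profile needs attention instead of switching every profile to complain mode. The audit records below are constructed for illustration (the profile and paths mirror the ones named in the thread; the permission masks and the function names are assumptions).

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread) in the key="value" format
# AppArmor writes to the audit log (normally /var/log/audit/audit.log).
# Profile names and paths mirror the thread; the masks are assumptions.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1300711786.101:41): apparmor="DENIED" operation="link" parent=1 profile="/usr/sbin/dovecot" name="/var/run/dovecot/login/ssl-parameters.dat.tmp" pid=2101 comm="dovecot" requested_mask="l" denied_mask="l" fsuid=0 ouid=0
type=AVC msg=audit(1300711812.220:42): apparmor="DENIED" operation="link" parent=1 profile="/usr/sbin/dovecot" name="/var/run/dovecot/login/ssl-parameters.dat.tmp" pid=2101 comm="dovecot" requested_mask="l" denied_mask="l" fsuid=0 ouid=0
type=AVC msg=audit(1300711812.305:43): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/dovecot/imap-login" name="/var/run/dovecot/login/ssl-parameters.dat" pid=2102 comm="imap-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1300711820.007:44): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/dovecot" name="/etc/mtab" pid=2110 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Return the key/value fields of one audit record as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def missing_access(lines, mode="DENIED"):
    """Map profile -> {path: set of permission letters} for records in `mode`.

    mode="DENIED" covers enforced profiles; mode="ALLOWED" covers what a
    profile in complain mode would have blocked.
    """
    needed = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_record(line)
        if rec.get("apparmor") != mode or "name" not in rec:
            continue
        # Older releases pad the mask (e.g. "r::"), so keep letters only.
        perms = {c for c in rec.get("denied_mask", "") if c.isalpha()}
        needed[rec.get("profile", "?")][rec["name"]].update(perms)
    return needed

def candidate_rules(needed):
    """Render de-duplicated denials as 'profile: path perms,' lines for review."""
    return [f"{profile}: {path} {''.join(sorted(needed[profile][path]))},"
            for profile in sorted(needed)
            for path in sorted(needed[profile])]

if __name__ == "__main__":
    for rule in candidate_rules(missing_access(SAMPLE_AUDIT.splitlines())):
        print(rule)
```

Each output line names the profile to edit and the path and permission it lacks; review them before adding anything to a profile, since a denial can also be the profile doing its job.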