Unexpected permissions issue with Dovecot

Hello - I am trying to install/configure Dovecot and Postfix on my server running OpenSuSE Leap 42.3 x64 and am running into a perplexing permissions issue that I need help with to resolve.

Dovecot is configured to use a certificate file as shown here -

bigbang:/etc/dovecot # cat dovecot.conf
listen = *,::]
protocols = imap pop3
auth_mechanisms = plain login
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = vmail
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
ssl_protocols = !SSLv2 !SSLv3
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql


and when I start up the dovecot daemon I am getting the following error message -

"doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf  line 7: ssl_cert: /etc/postfix/smtpd.cert Can not open file: Permission  denied"

There was nothing unusual done in creating the certificates and no password requirement was set to use it. It was simply generated locally on my server, not supplied from a certificate authority.

Looking at directory and file permissions does not show anything either -

ls -ald /etc/postfix
drwxr-xr-x 5 root root 4096 Jun 16 16:19 /etc/postfix

 ls -al /etc/postfix/smtpd.cert
-rw-r--r-- 1 root root 1424 Jun 16 16:04 /etc/postfix/smtpd.cert

Any ideas on how to debug this and track down what is the real issue? Thanks in advance, Marc…

Ping? Any thoughts anyone?

I will walk you through my steps to try and reproduce your error.

NOTE: Do not accept this solution as a completely secure working dovecot/postix configuration. It only hopefully gets you past your cert error.

  1. Basic leap 42.3 install with configured network setting
  2. Fully patched
  3. reboot
  4. Install dovecot
  5. systemctl enable dovecot.service
  6. reboot
  7. Checked to insure dovecot and postfix were sane: systemctl status dovecot.service and systemctl status postfix
  8. mkdir /etc/dovecot/private
  9. mkdir /root/certs
  10. cd /root/certs
  11. Performed steps 1 through 7 from the link below. Do not do step 8 or 9.
  12. Modified /etc/dovecot/conf.d/10-ssl.conf by uncommenting or modifying these lines:

ssl = yes

ssl_cert = </etc/dovecot/private/dovecot.crt
ssl_key = </etc/dovecot/private/dovecot.key

  1. Modified /etc/postfix/main.cf

smtpd_use_tls = yes

smtpd_tls_cert_file = /etc/dovecot/private/dovecot.crt
smtpd_tls_key_file = /etc/dovecot/private/dovecot.key

  1. Rebooted
  2. Checked to insure dovecot and postfix were sane: systemctl status dovecot.service and systemctl status postfix

Hope that helps to get you over the roadblock you hit.


Thanks d3vnull, I have made some progress on solving this and tracked down the problem to apparmor which is some sort of application based security system. (How I wish Linux followed KISS principals, this appears to be yet another security layer on top of the chmod/chown layer, and not an intuitive/obvious thing either especially since it is not exposed by ls -al.) I claim no expertise about this thing but hacked the following files in /etc/apparmor.d - usr.lib.dovecot.auth, usr.lib.dovecot.config, usr.lib.dovecot.imap and usr.lib.dovecot.pop3 and added the following permission -

  /etc/postfix/* r,

to each of these files. I admit that I am way out of my comfort zone here, having never dealt with apparmor before, so would appreciate a more definitive solution from someone who understands apparmor better than I do. https://www.howtoforge.com/community/styles/default/xenforo/clear.png

dovecot can read /etc/ssl through an include statement in it’s Apparmor profile:

#include <abstractions/ssl_keys>

Store your certificates in /etc/ssl/private and you should not need to modify the dovecot Apparmor profile.

You can read the original bug report where that is explained to me.

I have also filed a separate bug report on the README.SUSE instructions being incorrect, but I am not sure you were following it anyway :wink: