Dovecot won't start (Permission Denied)
Hi there,
Dovecot stopped working and I'm unable to restart it.
Error message:
Jun 09 09:59:42 dovecot[13359]: doveconf: Fatal: Error in configuration file /etc/dovecot/ssl.conf line 12: ssl_cert: Can't open file /etc/dovecot/ssl/dovecot.crt: Permission denied
The file is a symlink to: /var/cpanel/ssl/dovecot/mydovecot.crt
And this file is there and readable (as root).
I think it's because Dovecot is not starting as root any more. As I understand, Dovecot starts as root, reloads the SSL-Cert & other services and then drops permission to the "internal service user".
I have also tried to chmod the SSL cert & key files, so a non-root user can read them.
Then it will pass the checks, but will stop here (/var/run/dovecot is also only readable as root):
Jun 09 15:09:34 dovecot[27796]: Error: service(auth): unlink(/var/run/dovecot/auth-userdb) failed: Permission denied
Jun 09 15:09:34 dovecot[27796]: Error: service(auth): unlink(/var/run/dovecot/auth-master) failed: Permission denied
Jun 09 15:09:34 dovecot[27796]: Error: service(auth-worker): unlink(/var/run/dovecot/auth-worker) failed: Permission denied
Jun 09 15:09:34 dovecot[27796]: Error: service(anvil): unlink(/var/run/dovecot/anvil) failed: Permission denied
Jun 09 15:09:34 dovecot[27796]: Error: service(anvil): unlink(/var/run/dovecot/anvil-auth-penalty) failed: Permission denied
Jun 09 15:09:34 dovecot[27796]: Error: service(quota-status): unlink(/var/run/dovecot/quota-status) failed: Permission denied
Jun 09 15:09:34 dovecot[27796]: Fatal: Failed to start listeners
Jun 09 15:09:34 systemd[1]: dovecot.service: main process exited, code=exited, status=89/n/a
Jun 09 15:09:34 systemd[1]: Unit dovecot.service entered failed state.
Jun 09 15:09:34 systemd[1]: dovecot.service failed.
So I really think it's because Dovecot is not starting as root anymore. How can I change this behaviour? It was working before.
I have another Dovecot installation and the permissions and the config files are exactly the same...
OS: CentOS v7.9.2009 STANDARD standard
cPanel Version: 110.0.7
Thank you :)
Can you let me know the permissions on the file? It should be 640.
/etc/dovecot/ssl/dovecot.crt should be a symlink to /var/cpanel/ssl/dovecot/mydovecot.crt, and THAT file should be as follows:
-rw-rw---- 1 root wheel 6.1K May 6 19:17 /var/cpanel/ssl/dovecot/mydovecot.crt
Interesting - on AlmaLinux 8 I just see the file, with no symlink, and 640.
Weird - I checked my CentOS 7/Alma8/CL8 servers and all of mine are symlinks.
Whoohoo, thanks for all the replies :). All of the files in the dovecot error message are there and I can read these files as root. Here are the directory listings. Everything exactly like on my other machine...

/var/cpanel/ssl/dovecot
total 44
drwxr-xr-x. 2 root root 4096 Jun 9 14:59 .
drwxr-xr-x. 11 root root 4096 Jun 9 10:16 ..
-rw-rw----. 1 root wheel 1468 May 11 15:24 dovecot.crt
-rw-rw----. 1 root wheel 3729 May 11 15:25 dovecot.crt.cache
-rw-rw----. 1 root wheel 1675 May 11 15:24 dovecot.key
-rw-rw----. 1 root wheel 6196 Jun 9 10:16 mydovecot.crt
-rw-rw----. 1 root wheel 8915 May 13 19:28 mydovecot.crt.cache
-rw-rw----. 1 root wheel 1679 Jun 9 10:16 mydovecot.key

/etc/dovecot
[root@ dovecot]# ls -l
total 92
-rw-r-----. 1 root root 101 Jun 9 10:16 auth_policy.conf
-rw-r--r--. 1 root root 424 Jul 27 2022 dh.pem
-rw-r--r--. 1 root root 51622 Jun 9 16:14 dovecot.conf
-rw-r--r--. 1 root root 424 Jul 27 2022 ffdhe2048.pem
-rw-r--r--. 1 root root 603 Jul 27 2022 ffdhe3072.pem
-rw-r--r--. 1 root root 769 Jul 27 2022 ffdhe4096.pem
-rw-r-----. 1 root root 4382 Jun 9 16:27 sni.conf
drwxr-xr-x. 3 root root 4096 Jun 9 15:00 ssl
-rw-r-----. 1 root root 2625 Jun 9 15:27 ssl.conf

/etc/dovecot/ssl
[root@ ssl]# ls -l
total 28
lrwxrwxrwx. 1 root root 37 May 12 17:26 dovecot.crt -> /var/cpanel/ssl/dovecot/mydovecot.crt
-rw-r--r--. 1 root root 8915 Jun 9 10:16 dovecot.crt.cache
lrwxrwxrwx. 1 root root 37 May 12 17:26 dovecot.key -> /var/cpanel/ssl/dovecot/mydovecot.key
-rw-r-----. 1 root root 6196 Jun 9 13:27 dovecottest.crt
-rw-r-----. 1 root root 1679 Jun 9 13:28 dovecottest.key

/var/run/dovecot
[root@ dovecot]# ls -l
total 4
srw-------. 1 root root 0 Jun 9 14:52 anvil
srw-------. 1 root root 0 Jun 9 14:52 anvil-auth-penalty
srw-rw-rw-. 1 dovecot root 0 Jun 9 14:52 auth-client
srw-------. 1 dovecot root 0 Jun 9 14:52 auth-login
srw-------. 1 root root 0 Jun 9 14:52 auth-master
-rw-------. 1 root root 32 Jun 9 13:29 auth-token-secret.dat
srw-rw-rw-. 1 dovecot root 0 Jun 9 14:52 auth-userdb
srw-------. 1 dovecot root 0 Jun 9 14:52 auth-worker
srw-------. 1 root root 0 Jun 9 14:52 config
srw-rw----. 1 root dovecot 0 Jun 9 14:52 dict
srw-rw----. 1 root dovecot 0 Jun 9 14:52 dict-async
srw-------. 1 root root 0 Jun 9 14:52 director-admin
srw-rw-rw-. 1 root root 0 Jun 9 14:52 dns-client
srw-------. 1 root root 0 Jun 9 14:52 doveadm-server
lrwxrwxrwx. 1 root root 25 Jun 9 14:52 dovecot.conf -> /etc/dovecot/dovecot.conf
drwxr-xr-x. 2 root root 40 Jun 9 13:29 empty
srw-rw----. 1 root dovecot 0 Jun 9 14:52 imap-hibernate
srw-------. 1 dovecot root 0 Jun 9 14:52 imap-master
srw-rw-rw-. 1 root root 0 Jun 9 14:52 imap-urlauth
srw-------. 1 dovecot root 0 Jun 9 14:52 imap-urlauth-worker
srw-rw-rw-. 1 root root 0 Jun 9 14:52 indexer
srw-------. 1 dovecot root 0 Jun 9 14:52 indexer-worker
srw-------. 1 dovecot root 0 Jun 9 14:52 ipc
srw-rw----. 1 mailnull mail 0 Jun 9 14:52 lmtp
srw-------. 1 root root 0 Jun 9 14:52 log-errors
drwxr-x---. 2 root dovenull 160 Jun 9 14:52 login
srw-------. 1 root root 0 Jun 9 14:52 master
srw-------. 1 root root 0 Jun 9 14:52 old-stats
prw-------. 1 root root 0 Jun 9 14:52 old-stats-mail
prw-------. 1 root root 0 Jun 9 14:52 old-stats-user
srw-rw-rw-. 1 root root 0 Jun 9 14:52 quota-status
srw-------. 1 root root 0 Jun 9 14:52 replication-notify
prw-------. 1 root root 0 Jun 9 14:52 replication-notify-fifo
srw-------. 1 dovecot root 0 Jun 9 14:52 replicator
srw-------. 1 root root 0 Jun 9 14:52 stats-reader
srw-rw-rw-. 1 root dovecot 0 Jun 9 14:52 stats-writer
drwxr-x---. 2 root dovenull 80 Jun 9 14:52 token-login

[root@ dovecot]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
...
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:986:983:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
....

When I replace the ssl files so that normal users have access, dovecot won't start either because of the other "permission denied" errors above.
I think it's because dovecot is not starting as root, initializing and then dropping into the dovecot user (which is the normal behaviour).
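An added example, not part of the thread and not cPanel or Dovecot code: a Python check that follows a path such as /etc/dovecot/ssl/dovecot.crt through its symlink and reports, for a given user, which directory or file the classic mode bits would refuse. The function names (`allowed`, `walk`, `first_denied`) are hypothetical, and only owner/group/other bits are evaluated, not ACLs or SELinux policy.

```python
import os
import stat

def allowed(st, uid, gids, want):
    """Classic mode-bit check; want is 4 (read) or 1 (directory search)."""
    if uid == 0:
        return True                 # root bypasses mode bits for read and search
    if st.st_uid == uid:
        bits = st.st_mode >> 6      # owner triplet
    elif st.st_gid in gids:
        bits = st.st_mode >> 3      # group triplet
    else:
        bits = st.st_mode           # "other" triplet
    return (bits & want) == want

def walk(path, uid, gids):
    """Follow path one component at a time, resolving symlinks, and return
    (path, mode, owner_uid, group_gid, ok) for every directory that must be
    searched and for the final file that must be read."""
    todo = [p for p in os.path.abspath(path).split("/") if p]
    cur, rows, hops = "/", {}, 0
    while todo:
        st = os.stat(cur)
        rows[cur] = (cur, stat.filemode(st.st_mode), st.st_uid, st.st_gid,
                     allowed(st, uid, gids, 1))
        nxt = os.path.normpath(os.path.join(cur, todo.pop(0)))
        if os.path.islink(nxt):
            hops += 1
            if hops > 40:
                raise OSError("too many levels of symbolic links: " + path)
            target = os.readlink(nxt)
            todo = [p for p in target.split("/") if p] + todo
            if target.startswith("/"):
                cur = "/"           # absolute target: restart from the root
        else:
            cur = nxt
    st = os.stat(cur)
    rows[cur] = (cur, stat.filemode(st.st_mode), st.st_uid, st.st_gid,
                 allowed(st, uid, gids, 4))
    return list(rows.values())

def first_denied(rows):
    """First component the given identity cannot pass, or None."""
    return next((r for r in rows if not r[4]), None)

if __name__ == "__main__":
    import pwd, sys                 # usage: script.py PATH USERNAME
    pw = pwd.getpwnam(sys.argv[2])
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    for row in walk(sys.argv[1], pw.pw_uid, gids):
        print(*row)
```

Run it as root with the certificate path and a user name to compare what root and the service user can reach. The trailing `.` after each mode in the listings above means the files also carry an SELinux context, which this check does not look at.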
How are you restarting? I assume you're doing this as root, but are you using the service/systemctl commands, or are you using /scripts/restartsrv_dovecot ?
Yes, as root and then: systemctl start dovecot, tried it from the WHM web portal ("restart imap server"), and I tried restarting the whole server.
As a last-ditch effort, you can reinstall dovecot to make sure it's set up "clean":

yum remove cpanel-dovecot (this will also in turn remove exim, but not its config templates)
mv /var/cpanel/ssl/dovecot /var/cpanel/ssl/old-dovecot
/scripts/setupmailserver --force dovecot
/scripts/builddovecotconf
/scripts/restartsrv_dovecot
/scripts/buildeximconf
/scripts/restartsrv_exim

In WHM, replace service certificate if needed.
Hi Vanessa, good idea. Will try this next week (not on a Friday :) ). I made another attempt with executing dovecot directly from shell as root with "/usr/sbin/dovecot -F -c /etc/dovecot/dovecot.conf" and it's working! Strange, hm?

ps aux | grep dovecot
root 31695 0.5 0.0 169868 13000 ? S 19:07 0:00 /usr/local/cpanel/scripts/restartsrv_dovecot --restart --hard --attempt117
root 33436 0.6 0.0 51624 2452 pts/0 S+ 19:08 0:00 /usr/sbin/dovecot -F -c /etc/dovecot/dovecot.conf
dovenull 33440 0.0 0.0 46744 3532 pts/0 S+ 19:08 0:00 dovecot/pop3-login
dovenull 33441 0.0 0.0 46752 3532 pts/0 S+ 19:08 0:00 dovecot/imap-login
dovecot 33442 0.0 0.0 10312 1308 pts/0 S+ 19:08 0:00 dovecot/anvil
root 33443 0.0 0.0 10444 1220 pts/0 S+ 19:08 0:00 dovecot/log
dovenull 33444 0.0 0.0 46744 3532 pts/0 S+ 19:08 0:00 dovecot/pop3-login
dovenull 33445 0.0 0.0 46752 3536 pts/0 S+ 19:08 0:00 dovecot/imap-login
root 33446 0.0 0.0 17676 4868 pts/0 S+ 19:08 0:00 dovecot/config
dovecot 33447 0.0 0.0 13428 1564 pts/0 S+ 19:08 0:00 dovecot/stats
dovecot 33448 0.0 0.0 41184 2784 pts/0 S+ 19:08 0:00 dovecot/auth
root 33497 0.0 0.0 112812 972 pts/1 S+ 19:08 0:00 grep --color=auto dovecot

In the WHM web portal it still says "down":
Home / Server Status / Service Status:
imap 2.3.19 down
lmtp 2.3.19 down
pop 2.3.19 down

And it's been killed after a few minutes (as expected) by the script /usr/local/cpanel/scripts/restartsrv_dovecot --restart --hard --attempt117
Something's wonky on your system for sure, just hard to tell without messing around in there myself. Are you running Cloudlinux w/cagefs?