Dovecot won't start (Permission Denied)

Tobi Tobsen

Registered
Jun 9, 2023
4
0
1
Germany
cPanel Access Level
Root Administrator
Hi there,

Dovecot stopped working and I'm unable to restart it.

Error message:
Jun 09 09:59:42 <servername> dovecot[13359]: doveconf: Fatal: Error in configuration file /etc/dovecot/ssl.conf line 12: ssl_cert: Can't open file /etc/dovecot/ssl/dovecot.crt: Permission denied

The file is a symlink to: /var/cpanel/ssl/dovecot/mydovecot.crt
And this file is there and readable (as root).

I think it's because Dovecot is not starting as root anymore. As I understand, Dovecot starts as root, reloads the SSL-Cert & other services and then drops permission to the "internal service user".

I have also tried to chmod the ssl cs&key-file, so a non-root user can read it.

Then it will pass the checks, but will stop here (the /var/run/dovecot is also only readable as root):

Jun 09 15:09:34 <servername> dovecot[27796]: Error: service(auth): unlink(/var/run/dovecot/auth-userdb) failed: Permission denied
Jun 09 15:09:34 <servername> dovecot[27796]: Error: service(auth): unlink(/var/run/dovecot/auth-master) failed: Permission denied
Jun 09 15:09:34 <servername> dovecot[27796]: Error: service(auth-worker): unlink(/var/run/dovecot/auth-worker) failed: Permission denied
Jun 09 15:09:34 <servername> dovecot[27796]: Error: service(anvil): unlink(/var/run/dovecot/anvil) failed: Permission denied
Jun 09 15:09:34 <servername> dovecot[27796]: Error: service(anvil): unlink(/var/run/dovecot/anvil-auth-penalty) failed: Permission denied
Jun 09 15:09:34 <servername> dovecot[27796]: Error: service(quota-status): unlink(/var/run/dovecot/quota-status) failed: Permission denied
Jun 09 15:09:34 <servername> dovecot[27796]: Fatal: Failed to start listeners
Jun 09 15:09:34 <servername> systemd[1]: dovecot.service: main process exited, code=exited, status=89/n/a
Jun 09 15:09:34 <servername> systemd[1]: Unit dovecot.service entered failed state.
Jun 09 15:09:34 <servername> systemd[1]: dovecot.service failed.

So I really think it's because Dovecot is not starting as root anymore. How can I change this behaviour? It was working before.

I have another Dovecot installation and the permissions and the config files are exactly the same...

OS: CentOS v7.9.2009 STANDARD standard
cPanel Version: 110.0.7

Thank you :)
 

Tobi Tobsen

Whoohoo, thanks for all the replies :).

All of the files in the dovecot error message are there and I can read these files as root.

Here are the directory listings. Everything exactly like on my other machine...

/var/cpanel/ssl/dovecot
total 44
drwxr-xr-x. 2 root root 4096 Jun 9 14:59 .
drwxr-xr-x. 11 root root 4096 Jun 9 10:16 ..
-rw-rw----. 1 root wheel 1468 May 11 15:24 dovecot.crt
-rw-rw----. 1 root wheel 3729 May 11 15:25 dovecot.crt.cache
-rw-rw----. 1 root wheel 1675 May 11 15:24 dovecot.key
-rw-rw----. 1 root wheel 6196 Jun 9 10:16 mydovecot.crt
-rw-rw----. 1 root wheel 8915 May 13 19:28 mydovecot.crt.cache
-rw-rw----. 1 root wheel 1679 Jun 9 10:16 mydovecot.key

/etc/dovecot
[root@ dovecot]# ls -l
total 92
-rw-r-----. 1 root root 101 Jun 9 10:16 auth_policy.conf
-rw-r--r--. 1 root root 424 Jul 27 2022 dh.pem
-rw-r--r--. 1 root root 51622 Jun 9 16:14 dovecot.conf
-rw-r--r--. 1 root root 424 Jul 27 2022 ffdhe2048.pem
-rw-r--r--. 1 root root 603 Jul 27 2022 ffdhe3072.pem
-rw-r--r--. 1 root root 769 Jul 27 2022 ffdhe4096.pem
-rw-r-----. 1 root root 4382 Jun 9 16:27 sni.conf
drwxr-xr-x. 3 root root 4096 Jun 9 15:00 ssl
-rw-r-----. 1 root root 2625 Jun 9 15:27 ssl.conf

/etc/dovecot/ssl
[root@ ssl]# ls -l
total 28
lrwxrwxrwx. 1 root root 37 May 12 17:26 dovecot.crt -> /var/cpanel/ssl/dovecot/mydovecot.crt
-rw-r--r--. 1 root root 8915 Jun 9 10:16 dovecot.crt.cache
lrwxrwxrwx. 1 root root 37 May 12 17:26 dovecot.key -> /var/cpanel/ssl/dovecot/mydovecot.key
-rw-r-----. 1 root root 6196 Jun 9 13:27 dovecottest.crt
-rw-r-----. 1 root root 1679 Jun 9 13:28 dovecottest.key


/var/run/dovecot
[root@ dovecot]# ls -l
total 4
srw-------. 1 root root 0 Jun 9 14:52 anvil
srw-------. 1 root root 0 Jun 9 14:52 anvil-auth-penalty
srw-rw-rw-. 1 dovecot root 0 Jun 9 14:52 auth-client
srw-------. 1 dovecot root 0 Jun 9 14:52 auth-login
srw-------. 1 root root 0 Jun 9 14:52 auth-master
-rw-------. 1 root root 32 Jun 9 13:29 auth-token-secret.dat
srw-rw-rw-. 1 dovecot root 0 Jun 9 14:52 auth-userdb
srw-------. 1 dovecot root 0 Jun 9 14:52 auth-worker
srw-------. 1 root root 0 Jun 9 14:52 config
srw-rw----. 1 root dovecot 0 Jun 9 14:52 dict
srw-rw----. 1 root dovecot 0 Jun 9 14:52 dict-async
srw-------. 1 root root 0 Jun 9 14:52 director-admin
srw-rw-rw-. 1 root root 0 Jun 9 14:52 dns-client
srw-------. 1 root root 0 Jun 9 14:52 doveadm-server
lrwxrwxrwx. 1 root root 25 Jun 9 14:52 dovecot.conf -> /etc/dovecot/dovecot.conf
drwxr-xr-x. 2 root root 40 Jun 9 13:29 empty
srw-rw----. 1 root dovecot 0 Jun 9 14:52 imap-hibernate
srw-------. 1 dovecot root 0 Jun 9 14:52 imap-master
srw-rw-rw-. 1 root root 0 Jun 9 14:52 imap-urlauth
srw-------. 1 dovecot root 0 Jun 9 14:52 imap-urlauth-worker
srw-rw-rw-. 1 root root 0 Jun 9 14:52 indexer
srw-------. 1 dovecot root 0 Jun 9 14:52 indexer-worker
srw-------. 1 dovecot root 0 Jun 9 14:52 ipc
srw-rw----. 1 mailnull mail 0 Jun 9 14:52 lmtp
srw-------. 1 root root 0 Jun 9 14:52 log-errors
drwxr-x---. 2 root dovenull 160 Jun 9 14:52 login
srw-------. 1 root root 0 Jun 9 14:52 master
srw-------. 1 root root 0 Jun 9 14:52 old-stats
prw-------. 1 root root 0 Jun 9 14:52 old-stats-mail
prw-------. 1 root root 0 Jun 9 14:52 old-stats-user
srw-rw-rw-. 1 root root 0 Jun 9 14:52 quota-status
srw-------. 1 root root 0 Jun 9 14:52 replication-notify
prw-------. 1 root root 0 Jun 9 14:52 replication-notify-fifo
srw-------. 1 dovecot root 0 Jun 9 14:52 replicator
srw-------. 1 root root 0 Jun 9 14:52 stats-reader
srw-rw-rw-. 1 root dovecot 0 Jun 9 14:52 stats-writer
drwxr-x---. 2 root dovenull 80 Jun 9 14:52 token-login

[root@ dovecot]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
...
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:986:983:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
....


When I replace the ssl files so that normal users have access, dovecot won't start either because of the other "permission denied" errors above. I think it's because dovecot is not starting as root, initializing and then dropping to the dovecot user (which is the normal behaviour).
 
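Added example, not part of the original thread: a Python sketch that walks a symlinked path much as `namei -l` does and evaluates only the owner/group/other mode bits for a given uid, run against a constructed copy of the layout in the listings above (0755 directories, a 0660 certificate, a symlink pointing at it). When the mode bits pass for the uid the master process really runs as and the open still fails, the denial comes from a layer this check ignores, such as SELinux (the trailing `.` in the `ls -l` output marks an SELinux context) or restrictions applied by the service manager. The function names, the `base` parameter and the temporary tree are assumptions of this example.

```python
# Added example: function names, the base parameter and the temp tree are assumptions.
import os, stat, tempfile

def dac_allows(st, uid, gids, want):
    """Mode-bit check only (want: 4=read, 1=search); ignores capabilities, ACLs, SELinux."""
    shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
    return ((stat.S_IMODE(st.st_mode) >> shift) & want) == want

def first_denied(path, uid, gids, base):
    """First component below base that uid cannot search (dirs) or read (file), else None."""
    hops = [os.path.abspath(path)]
    if os.path.islink(path):
        hops.append(os.path.realpath(path))  # the symlink target's directories count too
    for hop in hops:
        dirs, d = [], os.path.dirname(hop)
        while len(d) > len(base):
            dirs.append(d)
            d = os.path.dirname(d)
        for d in reversed(dirs):  # top-down, the order the kernel resolves them
            if not dac_allows(os.stat(d), uid, gids, 1):
                return d
    return None if dac_allows(os.stat(hops[-1]), uid, gids, 4) else hops[-1]

def build_constructed_tree():
    """Constructed stand-in for the thread's layout, created under a temp dir."""
    base = os.path.realpath(tempfile.mkdtemp())
    real_dir = os.path.join(base, "var/cpanel/ssl/dovecot")
    link_dir = os.path.join(base, "etc/dovecot/ssl")
    os.makedirs(real_dir)
    os.makedirs(link_dir)
    for root, dirs, _ in os.walk(base):
        for d in dirs:
            os.chmod(os.path.join(root, d), 0o755)
    cert = os.path.join(real_dir, "mydovecot.crt")
    with open(cert, "w") as f:
        f.write("constructed placeholder, not a certificate\n")
    os.chmod(cert, 0o660)  # same mode as the listing: rw for owner and group only
    link = os.path.join(link_dir, "dovecot.crt")
    os.symlink(cert, link)
    return base, link, cert

if __name__ == "__main__":
    base, link, _ = build_constructed_tree()
    print(first_denied(link, os.getuid(), set(), base), first_denied(link, os.getuid() + 1, set(), base))
```

On a real host, pass `base="/"` together with the uid and group ids of the account the master process runs as.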

vanessa

Well-Known Member
PartnerNOC
Sep 26, 2006
959
76
178
Virginia Beach, VA
cPanel Access Level
DataCenter Provider
As a last-ditch effort, you can reinstall dovecot to make sure it's set up "clean":


yum remove cpanel-dovecot (this will also in turn remove exim, but not its config templates)
mv /var/cpanel/ssl/dovecot /var/cpanel/ssl/old-dovecot
/scripts/setupmailserver --force dovecot
/scripts/builddovecotconf
/scripts/restartsrv_dovecot
/scripts/buildeximconf
/scripts/restartsrv_exim

In WHM, replace service certificate if needed.
 

Tobi Tobsen

Hi Vanessa, good idea. Will try this next week (not on a Friday :) ).

I made another attempt with executing dovecot directly from shell as root with "/usr/sbin/dovecot -F -c /etc/dovecot/dovecot.conf" and it's working!

Strange, mh?

ps aux | grep dovecot
root 31695 0.5 0.0 169868 13000 ? S 19:07 0:00 /usr/local/cpanel/scripts/restartsrv_dovecot --restart --hard --attempt117
root 33436 0.6 0.0 51624 2452 pts/0 S+ 19:08 0:00 /usr/sbin/dovecot -F -c /etc/dovecot/dovecot.conf
dovenull 33440 0.0 0.0 46744 3532 pts/0 S+ 19:08 0:00 dovecot/pop3-login
dovenull 33441 0.0 0.0 46752 3532 pts/0 S+ 19:08 0:00 dovecot/imap-login
dovecot 33442 0.0 0.0 10312 1308 pts/0 S+ 19:08 0:00 dovecot/anvil
root 33443 0.0 0.0 10444 1220 pts/0 S+ 19:08 0:00 dovecot/log
dovenull 33444 0.0 0.0 46744 3532 pts/0 S+ 19:08 0:00 dovecot/pop3-login
dovenull 33445 0.0 0.0 46752 3536 pts/0 S+ 19:08 0:00 dovecot/imap-login
root 33446 0.0 0.0 17676 4868 pts/0 S+ 19:08 0:00 dovecot/config
dovecot 33447 0.0 0.0 13428 1564 pts/0 S+ 19:08 0:00 dovecot/stats
dovecot 33448 0.0 0.0 41184 2784 pts/0 S+ 19:08 0:00 dovecot/auth
root 33497 0.0 0.0 112812 972 pts/1 S+ 19:08 0:00 grep --color=auto dovecot

In the WHM web portal it still says "down":

Home / Server Status / Service Status:
imap 2.3.19 down
lmtp 2.3.19 down
pop 2.3.19 down

And it's been killed after a few minutes (as expected) by the script /usr/local/cpanel/scripts/restartsrv_dovecot --restart --hard --attempt117
 