The dovecot version which will be released with bullseye seems to require a subtle config adjustment if you
- use ssl (which should be almost everyone)
- and would like to execute doveadm as a user who can not read the ssl cert and key (quite likely).
I guess one of the common cases is executing doveadm pw, e.g. if you use postfixadmin. For myself that manifested in the nginx error log, which I use in combination with php-fpm, as:
2021/04/19 20:22:59 [error] 307467#307467: *13 FastCGI sent in stderr: "PHP message:
Failed to read password from /usr/bin/doveadm pw ... stderr: doveconf: Fatal:
Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 12: ssl_cert:
Can't open file /etc/dovecot/private/dovecot.pem: Permission denied
You can easily see the same error message if you just execute something like doveadm pw -p test123 as that user.
The workaround is to move your ssl configuration to a new file which is only readable by root, and to create a dummy one which disables ssl and has a !include_try on the real one. Unlike !include, !include_try silently skips a file it cannot open, so an unprivileged doveadm gets a config with ssl disabled while root and the dovecot services get the real settings. Maybe best explained by showing the modification:
cd /etc/dovecot/conf.d
cp 10-ssl.conf 10-ssl_server
chmod 600 10-ssl_server
echo 'ssl = no' > 10-ssl.conf
echo '!include_try 10-ssl_server' >> 10-ssl.conf
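The same split as a small script, added here as an example and not part of the original post: it performs the steps above on a conf.d directory, but refuses to clobber an existing 10-ssl_server, checks that the file it hides really carries the ssl_cert setting, and is safe to re-run. It assumes the Debian layout in which dovecot.conf does "!include conf.d/*.conf"; the real file deliberately lacks the .conf suffix so that glob does not include it a second time.

```shell
#!/bin/sh
# split_ssl_conf <conf.d directory>
# Moves 10-ssl.conf to a root-only 10-ssl_server and leaves a stub behind.
# Returns 0 on success (or when already split), 1 when something looks wrong.
split_ssl_conf() {
    dir="$1"
    stub="$dir/10-ssl.conf"
    real="$dir/10-ssl_server"

    [ -f "$stub" ] || { echo "no $stub" >&2; return 1; }

    # Already delegating to 10-ssl_server: nothing to do (re-run safe).
    if grep -q '^!include_try 10-ssl_server' "$stub"; then
        return 0
    fi
    # Never overwrite a real config that is already in place.
    if [ -e "$real" ]; then
        echo "$real already exists, refusing to overwrite" >&2
        return 1
    fi
    # The file we are about to hide should actually carry the cert/key paths.
    grep -q '^ssl_cert' "$stub" || { echo "no ssl_cert in $stub" >&2; return 1; }

    # Create the copy with a restrictive umask so the cert/key paths are never
    # sitting in a world-readable file, even briefly, then pin the mode to 600.
    (umask 077 && cp "$stub" "$real") || return 1
    chmod 600 "$real"

    # The stub disables ssl for readers who cannot open the real file (e.g. the
    # php-fpm user running doveadm pw) and pulls in the real settings for those
    # who can (root, the dovecot services). It must stay world-readable.
    printf 'ssl = no\n!include_try 10-ssl_server\n' > "$stub"
    chmod 644 "$stub"
}

# verify_split <conf.d directory>
# Returns 0 when the stub and the root-only file look the way the post describes.
verify_split() {
    dir="$1"
    [ "$(head -n 1 "$dir/10-ssl.conf")" = "ssl = no" ] || return 1
    grep -q '^!include_try 10-ssl_server$' "$dir/10-ssl.conf" || return 1
    grep -q '^ssl_cert' "$dir/10-ssl_server" || return 1
    # -perm 600 is an exact-mode match, so group/other bits must be clear.
    find "$dir/10-ssl_server" -perm 600 | grep -q . || return 1
}
```

Run it as root against /etc/dovecot/conf.d, then confirm that `doveconf -n | grep ^ssl` as root still shows ssl enabled and that `doveadm pw -p test123` as the unprivileged user no longer fails on the cert.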
Discussed upstream here.