Dovecot config keeps breaking

I created a ticket on this a couple of days ago, but can't seem to find it now.

What seems to be happening is that whenever a letsencrypt SSL certificate is renewed, the SSL certificate section of dovecot.conf is getting corrupted.

Up until yesterday (happened three times), it was missing the closing brace for one or more local_name clauses in the dovecot.conf file.

However, last night it was much worse. It's missing closing braces, opening braces, and even local_name declarations.

Status: Needs work

Comments

Submitted by Ilia on Mon, 08/03/2020 - 14:37

Hi,

Did all of that happen running Virtualmin 6.10 or 6.11?

6.10.

Saw 6.11 was available this morning. Have upgraded to it already and am hoping that it fixes the problem.

Submitted by Ilia on Wed, 08/05/2020 - 03:36

What does your /etc/dovecot/dovecot.conf look like at the moment?

For me the problem occurs again.

My host is Debian 9 with the latest Virtualmin.

The Dovecot config is corrupted after these lines in syslog:

.................
Aug 5 19:16:02 host6 systemd[1]: Started User Manager for UID 1221.
Aug 5 19:16:02 host6 systemd[1]: Stopping User Manager for UID 1221...
Aug 5 19:16:02 host6 systemd[3413]: Failed to enqueue exit.target job: Access denied
Aug 5 19:16:02 host6 systemd[1]: Stopped User Manager for UID 1221.
Aug 5 19:16:02 host6 systemd[1]: Removed slice User Slice of avantura.
Aug 5 19:16:02 host6 systemd[1]: Created slice User Slice of avantura.
Aug 5 19:16:02 host6 systemd[1]: Starting User Manager for UID 1221...
Aug 5 19:16:02 host6 systemd[1]: Started Session c293514 of user avantura.
Aug 5 19:16:02 host6 systemd[3425]: Reached target Timers.
Aug 5 19:16:02 host6 systemd[3425]: gpg-agent-browser.socket: Socket service gpg-agent.service not loaded, refusing.
Aug 5 19:16:02 host6 systemd[3425]: Failed to listen on GnuPG cryptographic agent (access for web browsers).
Aug 5 19:16:02 host6 systemd[3425]: gpg-agent-ssh.socket: Socket service gpg-agent.service not loaded, refusing.
Aug 5 19:16:02 host6 systemd[3425]: Failed to listen on GnuPG cryptographic agent (ssh-agent emulation).
Aug 5 19:16:02 host6 systemd[3425]: gpg-agent.socket: Socket service gpg-agent.service not loaded, refusing.
Aug 5 19:16:02 host6 systemd[3425]: Failed to listen on GnuPG cryptographic agent and passphrase cache.
Aug 5 19:16:02 host6 systemd[3425]: Reached target Paths.
Aug 5 19:16:02 host6 systemd[3425]: gpg-agent-extra.socket: Socket service gpg-agent.service not loaded, refusing.
Aug 5 19:16:02 host6 systemd[3425]: Failed to listen on GnuPG cryptographic agent and passphrase cache (restricted).
Aug 5 19:16:02 host6 systemd[3425]: Reached target Sockets.
Aug 5 19:16:02 host6 systemd[3425]: Reached target Basic System.
Aug 5 19:16:02 host6 systemd[3425]: Reached target Default.
Aug 5 19:16:02 host6 systemd[3425]: Startup finished in 26ms.
Aug 5 19:16:02 host6 systemd[1]: Started User Manager for UID 1221.
Aug 5 19:16:02 host6 systemd[1]: Stopping User Manager for UID 1221...
Aug 5 19:16:02 host6 systemd[3425]: Failed to enqueue exit.target job: Access denied
Aug 5 19:16:02 host6 systemd[1]: Stopped User Manager for UID 1221.
Aug 5 19:16:02 host6 systemd[1]: Removed slice User Slice of avantura.
Aug 5 19:16:23 host6 dovecot: config: Fatal: Error in configuration file /etc/dovecot/dovecot.conf: Missing '}' (section started at /etc/dovecot/dovecot.conf:149)
Aug 5 19:16:23 host6 dovecot: master: Error: service(config): command startup failed, throttling for 2 secs
.................................

When certbot was running to renew the certs, all was OK.

Can I also weigh in on this, I am having the exact same issues. Twice in the last few weeks SSL updates for client domains have corrupted this file and taken my dovecot services offline.

Here is an example. This domain's SSL updated yesterday... (note the missing "}" below in dovecot.conf):

local_name www.2e2s.com {
ssl_cert = </home/aje2e2s/ssl.cert
  ssl_cert = </home/aje2e2s/ssl.combined
  ssl_key = </home/aje2e2s/ssl.key
Status: Fixed (pending) » Needs work

Same issue here yesterday. Does the patch work for that, or is it safer to wait for a regular update?

I think the issue is not just solving the bug but checking the Dovecot config before applying it. Mail is such an important part of a hoster's system, it should justify the extra effort here.

Submitted by Ilia on Fri, 08/14/2020 - 04:51

Does the patch work for that, or is it safer to wait for a regular update?

It would work; however, for now I would manually edit the dovecot.conf file and make sure to remove all ssl_ca directives, leaving only ssl_cert and ssl_key. Even with Virtualmin 6.11 the issue will not happen if there is no ssl_ca directive. Virtualmin 6.12 will work either way, and will automatically remove the ssl_ca directive properly.

Alternatively, you could run the following script to do it for you, which will fix it all in no time if you have too many virtual servers to edit by hand. To run it, you need a valid Dovecot config with all curly brackets in place.

#!/bin/sh
# Re-register every non-alias virtual server's certificate with Dovecot.
# Removing and re-adding a domain rewrites its local_name block cleanly.
doms=$(virtualmin list-domains --name-only --no-alias)
for dom in $doms; do
        virtualmin install-service-cert --domain "$dom" --remove-domain --service dovecot
        virtualmin install-service-cert --domain "$dom" --add-domain --service dovecot
done

Note: Put this code in a file and run it with sh script-name.
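The pre-flight check asked for a few comments up (validate dovecot.conf before applying it), which is also the precondition for the script above (all curly brackets in place), as an added example that is not Virtualmin's or Dovecot's code. It is a simplified parser of Dovecot's "name {" / "}" section syntax; the sample config and its hostnames and paths are constructed, modelled on the corrupted local_name block posted above, and doveconf -n remains the authoritative test.

```python
import re

# Constructed sample modelled on the corrupted block posted in this thread:
# the first local_name block is fine, the second repeats ssl_cert and never closes.
SAMPLE_CONF = """\
ssl = yes
local_name mail.example.com {
  ssl_cert = </home/example/ssl.combined
  ssl_key = </home/example/ssl.key
}
local_name www.example.org {
  ssl_cert = </home/exorg/ssl.cert
  ssl_cert = </home/exorg/ssl.combined
  ssl_key = </home/exorg/ssl.key
"""

SECTION_RE = re.compile(r"^\s*(\w+)(?:\s+(\S+))?\s*\{\s*$")  # e.g. "local_name host {"
SETTING_RE = re.compile(r"^\s*(\w+)\s*=")                     # e.g. "ssl_key = </path"


def check_dovecot_conf(text):
    """Return a list of problems (empty = looks sane); line numbers are 1-based like Dovecot's."""
    problems = []
    stack = []  # open sections: (name, start_line, directive names seen so far)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:  # "name [arg] {" opens a section
            stack.append((" ".join(p for p in m.groups() if p), lineno, set()))
            continue
        if line == "}":  # closes the innermost open section
            if stack:
                stack.pop()
            else:
                problems.append(f"line {lineno}: unexpected '}}' with no open section")
            continue
        m = SETTING_RE.match(line)
        if m and stack:  # a directive inside a section: flag duplicates
            name, start, seen = stack[-1]
            if m.group(1) in seen:
                problems.append(f"line {lineno}: '{m.group(1)}' repeated in section "
                                f"'{name}' (started at line {start})")
            seen.add(m.group(1))
    for name, start, _ in stack:  # anything still open never got its '}'
        problems.append(f"Missing '}}' (section '{name}' started at line {start})")
    return problems
```

Run check_dovecot_conf on the file contents before restarting Dovecot and refuse the restart while the list is non-empty.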

That appears to have fixed the problem. I wiped out all the local_name code, ran your script and ta-da!

I still need to confirm by creating a mail account, logging into the account and confirming it's working, but dovecot's not bitching when I restart it now.