Hello,

It seems from this thread at letsencrypt: https://community.letsencrypt.org/t/changing-permissions-for-pem-files/196561 (see especially the second post from _az) that doveadm pw now parses all files in the config, even ones not relevant to the pw aspect of the request. If it’s not able to access all the files, it terminates prematurely with exit code 89.

The result, at least for anyone using letsencrypt / certbot, is that doveadm pw fatally fails unless run as root, because the config includes the private key, which has permissions 600 root root. This makes the dovecot pw functionality unusable for web apps that want to calculate a password hash using it (e.g. RoundCube’s password change feature).

My understanding is that dovecot only really needs the private key for its main functionality, when it’s running as root, and that there’s no reason doveadm pw, which should (presumably) often be run as a regular user, needs access to it.

Is this the intended behavior, or have I got something wrong?

Thanks for all help,

Paul
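An added example (not from the original post or from the Dovecot project): a POSIX shell helper that lists the files a Dovecot config pulls in with the `key = <path` syntax (ssl_cert, ssl_key and the like) and reports which of them the current user cannot read, so an administrator can see which file would stop an unprivileged `doveadm pw` before touching permissions. The config file names and the `/etc/letsencrypt/...` paths in the comments are assumptions; run it as the same user that calls `doveadm pw` (e.g. the web server user), since root can read everything.

```shell
#!/bin/sh
# Helper (constructed example, not Dovecot code) to find the config-included
# files that an unprivileged "doveadm pw" would also have to open.
# Dovecot includes file contents with lines such as:
#   ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem   (assumed path)
#   ssl_key  = </etc/letsencrypt/live/example.com/privkey.pem     (assumed path)

# Print every path referenced as "<setting> = <path" in the given config file(s),
# one per line. Leading whitespace and trailing comments are ignored.
dovecot_included_files() {
    sed -n 's/^[[:space:]]*[A-Za-z0-9_]*[[:space:]]*=[[:space:]]*<\([^[:space:]#]*\).*/\1/p' "$@"
}

# Print only the included paths that the current user cannot read
# (missing files count as unreadable, just as they would for doveadm).
unreadable_included_files() {
    dovecot_included_files "$@" | while IFS= read -r f; do
        [ -r "$f" ] || printf '%s\n' "$f"
    done
}

# Exit status 0 if every included file is readable by the current user,
# 1 if at least one is not (the situation that makes doveadm pw fail).
config_readable_by_me() {
    [ -z "$(unreadable_included_files "$@")" ]
}

# Usage (assumed paths):
#   sh check_dovecot_includes.sh /etc/dovecot/dovecot.conf /etc/dovecot/conf.d/*.conf
if [ "$#" -gt 0 ]; then
    if config_readable_by_me "$@"; then
        echo "all included files are readable by $(id -un)"
    else
        echo "not readable by $(id -un):"
        unreadable_included_files "$@"
    fi
fi
```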