Troubleshoot Dovecot

This guide provides some examples for troubleshooting Dovecot on OpenBSD with OpenSMTPD.

Turning on debug variables

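Add the following lines at the bottom of /etc/dovecot/dovecot.conf to enable debug variables. With auth_debug_passwords=yes, Dovecot logs passwords on a mismatch, so remove these lines once troubleshooting is done: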

auth_verbose=yes
auth_debug=yes
auth_debug_passwords=yes
mail_debug=yes
auth_verbose_passwords=sha1
verbose_ssl=yes

Check maillog

Check mail logs (default /var/log/maillog) for any warnings and errors.

Jun  9 01:37:35 jrmu dovecot: auth: Error: passwd-file(jrmu@jrmu.host.oddprotocol.org,125.231.25.80,<aiyNgk/EuHB95xlQ>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)
Jun  9 01:37:41 jrmu dovecot: auth: Error: passwd-file(jrmu@jrmu.host.oddprotocol.org,125.231.25.80,<aiyNgk/EuHB95xlQ>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)
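
The errors above name the file Dovecot could not reach, the user it ran as, and the directory and group that block access. The following script is an added example (not part of the original guide) that extracts those fields from maillog lines and counts each distinct failure; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise Dovecot "Permission denied" errors from maillog.
# Reads log lines on stdin; prints "<count> user=... path=... missing=...
# dir=... group=... mode=..." for each distinct failure, most frequent first.
dovecot_perm_errors() {
    awk '
    # Text between the first "pre" and the next "post", or "?" if absent.
    function between(s, pre, post,    i, rest, j) {
        i = index(s, pre); if (i == 0) return "?"
        rest = substr(s, i + length(pre))
        j = index(rest, post); if (j == 0) return "?"
        return substr(rest, 1, j - 1)
    }
    # "518(_dovecot" -> "_dovecot"; a bare "?" passes through unchanged.
    function name(s) { return substr(s, index(s, "(") + 1) }
    / dovecot: / && match($0, /[a-z_]+\([^()]*\) failed: Permission denied/) {
        call = substr($0, RSTART, RLENGTH)
        key = sprintf("user=%s path=%s missing=%s dir=%s group=%s mode=%s",
            name(between($0, "euid=", ")")),
            between(call, "(", ")"),
            between($0, "missing ", " perm:"),
            between($0, " perm: ", ","),
            name(between($0, "not in group ", ")")),
            between($0, "mode=", ")"))
        count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample input in the format shown above (placeholder values).
sample_maillog() {
    cat <<'EOF'
Jun  9 01:37:30 mail dovecot: master: Dovecot v2.3.21.1 starting up for imap, pop3
Jun  9 01:37:35 mail dovecot: auth: Error: passwd-file(user@example.com,192.0.2.10,<constructed>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)
Jun  9 01:37:41 mail dovecot: auth: Error: passwd-file(user@example.com,192.0.2.10,<constructed>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)
EOF
}

sample_maillog | dovecot_perm_errors
```

Run it on the real log with `dovecot_perm_errors < /var/log/maillog`, then inspect the reported directory with `ls -ld` and the user's groups with `id`.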

When starting dovecot, you may find it fails:

# rcctl start dovecot
dovecot(failed)

When this happens, run the rc.d script with debugging turned on:

# /etc/rc.d/dovecot -d start
doing _rc_parse_conf
doing _rc_quirks
dovecot_flags empty, using default ><
doing rc_check
dovecot
doing rc_start
doing _rc_wait start
doing rc_check
doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 12: ssl_cert: Can't open file /etc/ssl/dovecotcert.pem: No such file or directory
doing _rc_rm_runfile
(failed)

In this case, you can see the error is in line 12 of /etc/dovecot/conf.d/10-ssl.conf. I forgot to write the real path of the cert: /etc/ssl/example.com.fullchain.pem (where example.com is replaced with my real domain).

To test the TLS setup, connect to the IMAP port with STARTTLS:

$ openssl s_client -starttls imap -connect username.coconut.ircnow.org:143

Dump non-default settings

When asking for help, dump non-default configuration settings and provide them in a paste:

# dovecot -n
# 2.3.21.1 (d492236fa0): /etc/dovecot/dovecot.conf
# OS: OpenBSD 7.7 amd64  ffs
# Hostname: example.com
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = sha1
first_valid_uid = 1000
listen = 198.51.100.2, 2001:db8::2
mail_debug = yes
mail_location = maildir:%h/Maildir
mbox_write_locks = fcntl
mmap_disable = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = bsdauth
}
protocols = imap pop3
ssl_cert = </etc/ssl/example.com.crt
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
verbose_ssl = yes

Login classes

After installation, the package will provide a README in /usr/local/share/doc/pkg-readmes/dovecot.

Dovecot automatically adds a capability database at /etc/login.conf.d/dovecot:

dovecot:\
	:openfiles-cur=1024:\
	:openfiles-max=2048:\
	:tc=daemon:

This login class raises the open-file limits for dovecot. On a large server, it may be necessary to increase these limits further:

dovecot:\
	:openfiles-cur=4096:\
	:openfiles-max=8192:\
	:tc=daemon:

WARNING: login.conf(5) must use tabs and not spaces. Do not use spaces, or the login classes may not work.

NOTE: Allowing more open files than suggested in the README can help if you have many IP addresses.

WARNING: If login.conf.db exists, you will need to rebuild it:

# [ -f /etc/login.conf.db ] && cap_mkdb /etc/login.conf

But it is best to just remove /etc/login.conf.db since it is not required:

# rm /etc/login.conf.db