After upgrading Ubuntu Dovecot fails to start with a fatal error: Argument list too long

Question

After upgrading Ubuntu from 20.04 to 22.04 I'm having a problem with starting dovecot and I'm getting the following error:

$ sudo dovecot -F
doveconf: Fatal: execvp(/usr/sbin/dovecot) failed: Argument list too long

After some searching I found out that you have to raise the ARG_MAX variable, but I don't know how.

I have tried finding solutions in ulimit, sysconf and exec.

$ sudo getconf ARG_MAX
2097152
$ getconf ARG_MAX
6291456

I have added the following to /etc/secutiry/limits.conf:

root    soft    nofile      65535
root    hard    nofile      65535

LimitNOFILE=65536 in dovecot.service but it still throws the same error!

$ sudo doveconf -n

auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = PLAIN
auth_verbose = yes
disable_plaintext_auth = no
log_path = /var/log/dovecot.log
mail_home = /home/vmail/%d/%u
mail_location = maildir:~
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  user = root
}
ssl = required
ssl_ca = </etc/ssl/certs/ca-certificates.crt
ssl_cert = </etc/letsencrypt/live/*.nl/fullchain.pem
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
local_name mail.*.nl {
  protocol imap {
    ssl_ca = </etc/ssl/certs/ca-certificates.crt
    ssl_cert = </etc/letsencrypt/live/*.nl/fullchain.pem
    ssl_key = # hidden, use -P to show it
  }
}
local_name mail.*.nl {
  protocol pop3 {
    ssl_ca = </etc/ssl/certs/ca-certificates.crt
    ssl_cert = </etc/letsencrypt/live/*.nl/fullchain.pem
    ssl_key = # hidden, use -P to show it
  }
}

Exit code: 89

With Ubuntu you cannot trust that your system-wide limit configuration is honoured, because some systemD fuckery could interfere. Can you see resource limits applied when dumping the unit configuration like `systemctl show dovecot.service`? — anx, Jul 22 '23 at 11:41
Yes, `LimitNOFILE=65535`, `LimitNOFILESoft=65535`, `LimitNPROC=124116`, `LimitNPROCSoft=124116`, `LimitMEMLOCK=65536`, `LimitMEMLOCKSoft=65536`, `LimitSIGPENDING=124116`, `LimitSIGPENDINGSoft=124116`, `LimitMSGQUEUE=819200`, `LimitMSGQUEUESoft=819200` — Alex, Jul 22 '23 at 16:22

anx · Accepted Answer · 2023-07-22T12:07:22.050

2

What if reasonable limit are effective.. but you are really passing something inappropriately large in an unexpected place?

I can see one potential candidate: I do not think this is what you meant to configure:

ssl_ca = </etc/ssl/certs/ca-certificates.crt

That is for verification of client certificates sent to you. If you even used that, it would still not contain a substantial number of certificates.

If you wanted to override what is used to verify only certificates when connecting in a client role, you would use ssl_client_ca_dir, but that already should have sensible defaults, so no need to.

edited Jul 22 '23 at 12:07

answered Jul 22 '23 at 11:46

anx

8,963
5
24
48

God bless you! It fixed it! Thank you! I commented out the line and it started. – Alex Jul 22 '23 at 18:21

After upgrading Ubuntu Dovecot fails to start with a fatal error: Argument list too long

1 Answers1