It looks potentially like doveadm
parses the Dovecot configuration, regardless of what subcommand is used. I was able to reproduce this on Debian 11:
alex@valery-period:~$ strace -ff -s 1024 -e trace=open,openat doveadm pw
openat(AT_FDCWD, "/usr/lib/dovecot/tls/haswell/x86_64/libz.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/dovecot/tls/haswell/libz.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/dovecot/tls/x86_64/libz.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/dovecot/tls/libz.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/dovecot/haswell/x86_64/libz.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/dovecot/haswell/libz.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/dovecot/x86_64/libz.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/dovecot/libz.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/dovecot/libcrypt.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libcrypt.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/dovecot/libdovecot-storage.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/dovecot/libdovecot.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/dovecot/libsodium.so.23", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libsodium.so.23", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/dovecot/libm.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/dovecot/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/dev/null", O_WRONLY) = 3
openat(AT_FDCWD, "/usr/lib/dovecot/modules", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
openat(AT_FDCWD, "/usr/lib/dovecot/modules/libssl_iostream_openssl.so", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libssl.so.1.1", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libcrypto.so.1.1", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/usr/lib/dovecot/tls/haswell/x86_64/libdovecot.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/dovecot/tls/haswell/libdovecot.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/dovecot/tls/x86_64/libdovecot.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/dovecot/tls/libdovecot.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/dovecot/haswell/x86_64/libdovecot.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/dovecot/haswell/libdovecot.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/dovecot/x86_64/libdovecot.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/dovecot/libdovecot.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/dovecot/libm.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/dovecot/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/dev/null", O_WRONLY) = 3
openat(AT_FDCWD, "/usr/lib/dovecot/modules/settings", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 7
openat(AT_FDCWD, "/usr/lib/dovecot/modules/settings/libpigeonhole_settings.so", O_RDONLY|O_CLOEXEC) = 7
openat(AT_FDCWD, "/etc/dovecot/dovecot.conf", O_RDONLY) = 7
openat(AT_FDCWD, "/usr/share/dovecot/protocols.d", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 8
openat(AT_FDCWD, "/etc/dovecot/conf.d", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 8
openat(AT_FDCWD, "/etc/dovecot/conf.d/90-quota.conf", O_RDONLY) = 8
openat(AT_FDCWD, "/etc/dovecot/conf.d/90-plugin.conf", O_RDONLY) = 9
openat(AT_FDCWD, "/etc/dovecot/conf.d/90-acl.conf", O_RDONLY) = 10
openat(AT_FDCWD, "/etc/dovecot/conf.d/15-mailboxes.conf", O_RDONLY) = 11
openat(AT_FDCWD, "/etc/dovecot/conf.d/15-lda.conf", O_RDONLY) = 12
openat(AT_FDCWD, "/etc/dovecot/conf.d/10-tcpwrapper.conf", O_RDONLY) = 13
openat(AT_FDCWD, "/etc/dovecot/conf.d/10-ssl.conf", O_RDONLY) = 14
openat(AT_FDCWD, "/etc/dovecot/conf.d/10-master.conf", O_RDONLY) = 15
openat(AT_FDCWD, "/etc/dovecot/conf.d/10-mail.conf", O_RDONLY) = 16
openat(AT_FDCWD, "/etc/dovecot/conf.d/10-logging.conf", O_RDONLY) = 17
openat(AT_FDCWD, "/etc/dovecot/conf.d/10-director.conf", O_RDONLY) = 18
openat(AT_FDCWD, "/etc/dovecot/conf.d/10-auth.conf", O_RDONLY) = 19
openat(AT_FDCWD, "/etc/dovecot/conf.d/auth-system.conf.ext", O_RDONLY) = 20
openat(AT_FDCWD, "/etc/letsencrypt/live/valery-period.bnr.la/fullchain.pem", O_RDONLY) = -1 EACCES (Permission denied)
doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 12: ssl_cert: Can't open file /etc/letsencrypt/live/valery-period.bnr.la/fullchain.pem: Permission denied
+++ exited with 89 +++
If that's the reality of how the doveadm
command works now, then you will probably need to get iRedMail to work around it by providing an alternate implementation.