[Dovecot] replicator/dsync over tcp
Michael Grimm
trashcan at odo.in-berlin.de
Sun Mar 24 23:07:57 EET 2013
Hi --
I am testing replicator/dsync over tcp, and I did run into some issues.
First of all I did need to extend http://wiki2.dovecot.org/Replication to get dsync over tcp running without ssl:
| # dsync over tcp default port
| #
| doveadm_port = 12345
| service doveadm {
| # running dsync over tcp and using ssl
| #
added-->| user = vmail
| inet_listener {
added-->| address = 1.2.3.4
| port = 12345
| # ssl = yes
| }
| }
| plugin {
| # this host replicates to remote host
| #
| mail_replica = tcp:SERVER-A.TLD
That didn't work ...
| dovecot: doveadm(test): Error: doveadm_password not set, can't authenticate to remote server
... thus, I needed to add:
added-->| local 1.2.3.4 {
added-->| # password for client authentication by doveadm server
added-->| #
added-->| doveadm_password = secret
added-->| # allow client to only use specified list of commands (default is all):
added-->| #
added-->| #doveadm_allowed_commands =
added-->| }
1. Question: may one include "secret" from a file?
Well, that runs like a charm!
Now, I did try to add ssl by activating "ssl = yes" in 'service doveadm' (see above) and adding ...
| # used by replicator/dsync over tcp
| #
| ssl_client_ca_dir = /<path-to>/ssl/certs
... and ...
| mail_replica = tcps:SERVER-A.TLD
But, this didn't work (logfile at remote server):
| dovecot: doveadm(test): Invalid certificate: self signed certificate: /OU=dovecot server/CN=OTHER-NAME.TLD/emailAddress=postmaster at OTHER-NAME.TLD
| dovecot: doveadm(test): Error: SERVER-A.TLD: Received invalid SSL certificate
| dovecot: doveadm(test): Error: sync: Disconnected from remote
The OTHER-NAME.TLD is served by my additional settings used by my MUAs:
| ssl_cert = </<path-to>/ssl/certs/OTHER-NAME.TLD.pem
| ssl_key = </<path-to>/ssl/private/OTHER-NAME.TLD.pem
I did supply SERVER-A.TLD certs and private certificates at both servers as well, but dovecot seems to use those of OTHER-NAME.TLD for replicator/dsync instead :-(
2. Question: May I config the certificate that should be used for replicator/dsync and that might be different from those used by my MUAs (other than pointing to '/<path-to>/ssl/certs')?
I am quite sure that I screwed my config somehow, but I cannot find the cause. Thus, someone?
Thanks, and with kind regards,
Michael
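
Added example, not part of the message above and not Dovecot's own tooling: a small Python check over the settings quoted in the post that reports where the doveadm replication link would run without TLS. The sample config is constructed from the post's fragments, `parse` and `audit` are hypothetical helper names, and comment handling is simplified (a `#` inside a quoted value is not supported).

```python
# Constructed sample assembled from the fragments quoted in the post.
SAMPLE = """\
doveadm_port = 12345
service doveadm {
  user = vmail
  inet_listener {
    address = 1.2.3.4
    port = 12345
    # ssl = yes
  }
}
plugin {
  mail_replica = tcp:SERVER-A.TLD
}
local 1.2.3.4 {
  doveadm_password = secret
}
"""

def parse(text):
    """Yield (block_path, key, value) for each active (uncommented) setting."""
    path = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '# ssl = yes' is therefore inactive
        if not line:
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            if path:
                path.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            yield tuple(path), key, value

def audit(text):
    """Return findings about unprotected doveadm replication settings."""
    settings = list(parse(text))
    listeners = {p for p, _, _ in settings
                 if len(p) == 2 and p[0] == "service doveadm"
                 and p[1].startswith("inet_listener")}
    with_tls = {p for p, k, v in settings if k == "ssl" and v == "yes"}
    findings = ["doveadm inet_listener has no active 'ssl = yes'"
                for _ in sorted(listeners - with_tls)]
    for _, key, value in settings:
        if key == "mail_replica" and value.startswith("tcp:"):
            findings.append(f"mail_replica = {value} uses tcp: rather than tcps:")
        elif key == "doveadm_password":
            findings.append("doveadm_password is set inline in the config")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN:", finding)
```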