Properly "locking" a useraccount (on a proxy)

Ralf Hildebrandt r at sys4.de
Tue Oct 21 18:27:29 UTC 2014


I'm preparing a migration of several mailboxes to another machine.
The different useraccounts are distributed to different backend
machines by means of a dovecot LMTP/IMAP/POP proxy.

Proxying is working really well (now that the kernel does as it should).

But how can I "lock" a user during migration?

The plan is:
============

* lock the user
* kick the user (doveadm kick)
* migrate mailbox (some rsync magic)
* unlock the user again

But how would I lock the user?

What locking needs to achieve:

1) Disallow IMAP/POP login (that's easy!)
2) defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)

Because currently, we're seeing dovecot trying local delivery on the
proxy machine once an account is locked (probably because LMTP
proxying uses passdb lookups, and since that one is failing it's using
the userdb lookup?):

Oct 21 20:15:27 lmtp(87892): Error: user sys4 at test.invalid: Initialization failed: Namespace '':
mkdir(/var/mail/test.invalid/sys4/mdbox/mailboxes) failed: Permission denied (euid=10000(vmail) egid=10000(vmail) missing +w perm:
/var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775)

Admittedly, this is somehow working. But it's not very elegant to use a
side-effect. Is the a reserved userdb/passwd return value which will let
dovecot "tempfail" in a n elegant fashion?

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein


More information about the dovecot mailing list