Doveadm-sync SSH practicalities
Joseph Tam
jtam.home at gmail.com
Fri Aug 4 01:29:49 EEST 2017
Terry Jones wrote:
> The documentation is somewhat silent on this subject.
If you mean https://wiki.dovecot.org/Tools/Doveadm/Sync, the answers seem
implicit in what's been stated.
> What permissions does the SSH user need?
To be able to run the doveadm executable (or a wrapper script that eventually
runs doveadm) on the remote side.
> How associated does it need to be with things like dovecot directory
> ownership etc.?
It will take uid/gid directly from the login privileges unless you use
a wrapper script that changes UID/GID. This may be necessary if you
use the remote-prefix option for remapping virtual users and user@domain to
another UID/GID.
> Obviously my dovecot daemon processes are running as restricted users
> with "nologin" shells etc., and I don't really want to go opening
> them up if I don't have to.
It doesn't seem possible: you'll need to be able to set up the other
endpoint of communication. You may be able to lock down the shell
by replacing it with a fixed doveadm and arguments, or perhaps by fiddling
with keys and the forced command feature of ssh, after working out the
security issues.
Depending on your use-case, you might be better off using one of the other
transport methods. Do you actually need per-user syncing?
Joseph Tam <jtam.home at gmail.com>
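The forced-command approach Joseph mentions, as an added example (not code from this thread or from the Dovecot project): a wrapper installed as the `command=` of the sync key in authorized_keys, which refuses anything other than the exact `doveadm dsync-server` invocation and then execs it. Assumptions, not stated in the thread: doveadm lives at /usr/bin/doveadm, the source side sends the command in the shape `doveadm dsync-server -u<user> -U` (the form of Dovecot's default dsync_remote_cmd), the wrapper is installed as /usr/local/bin/dsync-wrapper, and the ALLOWED_USER knob is a hypothetical addition to pin one key to one mailbox owner.

```shell
#!/bin/sh
# Added example, not from the mailing list post or from Dovecot.
# Forced-command wrapper for an SSH key used only by doveadm sync.
# Assumed authorized_keys line on the remote side (one line):
#   command="/usr/local/bin/dsync-wrapper",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... dsync@source
set -u

DOVEADM=${DOVEADM:-/usr/bin/doveadm}      # assumed location of doveadm
ALLOWED_USER=${ALLOWED_USER:-}           # hypothetical: pin this key to one user

# dsync_user_from_cmd CMD
# Accepts only the exact request "doveadm dsync-server -u<user> -U" (assumed
# to be the shape of Dovecot's default dsync_remote_cmd). Prints the user
# and returns 0 on success; prints nothing and returns 1 on any deviation.
dsync_user_from_cmd() {
    cmd=$1
    case "$cmd" in
        "doveadm dsync-server -u"*" -U") ;;
        *) return 1 ;;
    esac
    u=${cmd#doveadm dsync-server -u}
    u=${u% -U}
    # Plain user names only: no spaces, shell metacharacters or path parts,
    # so "-u$(id)" or "-ualice -U; id" never reach a shell.
    case "$u" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    if [ -n "$ALLOWED_USER" ] && [ "$u" != "$ALLOWED_USER" ]; then
        return 1
    fi
    printf '%s\n' "$u"
}

# Act as the forced command only when installed under the assumed name;
# SSH_ORIGINAL_COMMAND is what the client asked for, set by sshd.
case "${0##*/}" in
dsync-wrapper)
    user=$(dsync_user_from_cmd "${SSH_ORIGINAL_COMMAND:-}") || {
        logger -t dsync-wrapper "rejected: ${SSH_ORIGINAL_COMMAND:-<none>}"
        exit 1
    }
    exec "$DOVEADM" dsync-server -u"$user" -U
    ;;
esac
```

Because the wrapper never passes the request to a shell and execs doveadm with a fixed argument list, the key holder gets exactly one capability: running the dsync server for a validated user. The `no-pty`, `no-port-forwarding` and related options on the key close the remaining channels a compromised source host could otherwise use.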