On 24.06.2019 16:25, Reio Remma wrote:
On 24.06.2019 8:21, Aki Tuomi wrote:
On 22.6.2019 22.00, Reio Remma via dovecot wrote:
Jun 22 16:55:22 host dovecot: dsync-local(user@host.ee)<>: Error: Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l vmail backup.host.ee doveadm dsync-server -D -uuser@host.ee
PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun as usual. :) Dovecot under selinux works, as long as you do it the way the policy writer intended, see https://linux.die.net/man/8/dovecot_selinux
Aki
For replication over SSH I had to add the following module:
module selinux-dovecot-replication-ssh 1.0;

require {
    type ssh_exec_t;
    type ssh_home_t;
    type dovecot_t;
    class file { open read execute execute_no_trans };
    class dir { getattr search };
}

#============= dovecot_t ==============
allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
allow dovecot_t ssh_home_t:dir { getattr search };
allow dovecot_t ssh_home_t:file { open read };
ssh_exec_t to allow Dovecot to use the ssh executable in the first place, and ssh_home_t:dir + ssh_home_t:file for it to be able to read known_hosts from /root/.ssh.
Reio
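The module above is posted as bare policy source; the steps that turn it into a loadable module are not in the thread. The script below is an added example (not Reio's or the Dovecot project's code) that writes that exact .te source to a file, lets a reviewer count the allow rules before anything is loaded, and then compiles and installs it with the standard policycoreutils tools. It assumes checkmodule, semodule_package and semodule are installed and that the build step is run as root; the environment variable SELINUX_DOVECOT_SSH_INSTALL is an assumption used only to gate the install step.

```shell
#!/bin/sh
# Added example: package the SELinux rules quoted in the thread as a loadable
# module. Assumes policycoreutils (checkmodule, semodule_package, semodule).
set -eu

MODULE_NAME="selinux-dovecot-replication-ssh"

# Write the type-enforcement source exactly as posted in the thread to
# "$1/$MODULE_NAME.te" and print the path.
write_te_module() {
    dir="$1"
    cat > "$dir/$MODULE_NAME.te" <<'EOF'
module selinux-dovecot-replication-ssh 1.0;

require {
    type ssh_exec_t;
    type ssh_home_t;
    type dovecot_t;
    class file { open read execute execute_no_trans };
    class dir { getattr search };
}

#============= dovecot_t ==============
allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
allow dovecot_t ssh_home_t:dir { getattr search };
allow dovecot_t ssh_home_t:file { open read };
EOF
    printf '%s\n' "$dir/$MODULE_NAME.te"
}

# Count the allow rules in a .te file, so the reviewer can confirm the module
# grants only the three rules from the thread before it is installed.
count_allow_rules() {
    grep -c '^allow ' "$1"
}

# Compile the .te into a .mod, package it as a .pp and load it.
# Needs root and the policycoreutils tools; not run by default.
build_and_load() {
    dir="$1"
    checkmodule -M -m -o "$dir/$MODULE_NAME.mod" "$dir/$MODULE_NAME.te"
    semodule_package -o "$dir/$MODULE_NAME.pp" -m "$dir/$MODULE_NAME.mod"
    semodule -i "$dir/$MODULE_NAME.pp"
}

# Usage: SELINUX_DOVECOT_SSH_INSTALL=1 sh this_script.sh  (as root)
if [ "${SELINUX_DOVECOT_SSH_INSTALL:-0}" = "1" ]; then
    workdir=$(mktemp -d)
    te=$(write_te_module "$workdir")
    echo "allow rules in $te: $(count_allow_rules "$te")"
    build_and_load "$workdir"
fi
```

The rule count is a cheap sanity check for a module that grants dovecot_t access to ssh binaries and key directories: anything beyond the three lines from the thread should be questioned before semodule -i runs.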
To cut down on SELinux exceptions I put the destination host in /etc/ssh/ssh_known_hosts, and Dovecot replicates successfully; however, I get the following log entry for every replicator action:
Aug 6 22:25:59 turin dovecot: doveadm: Error: Could not create directory '/root/.ssh'.
Replication is set up with the user vmail (/home/vmail and SSH key in /home/vmail/.ssh) and the minimum selinux rule to get Dovecot to read the key is:
allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read };
Is there a way I can change from root to vmail user for creating the SSH connection?
Doveconf below:
# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.1 (db5c74be)
# OS: Linux 4.4.186-1.el7.elrepo.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core)
# Hostname: turin.mrstuudio.ee
doveadm_api_key = # hidden, use -P to show it
dsync_remote_cmd = ssh -i /home/vmail/.ssh/vmail.pem -l %{login} %{host} doveadm dsync-server -u %u
mail_gid = vmail
mail_home = /home/vmail/%d/%n
mail_location = maildir:~/Maildir
mail_log_prefix = "%s(%u): "
mail_plugins = quota notify replication
mail_uid = vmail
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox "Deleted Messages" {
    auto = no
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = no
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = no
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  mail_replica = remote:vmail@replica
}
protocols = imap lmtp
service aggregator {
  fifo_listener replication-notify-fifo {
    user = vmail
  }
  unix_listener replication-notify {
    user = vmail
  }
}
service doveadm {
  inet_listener http {
    address = localhost
    port = 8080
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  executable = lmtp -L
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    mode = 0600
    user = vmail
  }
}
service stats {
  unix_listener stats-writer {
    mode = 0666
  }
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  default_fields = uid=vmail gid=vmail
  driver = sql
}
protocol lmtp {
  mail_plugins = quota notify replication
}
protocol imap {
  imap_capability = +SPECIAL-USE
  imap_metadata = yes
  mail_max_userip_connections = 50
  mail_plugins = quota notify replication imap_quota
  namespace inbox {
    location =
    mailbox Ham {
      autoexpunge = 365 days
    }
    mailbox Spam {
      autoexpunge = 365 days
    }
    mailbox Trash {
      autoexpunge = 180 days
    }
    prefix =
  }
}
Thanks! Reio