On Thu, 31 Jul 2014, Steffen Kaiser wrote:
On Wed, 30 Jul 2014, Jogi Hofmüller wrote:
Or better - disable LMTP service in Dovecot. Incoming mail will stay on your MTA and when you're done, you just tell it to deliver everything that piled up in the queue in the meantime
Better but still not perfect ;) We have users that work late and I am sure they would complain when they don't receive email during migration nights.
Still thinking ...
In your original post you wrote "While migrating a mailbox". So you migrate one user after another. Also, if you want to disable LMTP for that user, you want to disable IMAP and POP3, too, for the very same reason -> or at least put them in read-only mode.
So, IMHO, your goal is to make the mail storage of one user read-only. Experiment with ACLs. Make all the mailboxes of the user read-only. After migration remove the ACLs.
Make the mail storage inaccessible during backup for just one user:
How about adding another

userdb {
  driver = passwd-file
  args = /.../%s/file
}

as the first one, which disables the access to the one user's mail storage currently migrated. %s would be lmtp, imap, pop3 and doveadm, IMHO. Make sure, doveadm sees no user in this userdb, but the others do, e.g. symlink the appropriate files and keep /.../doveadm/file zero-length, in order to fall back to LDAP always.
In short: doveadm must know the real path, all other services a faked one.
The migration of one user would be:

put user in /.../{imap,pop3,lmtp}/file   # or overwrite file with user
doveadm auth cache flush                 # make sure, user info is not cached already
migrate
remove user from /.../file
a) Besides the %s-way, there must be a way to have doveadm override the settings in:
userdb {
  driver = passwd-file
  args = /.../file
}
in the line of: doveadm -o userdb[*]/args=/dev/null ....
[*] IMHO you can specify which userdb section is meant by a number or something like that.
b) Instead of putting/removing the user, you can overwrite the file, if there is just one user, and remove the file at the very end.
Maybe you need no other userdb, but you can make use of %s in your LDAP userdb filter, e.g.
user_filter = (&(objectClass=posixAccount)(uid=%u)(!(deniedService=%Ls)))
However, you must test whether Dovecot's auth caching honors the different values of %s in this case. I mean: if doveadm queries the user data, the result will be cached; if the LMTP service queries next, does it get the result of doveadm or not? I suppose this applies to both variants.
Steffen Kaiser
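As an added illustration (not part of the original message and not Dovecot code), this Python model expands the user_filter from the message once per service and shows why the caching question matters: with a cache keyed by user alone, whichever service queries first decides the answer for all the others. The user jdoe, the directory entry, the homeDirectory value and both cache-key layouts are assumptions made for the example; it does not claim how Dovecot's auth cache actually behaves.

```python
# Toy model, not Dovecot code: per-service LDAP filter plus a result cache.
import re

USER_FILTER = "(&(objectClass=posixAccount)(uid=%u)(!(deniedService=%Ls)))"

# Constructed directory entry for the user being migrated (assumed values).
DIRECTORY = [{
    "objectClass": ["posixAccount"],
    "uid": ["jdoe"],
    "deniedService": ["imap", "pop3", "lmtp"],
    "homeDirectory": ["/srv/mail/jdoe"],
}]

def expand(template, user, service):
    """Substitute %u (user) and %Ls (lower-cased service name)."""
    return template.replace("%u", user).replace("%Ls", service.lower())

def matches(entry, flt):
    """Evaluate the single filter shape used here: (&(a=b)...(!(c=d)))."""
    negated = re.findall(r"\(!\((\w+)=([^()]*)\)\)", flt)
    rest = re.sub(r"\(!\(\w+=[^()]*\)\)", "", flt)
    required = re.findall(r"\((\w+)=([^()]*)\)", rest)
    has = lambda attr, val: val in entry.get(attr, [])
    return (all(has(a, v) for a, v in required)
            and not any(has(a, v) for a, v in negated))

def lookup(user, service, cache, key_has_service):
    """Return the user's home, or None if the filter finds no entry."""
    key = (user, service) if key_has_service else (user,)
    if key not in cache:  # negative results (None) are cached too
        flt = expand(USER_FILTER, user, service)
        hit = next((e for e in DIRECTORY if matches(e, flt)), None)
        cache[key] = hit["homeDirectory"][0] if hit else None
    return cache[key]

def simulate(order, key_has_service):
    """Query each service in turn against one shared cache."""
    cache = {}
    return {s: lookup("jdoe", s, cache, key_has_service) for s in order}

if __name__ == "__main__":
    for keyed in (True, False):
        print("service in cache key:", keyed)
        print("  doveadm first:", simulate(["doveadm", "lmtp", "imap"], keyed))
        print("  lmtp first:   ", simulate(["lmtp", "doveadm"], keyed))
```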