On Fri, 4 Aug 2017, Terry Jones wrote:
If you mean https://wiki.dovecot.org/Tools/Doveadm/Sync the answers seem implicit to what's been stated.
Yes, I do mean that address; I read that page four times and was still none the wiser. <rant-mode>And to be completely frank with you, if documentation relies on "implicit" guesswork and expects the user to "read between the lines" then in my books it is poor documentation!</rant-mode>
I didn't mean to criticize your comprehension skills. *All* documents assume some level of knowledge. If it was written to the level of an absolute neophyte, it would be tediously long and nearly unreadable.
Of course, if it leaves out important details or is targeted at gurus, it would also be useless. As someone who has to write technical documents, it's hard to strike a balance.
In this case, it assumes basic knowledge of ssh, file permissions and possibly how the parts of dovecot interact.
To be able to run the doveadm executable (or a wrapper script that eventually runs doveadm) on the remote side.
Sure, but my question was does it need to be the dovecot user itself?
I doubt it. Dovecot daemon users are meant to limit privilege, not extend it. It's mainly to compartmentalize access so that breaches don't lead to total system compromise.
For example, on one server I have a root crontab that calls "/usr/bin/doveadm expunge" and that seems to work fine even though it is not running as the dovecot user but just root calling doveadm?
It's not a surprise you can expunge user data as root, since it's the one account that can access all resources regardless of permissions. Which conveniently leads us to ...
Depending on your use-case, you might be better off using one of the other transport methods. Do you actually need per-user syncing?
No, I don't need per-user syncing as it happens. I just want to use the sync feature to push backups to other server(s) for DR purposes. So if you have better suggestions that would fit that use-case, I'm open to suggestions!
So you don't need per-user syncing, but rather, site-wide syncing. You can probably run "doveadm sync -A ..." as root and ssh pipe it to your DR server's root account. The simplest invocation might be like
doveadm dsync -A remote:root@drhost
(I'll let you read the man page on how to do user subsets!)
Or you can set up a TCP transport on your DR server like this random URL I Googled
https://blog.schaal-24.de/uncategorized/mails-mit-dovecot-ueber-tcp-syncen/
and skip ssh altogether.
Big caveat: I don't run any syncing, so I don't actually have practical experience doing it (but many on this list do, so I defer to their superior knowledge). All the information I wrote above is derived from reading the man page, and implicit knowledge.
Joseph Tam <jtam.home@gmail.com>
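The root-to-root ssh transport suggested above hands the mail server's root account an unrestricted login on the DR host. The following forced-command wrapper for the DR host's authorized_keys is an added example, not code from the thread or from the Dovecot project: it assumes Dovecot's default dsync_remote_cmd, which runs "doveadm dsync-server -u<user> -U" on the remote end over ssh, and the key path, script path and host names in the comments are hypothetical. The key then only ever runs dsync-server for a single, sanity-checked username, never a shell.

```shell
#!/bin/sh
# dsync-only: forced-command wrapper for the DR host's root key.
# Added example (not from the original thread or from Dovecot).
# Assumes Dovecot's default dsync_remote_cmd, i.e. the mail server's
# doveadm runs "doveadm dsync-server -u<user> -U" over ssh.
#
# DR host, /root/.ssh/authorized_keys (hypothetical path and key):
#   command="/usr/local/sbin/dsync-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... backup@mailhost
#
# Mail server, root's crontab (one-way push; "doveadm sync -A" for two-way):
#   doveadm backup -A remote:root@drhost
set -eu

# Return 0 only if $1 is exactly the command dsync is expected to run:
# the dsync-server subcommand, one username of safe characters, -U.
# Anything else (a shell, scp, doveadm expunge, a shell metacharacter
# smuggled into the username) is refused.
dsync_cmd_allowed() {
    printf '%s\n' "$1" | grep -Eq '^doveadm dsync-server -u[A-Za-z0-9._@+-]+ -U$'
}

# Pull the username back out of an already-validated command line.
dsync_cmd_user() {
    printf '%s\n' "$1" | sed -E 's/^doveadm dsync-server -u(.*) -U$/\1/'
}

# sshd sets SSH_ORIGINAL_COMMAND when a forced command is in effect;
# when the script is run by hand (or sourced for testing) this is skipped.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if dsync_cmd_allowed "$SSH_ORIGINAL_COMMAND"; then
        user=$(dsync_cmd_user "$SSH_ORIGINAL_COMMAND")
        # Re-assemble the command ourselves rather than eval'ing the
        # client's string, so only the validated username reaches doveadm.
        exec doveadm dsync-server -u"$user" -U
    fi
    logger -t dsync-only "refused ssh command: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

With this in place the mail server can still run "doveadm backup -A remote:root@drhost" unchanged, but an attacker who steals the key from the mail server gets a dsync endpoint on the DR host, not a root shell. If you change dsync_remote_cmd (for example to add -l or a different login), the pattern in dsync_cmd_allowed has to follow it.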