Terry Jones wrote:
> The documentation is somewhat silent on this subject.

If you mean https://wiki.dovecot.org/Tools/Doveadm/Sync the answers seem implicit in what's been stated.

> What permissions does the SSH user need?

To be able to run the doveadm executable (or a wrapper script that eventually runs doveadm) on the remote side.

> How associated does it need to be with things like dovecot directory ownership etc.?

It will take uid/gid directly from the login privileges unless you use a wrapper script that changes UID/GID. This may be necessary if you use the remote-prefix option for remapping virtual users and user@domain to another UID/GID.

> Obviously my dovecot daemon processes are running as restricted users with "nologin" shells etc., and I don't really want to go opening them up if I don't have to.

It doesn't seem possible: you'll need to be able to set up the other endpoint of communication. You may be able to lock down the shell by replacing it with a fixed doveadm and arguments, or perhaps by fiddling with keys and the forced command feature of ssh, after working out the security issues.

Depending on your use-case, you might be better off using one of the other transport methods. Do you actually need per-user syncing?
Joseph Tam <jtam.home@gmail.com>
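As an added example (not part of the thread above, and not Dovecot's own code), this is one way to do what Joseph suggests with the ssh forced-command feature: the sync user's key is pinned in authorized_keys to a wrapper, and the wrapper only ever runs doveadm dsync-server for a user name it has validated from $SSH_ORIGINAL_COMMAND, never executing the requested string itself. It assumes the remote doveadm lives at /usr/bin/doveadm (overridable via $DOVEADM), and that the client side requests "doveadm dsync-server -u <user>", the command shape doveadm sync uses for its ssh transport; both are assumptions, as is the wrapper path /usr/local/bin/dsync-wrapper. The wrapper still runs as whatever user the key logs in as, so that account (not a nologin daemon account) has to be able to reach the mail store, exactly as Joseph says.

```shell
#!/bin/sh
# Added example: SSH forced-command wrapper for the remote end of
# "doveadm sync -u <user> remote:host". Not from the original thread.
#
# Install with the sync key pinned to it in ~/.ssh/authorized_keys, e.g.
#   command="/usr/local/bin/dsync-wrapper",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... dsync@source
# sshd then ignores what the client asked to run, calls this script, and
# exposes the original request in $SSH_ORIGINAL_COMMAND. The request is
# attacker-controlled if the key leaks, so it is parsed, never eval'd.
#
# Assumptions (not from the page): doveadm is at $DOVEADM (default below) and the
# client requests "doveadm dsync-server -u <user>" (or "-u<user>").
DOVEADM="${DOVEADM:-/usr/bin/doveadm}"

# Validate a requested command line; on success print the user it names and
# return 0, otherwise print nothing and return 1.
dsync_allowed_user() {
    set -f                 # no pathname expansion while splitting the request
    set -- $1              # word-split on IFS (space, tab, newline)
    set +f
    case "$#" in
        3)  # doveadm dsync-server -u<user>
            [ "$1" = doveadm ] && [ "$2" = dsync-server ] || return 1
            case "$3" in -u?*) user=${3#-u} ;; *) return 1 ;; esac ;;
        4)  # doveadm dsync-server -u <user>
            [ "$1" = doveadm ] && [ "$2" = dsync-server ] && [ "$3" = -u ] || return 1
            user=$4 ;;
        *)  return 1 ;;
    esac
    # The user becomes doveadm's -u argument and may end up in paths: accept a
    # plain local-part or local-part@domain only, with no leading dash, no
    # slashes, no dot-dot and nothing outside a conservative character set.
    case "$user" in
        ''|-*|*/*|*..*|*[!A-Za-z0-9._@+-]*) return 1 ;;
    esac
    printf '%s\n' "$user"
}

# Emit the authorized_keys entry that pins a public key to this wrapper.
# dsync only needs stdin/stdout, so every other channel type is refused.
authorized_keys_line() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2"
}

# Entry point when sshd runs this as the forced command. When the file is
# sourced for testing there is no SSH_ORIGINAL_COMMAND and nothing below runs.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    user=$(dsync_allowed_user "$SSH_ORIGINAL_COMMAND") || {
        printf 'dsync-wrapper: rejected request from %s\n' "${SSH_CLIENT%% *}" >&2
        exit 1
    }
    exec "$DOVEADM" dsync-server -u "$user"
fi
```

Because the shell is the wrapper and not the user's login shell, the sync account can keep a nologin-style shell for interactive use while still serving dsync; what it cannot avoid is owning, or being able to read and write, the mailboxes it is asked to sync.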