Dovecot replication and userdb "noreplicate".
Hello!
I finally took the time and spent two days to set up replication for my server and now I have a question or two.
I initially set noreplicate userdb field to 1 for all but a test user, but I could still see in the logs that all mailboxes were trying to connect to the other server via SSH. Is that normal?
Jun 22 16:55:22 host dovecot: dsync-local(user@host.ee)<>: Error: Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l vmail backup.host.ee doveadm dsync-server -D -u user@host.ee
Then I ended up setting mail_replica in userdb for only my test user, but I could still see in the logs that it was trying to sync the others as well, despite mail_replica being 0 for the rest.
Jun 22 20:52:59 host dovecot: doveadm(user@host.ee): Fatal: -N parameter requires syncing with remote host
I also notice (and read from recent posts) that sieve script replication doesn't work at all.
Dovecot v2.3.6 and Pigeonhole from the official Dovecot CentOS repo.
Thanks,
Reio

PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun as usual. :)
On 22.6.2019 22.00, Reio Remma via dovecot wrote:
Hi!
We are fixing this in 2.3.7; noreplicate works but causes errors. You can try https://github.com/dovecot/core/compare/6d5b4b5%5E..93945ec.patch if you are compiling yourself.
Dovecot under selinux works, as long as you do it the way the policy writer intended, see https://linux.die.net/man/8/dovecot_selinux
Aki
On 24.06.2019 8:21, Aki Tuomi wrote:
For replication over SSH I had to add the following module:
    module selinux-dovecot-replication-ssh 1.0;

    require {
        type ssh_exec_t;
        type ssh_home_t;
        type dovecot_t;
        class file { open read execute execute_no_trans };
        class dir { getattr search };
    }

    #============= dovecot_t ==============
    allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
    allow dovecot_t ssh_home_t:dir { getattr search };
    allow dovecot_t ssh_home_t:file { open read };
ssh_exec_t is needed to allow Dovecot to use the ssh executable in the first place, and ssh_home_t:dir + ssh_home_t:file for it to be able to read known_hosts from /root/.ssh.
Reio
On 24.06.2019 16:25, Reio Remma wrote:
To cut down on selinux exceptions I put the destination host in /etc/ssh/ssh_known_hosts, and dovecot successfully replicates; however, I get the following log entry for every replicator action:
Aug 6 22:25:59 turin dovecot: doveadm: Error: Could not create directory '/root/.ssh'.
Replication is set up with the user vmail (/home/vmail and SSH key in /home/vmail/.ssh) and the minimum selinux rule to get Dovecot to read the key is:
    allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read };
Is there a way I can change from root to vmail user for creating the SSH connection?
Doveconf below:
    # 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
    # Pigeonhole version 0.5.7.1 (db5c74be)
    # OS: Linux 4.4.186-1.el7.elrepo.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core)
    # Hostname: turin.mrstuudio.ee
    doveadm_api_key = # hidden, use -P to show it
    dsync_remote_cmd = ssh -i /home/vmail/.ssh/vmail.pem -l %{login} %{host} doveadm dsync-server -u %u
    mail_gid = vmail
    mail_home = /home/vmail/%d/%n
    mail_location = maildir:~/Maildir
    mail_log_prefix = "%s(%u): "
    mail_plugins = quota notify replication
    mail_uid = vmail
    mbox_write_locks = fcntl
    namespace inbox {
      inbox = yes
      location =
      mailbox "Deleted Messages" {
        auto = no
        special_use = \Trash
      }
      mailbox Drafts {
        auto = subscribe
        special_use = \Drafts
      }
      mailbox Junk {
        auto = no
        special_use = \Junk
      }
      mailbox Sent {
        auto = subscribe
        special_use = \Sent
      }
      mailbox "Sent Messages" {
        auto = no
        special_use = \Sent
      }
      mailbox Spam {
        auto = subscribe
        special_use = \Junk
      }
      mailbox Trash {
        auto = subscribe
        special_use = \Trash
      }
      prefix = INBOX.
      separator = .
      type = private
    }
    passdb {
      args = /etc/dovecot/dovecot-sql.conf.ext
      driver = sql
    }
    plugin {
      mail_replica = remote:vmail@replica
    }
    protocols = imap lmtp
    service aggregator {
      fifo_listener replication-notify-fifo {
        user = vmail
      }
      unix_listener replication-notify {
        user = vmail
      }
    }
    service doveadm {
      inet_listener http {
        address = localhost
        port = 8080
      }
    }
    service imap-login {
      inet_listener imap {
        port = 0
      }
      inet_listener imaps {
        port = 993
        ssl = yes
      }
    }
    service lmtp {
      executable = lmtp -L
    }
    service replicator {
      process_min_avail = 1
      unix_listener replicator-doveadm {
        mode = 0600
        user = vmail
      }
    }
    service stats {
      unix_listener stats-writer {
        mode = 0666
      }
    }
    userdb {
      args = /etc/dovecot/dovecot-sql.conf.ext
      default_fields = uid=vmail gid=vmail
      driver = sql
    }
    protocol lmtp {
      mail_plugins = quota notify replication
    }
    protocol imap {
      imap_capability = +SPECIAL-USE
      imap_metadata = yes
      mail_max_userip_connections = 50
      mail_plugins = quota notify replication imap_quota
      namespace inbox {
        location =
        mailbox Ham {
          autoexpunge = 365 days
        }
        mailbox Spam {
          autoexpunge = 365 days
        }
        mailbox Trash {
          autoexpunge = 180 days
        }
        prefix =
      }
    }
Thanks!
Reio
On 06.08.2019 23:17, Reio Remma via dovecot wrote:
    service doveadm {
      inet_listener http {
        address = localhost
        port = 8080
      }
    }
    service doveadm {
      user = vmail
    }
This seems to have fixed it. Here's hoping for no unforeseen side-effects. :)
I still need allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read }; for selinux, but there are no more errors in maillog and it can read both the key and known_hosts (from either /home/vmail/.ssh/known_hosts or /etc/ssh/ssh_known_hosts).
Reio
On 6 Aug 2019, at 23.52, Reio Remma via dovecot <dovecot@dovecot.org> wrote:
    service doveadm {
      user = vmail
    }
This seems to have fixed it. Here's hoping for no unforeseen side-effects. :)
I still need allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read }; for selinux, but there are no more errors in maillog and it can read both the key and known_hosts (from either /home/vmail/.ssh/known_hosts or /etc/ssh/ssh_known_hosts).
There might be. What we usually do is just allow the dsync user to sudo doveadm dsync-server and then add sudo to the dsync remote command.
Sami
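An added example, not code from the thread or from the Dovecot project: a POSIX shell script that writes the SELinux module Reio posted above to disk, compiles and loads it with the standard policycoreutils tools, prints the resulting allow rules, and, for the sudo approach Sami describes, writes a sudoers rule on the replica that grants the replication user exactly one command. The doveadm path /usr/bin/doveadm, the user name vmail, the sudoers file name and the module directory are assumptions; adjust them to your system.

```sh
#!/bin/sh
# Added example (not from the thread). Build/install the dovecot -> ssh SELinux
# module and write a least-privilege sudoers rule for "sudo doveadm dsync-server".
# Assumptions: doveadm lives at /usr/bin/doveadm and the replication user is vmail.
set -eu

MODULE=selinux-dovecot-replication-ssh

# Write the policy module from the thread into DIR/$MODULE.te.
write_policy_module() {
    dir=$1
    cat > "$dir/$MODULE.te" <<'EOF'
module selinux-dovecot-replication-ssh 1.0;

require {
    type ssh_exec_t;
    type ssh_home_t;
    type dovecot_t;
    class file { open read execute execute_no_trans };
    class dir { getattr search };
}

#============= dovecot_t ==============
# let the dovecot domain run the ssh binary named in dsync_remote_cmd
allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
# let it read ~/.ssh (private key and known_hosts) without a domain transition
allow dovecot_t ssh_home_t:dir { getattr search };
allow dovecot_t ssh_home_t:file { open read };
EOF
}

# Compile and load the module (needs checkmodule, semodule_package, semodule).
install_policy_module() {
    dir=$1
    checkmodule -M -m -o "$dir/$MODULE.mod" "$dir/$MODULE.te"
    semodule_package -o "$dir/$MODULE.pp" -m "$dir/$MODULE.mod"
    semodule -i "$dir/$MODULE.pp"
}

# Print the allow rules now in effect for the two targets (needs setools-console),
# so you can confirm nothing broader than the three rules above was loaded.
show_policy() {
    sesearch -A -s dovecot_t -t ssh_exec_t -c file
    sesearch -A -s dovecot_t -t ssh_home_t
}

# Replica side: let USER run only "doveadm dsync-server -u <mailbox>" as root.
# The trailing * is a sudoers wildcard and also matches extra arguments, so this
# pins the subcommand but not the exact argument list; no shell or other
# doveadm subcommands are reachable through it.
write_sudoers() {
    file=$1
    user=${2:-vmail}
    cat > "$file" <<EOF
# dsync over ssh runs without a tty
Defaults:$user !requiretty
$user ALL=(root) NOPASSWD: /usr/bin/doveadm dsync-server -u *
EOF
    chmod 0440 "$file"
}

# Syntax-check a sudoers fragment before dropping it into /etc/sudoers.d.
validate_sudoers() {
    visudo -cf "$1"
}

# Usage: sh this.sh install /path/to/workdir   (on the primary)
#        sh this.sh sudoers /etc/sudoers.d/dovecot-dsync   (on the replica)
case "${1:-}" in
    install)
        write_policy_module "$2"
        install_policy_module "$2"
        show_policy
        ;;
    sudoers)
        write_sudoers "$2" "${3:-vmail}"
        validate_sudoers "$2"
        ;;
esac
```

With the sudoers rule in place, the primary's dsync_remote_cmd from the doveconf above becomes `ssh -i /home/vmail/.ssh/vmail.pem -l %{login} %{host} sudo doveadm dsync-server -u %u`, and doveadm on the primary can keep running as vmail instead of root.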
On 07/08/2019 09:29, Sami Ketola wrote:
Thanks! I'll keep it in mind in case I run into problems with doveadm as vmail. So far so good.
Thanks again!
Reio