[Dovecot] migrating/converting from system users -> virtual users
Hello all,
We currently have a traditional mail server where all users have system accounts (ie entries in the NIS passwd map) and mbox-format mail folders in their (system) home directories.
I'm trying to set up a dovecot server in which we want all users to have "virtual" accounts (in dovecot) and no entry in the passwd file at all (ie no access to the mail server).
This is for security reasons: we want to imagine that users connecting to the mail server in future will not be able to access any resources on the server other than access their email messages. To this end we've set up a "vmail" user that owns all the messages in the Maildir directories.
Most of this is working but I'm stuck on how to convert users' mail folders from the existing setup to the new one. I'm using the convert plugin but of course the problem is that the plugin executes as the "vmail" user and cannot access the existing mail folders that belong to the users: and I'd be worried if it could, of course!
So I've converted a few users already by making copies of their old-world mailboxes, changing the ownership of the copies and pointing the convert plugin to these copies, instead of the originals.
This works (modulo the dreaded "timeouted" error messages) but is very ugly.
So I tried looking at the convert-tool but can't find a man page for it so am not sure what I'm doing with it!
I have the idea that I should be able to run some command (as a privileged user) on the mail server and have it do the conversion for me, changing the ownership/permissions on the way.
Can convert-tool do this?
I'd prefer to go with the automatic (plugin) conversion if I can bodge the ownership issues somehow. Failing that, some tool or script may be the next best answer.
This is Dovecot 1.2 by the way on Solaris 10.
Any suggestions would be welcome!
Steve Platt
On 28.2.2012, at 19.45, Steve Platt wrote:
> Most of this is working but I'm stuck on how to convert users' mail folders from the existing setup to the new one. I'm using the convert plugin but of course the problem is that the plugin executes as the "vmail" user and cannot access the existing mail folders that belong to the users: and I'd be worried if it could, of course!
Convert plugin also has some other problems.
> I have the idea that I should be able to run some command (as a privileged user) on the mail server and have it do the conversion for me, changing the ownership/permissions on the way.
> Can convert-tool do this?
Possibly, but I remember it had some problems. The best solution would be to use Dovecot v2.0's dsync. Also you can use one of the scripts in http://wiki2.dovecot.org/Migration/MailFormat such as mb2md.
> I'd prefer to go with the automatic (plugin) conversion if I can bodge the ownership issues somehow. Failing that, some tool or script may be the next best answer.
You could set mail_drop_priv_before_exec=yes, mail_access_groups=vmail and chgrp vmail, chmod g+rw the old mailboxes.
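A way to script the ownership change Timo describes, as an added example that is not from this thread or from the Dovecot project: it assumes it runs as root, that a group named vmail exists, and a v1.2-style convert plugin setup (the dovecot.conf fragment in the comments, including the convert_mail line, is reproduced from memory of the 1.x wiki and should be checked against your version).

```shell
#!/bin/sh
# Prepare one user's old mbox so a Dovecot process that keeps the vmail
# group (mail_drop_priv_before_exec=yes + mail_access_groups=vmail) can
# read and lock it during convert-plugin migration. Only the group bits
# are opened; "other" permissions are left exactly as they were.
#
# Matching dovecot.conf fragment (assumed v1.2 layout, verify locally):
#   mail_drop_priv_before_exec = yes
#   mail_access_groups = vmail
#   protocol imap {
#     mail_plugins = convert
#   }
#   plugin {
#     convert_mail = mbox:%h/mail:INBOX=/var/mail/%u
#   }
#
# Usage (as root): prepare_old_mailbox /var/mail/alice vmail

prepare_old_mailbox() {
    mbox=$1
    grp=${2:-vmail}

    # A privileged chgrp/chmod must never follow a symlink: a user could
    # point one from their home or spool file at a file we must not open.
    if [ -L "$mbox" ]; then
        echo "refusing symlink: $mbox" >&2
        return 1
    fi
    if [ ! -f "$mbox" ]; then
        echo "not a regular file: $mbox" >&2
        return 1
    fi
    chgrp "$grp" "$mbox" || return 1
    chmod g+rw "$mbox" || return 1
    # Every process running with group $grp can now read this mailbox;
    # tighten it again once the user has been migrated.
    return 0
}

# True when the group permission bits of $1 read "rw" (columns 5-6 of
# ls -l output, which is the same on Solaris, GNU and BSD ls).
group_rw() {
    [ "$(ls -ld "$1" | cut -c5-6)" = "rw" ]
}

if [ $# -ge 1 ]; then
    prepare_old_mailbox "$@"
fi
```

Run it once per user from the list of accounts being migrated, then remove the convert plugin and the group permissions when the migration is complete.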
Thank you for your help, Timo.
> use Dovecot v2.0's dsync
I gather from your reply that it's OK to use Dovecot 2.0 utilities (eg dsync) on a dovecot (v1) installation; presumably with its own configuration file(s).
> You could set mail_drop_priv_before_exec=yes ... chgrp vmail ...
Yes, I think we could do that; I should have thought of it myself, thanks again.
I think there was one other problem with the automatic conversion which I've now remembered: I note that the first time a user connects to the imap service dovecot creates their (virtual) home directory for them with all the right permissions. That's great and I use the existence of that directory as an indication to our MTA that the user wants delivery into the dovecot store rather than their old system mailbox. However once I tried using the convert plugin the process fails because (it seems) the conversion tries to take place before the home directory has been created.
Is there any configuration change that might change this order?
Can I configure the convert plugin on LDA delivery, for example, instead of as part of the "protocol imap" section?
Many thanks, Steve Platt
On 8.3.2012, at 20.46, Steve Platt wrote:
>> use Dovecot v2.0's dsync
> I gather from your reply that it's OK to use Dovecot 2.0 utilities (eg dsync) on a dovecot (v1) installation; presumably with its own configuration file(s).
Yes, although in some situations it might write stuff to index files that v1.x complains about. But deleting index files afterwards fixes that.
>> You could set mail_drop_priv_before_exec=yes ... chgrp vmail ...
> Yes, I think we could do that; I should have thought of it myself, thanks again.
> I think there was one other problem with the automatic conversion which I've now remembered: I note that the first time a user connects to the imap service dovecot creates their (virtual) home directory for them with all the right permissions. That's great and I use the existence of that directory as an indication to our MTA that the user wants delivery into the dovecot store rather than their old system mailbox. However once I tried using the convert plugin the process fails because (it seems) the conversion tries to take place before the home directory has been created.
> Is there any configuration change that might change this order?
No.
> Can I configure the convert plugin on LDA delivery, for example, instead of as part of the "protocol imap" section?
Yes.