[Dovecot] replicator/dsync over tcp
Hi --
I am testing replicator/dsync over tcp, and I did run into some issues.
First of all I did need to extend http://wiki2.dovecot.org/Replication to get dsync over tcp running without ssl:
| # dsync over tcp default port
| #
| doveadm_port = 12345
| service doveadm {
| # running dsync over tcp and using ssl
| #
added-->|   user = vmail
|   inet_listener {
added-->|     address = 1.2.3.4
|     port = 12345
|     # ssl = yes
|   }
| }
| plugin {
| # this host replicates to remote host
| #
| mail_replica = tcp:SERVER-A.TLD
That didn't work ...
| dovecot: doveadm(test): Error: doveadm_password not set, can't authenticate to remote server
... thus, I needed to add:
added-->| local 1.2.3.4 {
added-->|   # password for client authentication by doveadm server
added-->|   #
added-->|   doveadm_password = secret
added-->|   # allow client to only use specified list of commands (default is all):
added-->|   #
added-->|   #doveadm_allowed_commands =
added-->| }
- Question: may one include "secret" from a file?
Well, that runs like a charm!
Now, I did try to add ssl by activating "ssl = yes" in 'service doveadm' (see above) and adding ...
| # used by replicator/dsync over tcp
| #
| ssl_client_ca_dir = /<path-to>/ssl/certs
... and ...
| mail_replica = tcps:SERVER-A.TLD
But, this didn't work (logfile at remote server):
| dovecot: doveadm(test): Invalid certificate: self signed certificate: /OU=dovecot server/CN=OTHER-NAME.TLD/emailAddress=postmaster@OTHER-NAME.TLD
| dovecot: doveadm(test): Error: SERVER-A.TLD: Received invalid SSL certificate
| dovecot: doveadm(test): Error: sync: Disconnected from remote
The OTHER-NAME.TLD is served by my additional settings used by my MUAs:
| ssl_cert = <path-to>/ssl/certs/OTHER-NAME.TLD.pem
| ssl_key = <path-to>/ssl/private/OTHER-NAME.TLD.pem
I did supply SERVER-A.TLD certs and private certificates at both servers as well, but dovecot seems to use those of OTHER-NAME.TLD for replicator/dsync instead :-(
- Question: May I config the certificate that should be used for replicator/dsync and that might be different from those used by my MUAs (other than pointing to '/<path-to>/ssl/certs')?
I am quite sure that I screwed my config somehow, but I cannot find the cause. Thus, someone?
Thanks, and with kind regards, Michael
Hi --
On 24.03.2013, at 22:07, Michael Grimm trashcan@odo.in-berlin.de wrote:
Forgot: That is Dovecot v2.2.rc3 (33e78edac8f5+)
Regards, Michael
On 24.3.2013, at 23.07, Michael Grimm trashcan@odo.in-berlin.de wrote:
First of all I did need to extend http://wiki2.dovecot.org/Replication to get dsync over tcp running without ssl:
..
| dovecot: doveadm(test): Error: doveadm_password not set, can't authenticate to remote server
Updated http://master.wiki2.dovecot.org/Replication with it.
- Question: may one include "secret" from a file?
Well, that runs like a charm!
name =
Now, I did try to add ssl by activating "ssl = yes" in 'service doveadm' (see above) and adding ...
| # used by replicator/dsync over tcp
| #
| ssl_client_ca_dir = /<path-to>/ssl/certs
... and ...
| mail_replica = tcps:SERVER-A.TLD
But, this didn't work (logfile at remote server):
| dovecot: doveadm(test): Invalid certificate: self signed certificate: /OU=dovecot server/CN=OTHER-NAME.TLD/emailAddress=postmaster@OTHER-NAME.TLD
| dovecot: doveadm(test): Error: SERVER-A.TLD: Received invalid SSL certificate
| dovecot: doveadm(test): Error: sync: Disconnected from remote
The OTHER-NAME.TLD is served by my additional settings used by my MUAs:
| ssl_cert = <path-to>/ssl/certs/OTHER-NAME.TLD.pem
| ssl_key = <path-to>/ssl/private/OTHER-NAME.TLD.pem
I did supply SERVER-A.TLD certs and private certificates at both servers as well, but dovecot seems to use those of OTHER-NAME.TLD for replicator/dsync instead :-(
The SERVER-A.TLD needs to have a certificate that is signed by one of the CAs in ssl_client_ca_dir. ssl_cert/key settings are irrelevant here. You can't use a self-signed cert, unless you put it into the CA dir (I don't know how exactly that works).
Timo Sirainen tss@iki.fi wrote:
On 24.3.2013, at 23.07, Michael Grimm trashcan@odo.in-berlin.de wrote:
First of all I did need to extend http://wiki2.dovecot.org/Replication to get dsync over tcp running without ssl:
..
| dovecot: doveadm(test): Error: doveadm_password not set, can't authenticate to remote server
Updated http://master.wiki2.dovecot.org/Replication with it.
My point has been, that I needed to add ...
| local 1.2.3.4 {
|   doveadm_password = secret
| }
... besides ...
| service doveadm {
|   inet_listener {
|     address = 1.2.3.4
|     port = 12345
|   }
| }
... which I cannot find at http://master.wiki2.dovecot.org/Replication if I am not mistaken.
- Question: may one include "secret" from a file?
name =
Thanks, applied and working.
Now, I did try to add ssl by activating "ssl = yes" in 'service doveadm' (see above) and adding ...
| # used by replicator/dsync over tcp
| #
| ssl_client_ca_dir = /<path-to>/ssl/certs
... and ...
| mail_replica = tcps:SERVER-A.TLD
But, this didn't work (logfile at remote server):
| dovecot: doveadm(test): Invalid certificate: self signed certificate: /OU=dovecot server/CN=OTHER-NAME.TLD/emailAddress=postmaster@OTHER-NAME.TLD
| dovecot: doveadm(test): Error: SERVER-A.TLD: Received invalid SSL certificate
| dovecot: doveadm(test): Error: sync: Disconnected from remote
The OTHER-NAME.TLD is served by my additional settings used by my MUAs:
| ssl_cert = <path-to>/ssl/certs/OTHER-NAME.TLD.pem
| ssl_key = <path-to>/ssl/private/OTHER-NAME.TLD.pem
I did supply SERVER-A.TLD certs and private certificates at both servers as well, but dovecot seems to use those of OTHER-NAME.TLD for replicator/dsync instead :-(
The SERVER-A.TLD needs to have a certificate that is signed by one of the CAs in ssl_client_ca_dir. ssl_cert/key settings are irrelevant here. You can't use a self-signed cert, unless you put it into the CA dir (I don't know how exactly that works).
I did get tcps running in the meantime following:
- http://www.zytrax.com/tech/survival/ssl.html ("Method 3" plus "Multi-Server Certificates")
- postfix' documentation at http://www.postfix.org/TLS_README.html#server_cert_key (here I had to reverse order, meaning CA first)
- pointing ssl_cert, ssl_key to relevant files in /<path-to>/ssl/ca/certs and /<path-to>/ssl/ca/private, respectively
- ssl_client_ca_dir = /<path-to>/ssl/ca/certs
Question: Why is it necessary to use ssl_cert/key settings from my CA although you state:
ssl_cert/key settings are irrelevant here.
Besides dovecot is synchronising as expected, I do get a lot of logfile entries like ...
| dovecot: dsync-local(test): Warning: I/O leak: 0x10b8cf20 (line 341, fd 14)
... and in addition if "verbose_ssl = yes" is set:
| dsync-remote(test): Warning: SSL alert: where=0x4004, ret=256: warning close notify
Hmm, I do have to admit that I do not understand SSL/TLS/CA/...!
Thus, I am uncertain whether to ignore those warnings or if my setup is broken in the first place?
All hints are highly appreciated, Michael
On 6.4.2013, at 15.20, Michael Grimm trashcan@odo.in-berlin.de wrote:
My point has been, that I needed to add ...
| local 1.2.3.4 {
|   doveadm_password = secret
| }
... besides ...
| service doveadm {
|   inet_listener {
|     address = 1.2.3.4
|     port = 12345
|   }
| }
... which I cannot find at http://master.wiki2.dovecot.org/Replication if I am not mistaken.
doveadm_password is there as a global setting, which works too.
I did get tcps running in the meantime following:
- http://www.zytrax.com/tech/survival/ssl.html ("Method 3" plus "Multi-Server Certificates")
- postfix' documentation at http://www.postfix.org/TLS_README.html#server_cert_key (here I had to reverse order, meaning CA first)
- pointing ssl_cert, ssl_key to relevant files in /<path-to>/ssl/ca/certs and /<path-to>/ssl/ca/private, respectively
- ssl_client_ca_dir = /<path-to>/ssl/ca/certs
Question: Why is it necessary to use ssl_cert/key settings from my CA although you state:
ssl_cert/key settings are irrelevant here.
Oh, yeah, for doveadm server you need ssl_cert/key of course.
Besides dovecot is synchronising as expected, I do get a lot of logfile entries like ...
| dovecot: dsync-local(test): Warning: I/O leak: 0x10b8cf20 (line 341, fd 14)
Seems like a bug. A bit difficult to debug though. Do you see any errors before those warnings (or any errors at all)?
... and in addition if "verbose_ssl = yes" is set:
| dsync-remote(test): Warning: SSL alert: where=0x4004, ret=256: warning close notify
I think that's normal.
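The certificate layout Timo describes (a server certificate signed by a CA that is present in ssl_client_ca_dir, or the self-signed certificate itself placed in that directory), worked through as an added example that is not part of this thread and not Dovecot's own code. The POSIX shell script below builds a throwaway CA with openssl, signs a SERVER-A.TLD certificate with it, creates a second self-signed OTHER-NAME.TLD certificate like the MUA-facing one that was rejected above, fills a CA directory with the subject-hash file names OpenSSL's CApath lookup (and therefore ssl_client_ca_dir) requires, and checks each certificate with openssl verify the way the dsync client would. The directory layout, the port 12345 and the password are assumptions for illustration; the hostnames are the placeholders used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from Dovecot: build the certificates
# behind "mail_replica = tcps:" and check them the way the dsync client does.
# All paths, the port and the password are assumptions for illustration.
set -eu

# Create a private CA, a CA-signed SERVER-A.TLD cert and a self-signed
# OTHER-NAME.TLD cert (like the MUA-facing one in the thread) under $1.
make_pki() {
  dir=$1
  mkdir -p "$dir/certs" "$dir/private"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/OU=dovecot CA/CN=Replication CA" \
    -keyout "$dir/private/ca.key" -out "$dir/certs/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/OU=dovecot server/CN=SERVER-A.TLD" \
    -keyout "$dir/private/SERVER-A.TLD.key" -out "$dir/SERVER-A.TLD.csr" 2>/dev/null
  openssl x509 -req -days 825 -in "$dir/SERVER-A.TLD.csr" \
    -CA "$dir/certs/ca.pem" -CAkey "$dir/private/ca.key" -CAcreateserial \
    -out "$dir/certs/SERVER-A.TLD.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
    -subj "/OU=dovecot server/CN=OTHER-NAME.TLD" \
    -keyout "$dir/private/OTHER-NAME.TLD.key" \
    -out "$dir/certs/OTHER-NAME.TLD.pem" 2>/dev/null
}

# Add certificates to a CApath-style directory. OpenSSL (and therefore
# ssl_client_ca_dir) finds trust anchors by <subject_hash>.<n> file names,
# so a file that is merely copied into the directory under its own name is
# never consulted. This does what c_rehash does for the given files.
hash_ca_dir() {
  cadir=$1; shift
  mkdir -p "$cadir"
  for pem in "$@"; do
    h=$(openssl x509 -noout -subject_hash -in "$pem")
    n=0
    while [ -e "$cadir/$h.$n" ]; do n=$((n + 1)); done
    cp "$pem" "$cadir/$h.$n"
  done
}

# Verify a certificate against the hashed directory; echoes ok or fail.
verify_against() {
  if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# The Dovecot settings the thread ends up with, pointed at the files above
# (ssl_cert/ssl_key are needed for the doveadm server side, as Timo notes).
dovecot_settings() {
  dir=$1
  cat <<EOF
doveadm_port = 12345
doveadm_password = secret
service doveadm {
  inet_listener {
    port = 12345
    ssl = yes
  }
}
ssl_cert = <$dir/certs/SERVER-A.TLD.pem
ssl_key = <$dir/private/SERVER-A.TLD.key
ssl_client_ca_dir = $dir/capath
plugin {
  mail_replica = tcps:SERVER-A.TLD
}
EOF
}

demo() {
  dir=$1
  make_pki "$dir"
  hash_ca_dir "$dir/capath" "$dir/certs/ca.pem"
  echo "CA-signed SERVER-A.TLD:      $(verify_against "$dir/capath" "$dir/certs/SERVER-A.TLD.pem")"
  echo "self-signed OTHER-NAME.TLD:  $(verify_against "$dir/capath" "$dir/certs/OTHER-NAME.TLD.pem")"
  hash_ca_dir "$dir/capath" "$dir/certs/OTHER-NAME.TLD.pem"
  echo "self-signed, now in CA dir:  $(verify_against "$dir/capath" "$dir/certs/OTHER-NAME.TLD.pem")"
  dovecot_settings "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo "$(mktemp -d)"; fi
```

Run it with `--demo` to build everything in a temporary directory and print the resulting settings. The CA-signed certificate verifies as soon as the CA is in the hashed directory, the self-signed one only after its own subject-hash entry has been added, which is the case Timo was unsure about: the "self signed certificate" error from the log above is exactly what openssl reports when the peer's certificate is self-signed and not itself present as a trust anchor.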