Migrate system users to virtual users
List, good afternoon,
We are at the planning stage of wanting to migrate from an existing installation onto a new machine, and also to change from system users to virtual users. May I check that our ideas for user id are correct?
I am not sure whether we will encounter a 'permissions' and 'user id' problem when moving from a system-user scheme to a virtual scheme. We use Maildir, and the maildirs at the moment are in their users' linux /home directories.
After reading the wiki, we think that the 'single system user for vmail' arrangement, ie just one system user to manage all the mail for all virtual users, will work for us. I think that means that the permissions on all our existing 'system-user-oriented' maildirs will have to be changed (in the new machine) so that they are owned by the 'single-system-user', such as 'vmail'.
One thought was to first copy the existing maildirs into the new virtual user file system tree, and then, second, change the owners and permissions on the maildirs and directories and messages to permit control by 'vmail'. From the point of view of transferring all the mail files, is that all we would have to do? (Of course, we would also have to create the virtual users and their passwords, and arrange the appropriate password lookups etc, but that's not the direct topic of this post. And that arrangement has to be compatible with the MTA, as well.)
If we do copy the maildirs and change the permissions, does all the metadata that the clients, or Dovecot, use to detect new, existing, or downloaded mail remain valid? Or should we use a different approach?
Grateful for any comment
regards, Ron
On 2014-11-13 12:29, Ron Leach wrote:
> List, good afternoon,
> We are at the planning stage of wanting to migrate from an existing installation onto a new machine, and also to change from system users to virtual users. May I check that our ideas for user id are correct?
> I am not sure whether we will encounter a 'permissions' and 'user id' problem when moving from a system-user scheme to a virtual scheme. We use Maildir, and the maildirs at the moment are in their users' linux /home directories.
> After reading the wiki, we think that the 'single system user for vmail' arrangement, ie just one system user to manage all the mail for all virtual users, will work for us. I think that means that the permissions on all our existing 'system-user-oriented' maildirs will have to be changed (in the new machine) so that they are owned by the 'single-system-user', such as 'vmail'.
> One thought was to first copy the existing maildirs into the new virtual user file system tree, and then, second, change the owners and permissions on the maildirs and directories and messages to permit control by 'vmail'. From the point of view of transferring all the mail files, is that all we would have to do? (Of course, we would also have to create the virtual users and their passwords, and arrange the appropriate password lookups etc, but that's not the direct topic of this post. And that arrangement has to be compatible with the MTA, as well.)
That is what I did with a system account that I migrated a few months back and it worked out well.
> If we do copy the maildirs and change the permissions, does all the metadata that the clients, or Dovecot, use to detect new, existing, or downloaded mail remain valid? Or should we use a different approach?
Hopefully someone with more experience will chime in and answer the particulars re metadata, but I did just what you're talking about and didn't have any problems; granted I was working with a test account with minimal data. I went from a setup like you described where I had /home/user/Maildir and migrated that content to /var/vmail/domain/user/Maildir and set the new system account as the user:group recursively. That setup has been working fine since. I initially made the mistake of leaving out the 'Maildir' subdirectory for the content, but after receiving some advice here on the list I corrected that mistake.
On 11/13/2014 01:29 PM, Ron Leach wrote:
> If we do copy the maildirs and change the permissions, does all the metadata that the clients, or Dovecot, use to detect new, existing, or downloaded mail remain valid? Or should we use a different approach?
/srv/mail/domains/example.com/exampleuser << This would be your 'home' in dovecot terms. Typically sieve files/directory/symlinks would be stored below this point.
/srv/mail/domains/example.com/exampleuser/Maildir << This would be your Maildir.
You have two items: home, and maildir. If you copy the maildir, you have everything, except for anything else that dovecot might be storing outside the Maildir, in the home directory. This would typically be sieve stuff, as mentioned. Take a look and see. Review your config etc. But in terms of what you specifically asked - just keeping track of messages and their flags, it's all within the Maildir, positive.
The Maildir does not need to be a subdirectory of the home directory, this is just my example.
One other thing that is possible in dovecot is separate storage for indexes, but if you're doing that, I would think that you should know you are :-)
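The copy-then-chown procedure discussed in this thread, written out as an added example that is not part of any poster's message: it copies one Maildir below a per-user home, hands the tree to the single mail account, closes it to group and others, and checks the result. The function names and the owner value (for instance `vmail:vmail`) are assumptions, and `find -perm /077` assumes GNU find.

```shell
#!/bin/sh
# Added example: move one system user's Maildir into a virtual-user tree.
# Layout follows the thread: <home>/Maildir below a per-user home directory.

migrate_maildir() {
    src=$1      # e.g. /home/user/Maildir
    home=$2     # e.g. /var/vmail/domain/user (the Dovecot "home")
    owner=$3    # single mail account, e.g. vmail:vmail (assumed name)

    # A Maildir always has cur/, new/ and tmp/; refuse anything else.
    for d in cur new tmp; do
        [ -d "$src/$d" ] || { echo "not a Maildir: $src" >&2; return 1; }
    done
    # Never merge into a mailbox that already exists.
    if [ -e "$home/Maildir" ]; then
        echo "already exists: $home/Maildir" >&2
        return 1
    fi

    mkdir -p "$home" || return 1
    # -a keeps file names (message flags live in the ":2,..." suffix),
    # mtimes, and Dovecot's own files such as dovecot-uidlist, which sit
    # inside the Maildir itself.
    cp -a "$src" "$home/Maildir" || return 1

    # Hand the whole home to the mail account and close it to everyone else.
    chown -R "$owner" "$home" || return 1
    chmod -R u=rwX,go= "$home" || return 1
}

# Succeeds only if every file arrived and nothing is group/other accessible.
verify_migration() {
    src=$1
    home=$2
    a=$(cd "$src" && find . | sort)
    b=$(cd "$home/Maildir" && find . | sort)
    [ "$a" = "$b" ] || { echo "file list differs" >&2; return 1; }
    loose=$(find "$home" -perm /077)    # GNU find: any g/o bit set
    [ -z "$loose" ] || { echo "too permissive: $loose" >&2; return 1; }
}
```

Run `migrate_maildir` as root per user while deliveries to the old location are stopped, then `verify_migration` with the same source and home before pointing Dovecot at the new tree.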
participants (3): deoren, Gedalya, Ron Leach