[Dovecot] quota-status not working in distributed environment
Hello List
Quick overview of our set-up:
Postfix / Dovecot (2.2.2.1) / MySQL Cluster on (at the moment) three Servers to create a HA environment where you could easily add additional servers as the demand or load grows.
Circular Dovecot replication is used, so each server uses another one as its replication partner, allowing one server to fail.
The Dovecot proxy feature is being used, so we can use round-robin DNS and each server can forward the connecting user to the correct 'master' for his mailbox.
So far, everything works as expected.
Now we want to reject emails to 'full' mailboxes during SMTP to prevent backscatter and use the quota-status policy service from within postfix.
That works fine if the mailbox or its replica is present on the machine where quota-status is called, but it fails if it's run on a machine where neither the mailbox nor the replica is present. In our case, we get a correct SMTP 550 'Mailbox Full' reject in two cases and an LMTP-generated bounce in the latter case.
Also, doveadm quota get -u user@example.com returns the correct quota if run on the two machines which have the mailbox and its copy locally, but returns 0% used if run on the other machine.
Is there a way to get quota-status to also use the proxy feature to request the quota information from the correct machine?
Or is the postfix policy daemon call to the quota-status socket documented somewhere (it must be, but where?) so we could implement it from within the Milter? (we use the sendmail Milter API from postfix to filter spam and viruses, do sender/recipient rewriting, forward bounce matching, rate limiting, login/IP statistics to block botnets abusing phished addresses and legal intercept stuff anyway)
Kind regards
Benoit Panizzon
I m p r o W a r e A G -
Zurlindenstrasse 29 Tel +41 61 826 93 07 CH-4133 Pratteln Fax +41 61 826 93 02 Schweiz Web http://www.imp.ch
At 12PM +0200 on 13/06/13 you (Benoit Panizzon) wrote:
Or is the postfix policy daemon call to the quota-status socket documented somewhere (it must be, but where?) so we could implement it from within the Milter? (we use the sendmail Milter API from postfix to filter spam and viruses, do sender/recipient rewriting, forward bounce matching, rate limiting, login/IP statistics to block botnets abusing phished addresses and legal intercept stuff anyway)
The quota-status protocol is just the ordinary Postfix policy delegation protocol, documented in Postfix's SMTPD_POLICY_README. I would have thought that if you give 'service quota-status' an inet_listener you could have the Postfix policy check the quota on several machines over the network, though of course the policy protocol has absolutely no security so you may not want to do that.
Ben
Hi Ben
thank you for your reply.
The quota-status protocol is just the ordinary Postfix policy delegation protocol, documented in Postfix's SMTPD_POLICY_README. I would have thought that if you give 'service quota-status' an inet_listener you could have the Postfix policy check the quota on several machines over the network, though of course the policy protocol has absolutely no security so you may not want to do that.
Well, security is not such an issue, as the mailservers are in a LAN where access from outside (to prevent direct access to LMTP and other ports) is restricted anyway. So yes, they could connect to that policy port from each other. But doing three connects (or even more if we add more servers) for each incoming email could cause scaling issues or performance issues if one server becomes laggy for some reason.
I read about the policy protocol. It's quite simple (compared with sendmail milter). I will directly connect to the policy service on the correct machine from within the milter. The milter has to do a database query anyway, so I get the mailbox hostname in the same query. So I can do an IO::Socket::INET connect to the right machine which knows the quota of that recipient.
Btw, the quota-status just returns DUNNO or 'Quota Full'. Is there a similar easy way to check the amount of quota used? I could then update that information in the database and use it to, for example, find abandoned mailboxes.
Kind regards
Benoit Panizzon
I m p r o W a r e A G -
Zurlindenstrasse 29 Tel +41 61 826 93 07 CH-4133 Pratteln Fax +41 61 826 93 02 Schweiz Web http://www.imp.ch
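The direct policy lookup planned in the message above, sketched in Python rather than the Perl IO::Socket::INET the poster mentions. This is an added example, not code from the thread; the attribute set, port 12340 and all function names are assumptions. Because the policy protocol has no security or escaping, the sketch rejects line breaks in attribute values and fails open on a slow or unreachable backend.

```python
import socket

def build_request(recipient, size=0):
    """Serialise a Postfix policy delegation request (SMTPD_POLICY_README)."""
    attrs = {                      # minimal attribute set, assumed sufficient
        "request": "smtpd_access_policy",
        "protocol_state": "RCPT",
        "recipient": recipient,
        "size": str(size),
    }
    for name, value in attrs.items():
        # Line-based protocol with no escaping: a CR/LF inside a value taken
        # from the SMTP dialogue would inject extra attributes.
        if "\n" in value or "\r" in value:
            raise ValueError(f"illegal line break in {name}")
    body = "".join(f"{k}={v}\n" for k, v in attrs.items())
    return (body + "\n").encode()  # an empty line terminates the request

def parse_reply(data):
    """Return the text after 'action='; DUNNO if the reply is malformed."""
    for line in data.decode(errors="replace").splitlines():
        if line.startswith("action="):
            return line[len("action="):].strip()
    return "DUNNO"

def query_policy(sock, recipient, size=0, timeout=2.0):
    """Query an already-connected policy socket for one recipient.

    Fails open (DUNNO) on timeout or I/O error, so a laggy backend
    delays a delivery decision by at most `timeout` seconds.
    """
    try:
        sock.settimeout(timeout)
        sock.sendall(build_request(recipient, size))
        buf = b""
        while b"\n\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
        return parse_reply(buf)
    except OSError:                # includes socket timeouts
        return "DUNNO"

def check_quota(host, recipient, port=12340):
    """Connect to the quota-status inet_listener (hypothetical port) on the
    server that holds the mailbox, as looked up by the caller."""
    try:
        with socket.create_connection((host, port), timeout=2.0) as s:
            return query_policy(s, recipient)
    except OSError:
        return "DUNNO"
```

Any return value other than DUNNO is the action text to hand back to the SMTP client; the listener itself should stay reachable only from the mail servers.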
At 8AM +0200 on 14/06/13 you (Benoit Panizzon) wrote:
It's quite simple (compared with sendmail milter). I will directly connect to the policy service on the correct machine from within the milter. The milter has to do a database query anyway, so I get the mailbox hostname in the same query. So I can do an IO::Socket::INET connect to the right machine which knows the quota of that recipient.
Btw, the quota-status just returns DUNNO or 'Quota Full'. Is there a similar easy way to check the amount of quota used? I could then update that information in the database and use it to, for example, find abandoned mailboxes.
Not as far as I know, but if you're talking to a database anyway why not get Dovecot to store its quota information in the database directly (see wiki2/Quota/Dict)? That way you don't need to talk to Dovecot at all.
Ben
On 14.6.2013, at 9.15, Benoit Panizzon <benoit.panizzon@imp.ch> wrote:
Is there a way to get quota-status to also use the proxy feature to request the quota information from the correct machine?
Looks like this is a missing feature. I first thought quota-status would go through doveadm protocol, which would make this work via doveadm proxying, but looks like it doesn't. Perhaps it optionally should.
Btw, the quota-status just returns DUNNO or 'Quota Full'. Is there a similar easy way to check the amount of quota used? I could then update that information in the database and use it to, for example, find abandoned mailboxes.
doveadm quota get command can be used to ask for the user's current quota. You can ask the same via TCP protocol as well: http://wiki2.dovecot.org/Design/DoveadmProtocol
On 2013-06-16 21:46, Timo Sirainen wrote:
On 14.6.2013, at 9.15, Benoit Panizzon <benoit.panizzon@imp.ch> wrote:
Is there a way to get quota-status to also use the proxy feature to request the quota information from the correct machine?
Looks like this is a missing feature. I first thought quota-status would go through doveadm protocol, which would make this work via doveadm proxying, but looks like it doesn't. Perhaps it optionally should.
Any news on this? Seems strange to lose this feature when running Director.
-- Tom
On 27.07.2018 16:26, Tom Sommer wrote:
On 2013-06-16 21:46, Timo Sirainen wrote:
On 14.6.2013, at 9.15, Benoit Panizzon <benoit.panizzon@imp.ch> wrote:
Is there a way to get quota-status to also use the proxy feature to request the quota information from the correct machine?
Looks like this is a missing feature. I first thought quota-status would go through doveadm protocol, which would make this work via doveadm proxying, but looks like it doesn't. Perhaps it optionally should.
Any news on this? Seems strange to lose this feature when running Director.
-- Tom
We'll look into this.
Aki
Participants (5): Aki Tuomi, Ben Morrow, Benoit Panizzon, Timo Sirainen, Tom Sommer