Properly "locking" a user account (on a proxy)
I'm preparing a migration of several mailboxes to another machine. The different user accounts are distributed to different backend machines by means of a dovecot LMTP/IMAP/POP proxy.
Proxying is working really well (now that the kernel does as it should).
But how can I "lock" a user during migration?
The plan is:
- lock the user
- kick the user (doveadm kick)
- migrate mailbox (some rsync magic)
- unlock the user again
But how would I lock the user?
What locking needs to achieve:
- Disallow IMAP/POP login (that's easy!)
- defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)
Because currently, we're seeing dovecot trying local delivery on the proxy machine once an account is locked (probably because LMTP proxying uses passdb lookups, and since that one is failing it's using the userdb lookup?):
Oct 21 20:15:27 lmtp(87892): Error: user sys4@test.invalid: Initialization failed: Namespace '': mkdir(/var/mail/test.invalid/sys4/mdbox/mailboxes) failed: Permission denied (euid=10000(vmail) egid=10000(vmail) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775)
Admittedly, this is somehow working. But it's not very elegant to use a side-effect. Is there a reserved userdb/passwd return value which will let dovecot "tempfail" in an elegant fashion?
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263. Management board: Patrick Ben Koetter, Marc Schiffbauer. Chairman of the supervisory board: Florian Kirstein
- Ralf Hildebrandt <r@sys4.de>:
- defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)
I could of course put a mysql: query into postfix which would return
user@domain retry:
for the "locked" user. But I'm lazy and would prefer a single place / a single query to lock the account
Hi,
On 21.10.2014 20:37, Ralf Hildebrandt wrote:
- Ralf Hildebrandt <r@sys4.de>:
- defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)
I could of course put a mysql: query into postfix which would return
user@domain retry:
for the "locked" user. But I'm lazy and would prefer a single place / a single query to lock the account
Why do you not put the mails on hold in some frontend Postfix queue (I think you have one) with a check_recipient_access table? We did that during our last migration from an old CGP system.
OK, it's not the elegant way, but for us it worked.
On 21.10.2014 at 20:37, Ralf Hildebrandt wrote:
- Ralf Hildebrandt <r@sys4.de>:
- defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)
I could of course put a mysql: query into postfix which would return
user@domain retry:
for the "locked" user. But I'm lazy and would prefer a single place / a single query to lock the account
In the SQL postfixadmin schema there is an "active" flag (0 vs 1) per user:
smtpd_recipient_restrictions = reject_unknown_recipient_domain, reject_non_fqdn_recipient, permit_mynetworks, check_recipient_access mysql:/etc/postfix/mysql_virtual_inactive_mailaddress.cf
I configured it as
query = SELECT CONCAT('REJECT mailaddress %s is set in inactive mode') address FROM mailbox WHERE username='%s' AND active = '0'
You may use not REJECT but
http://www.postfix.org/access.5.html
"421 text" (Postfix 2.3 and later), which is a temporary error.
The dovecot side may look like this:
/etc/dovecot/dovecot-sql.conf.ext
password_query = SELECT username as user, password,
1001 as userdb_uid,
1001 as userdb_gid,
"/usr/local/virtual/%d/%u/" AS userdb_home,
"maildir:/usr/local/virtual/%d/%u/" AS userdb_mail
FROM mailbox WHERE username = '%u' AND active = '1'
But to be honest, it's a long time ago that I tested this feature, and in the real world nobody seems to use the "active" setting.
However, perhaps you can adapt this idea to fit in your setup somehow.
Best regards, Robert Schetterer
for the "locked" user. But I'm lazy and would prefer a single place / a single query to lock the account
Set up Postfix to check whether the recipient account is active, then set a temporary new password while moving mail to the new server; when it's done, change the password back for the user, and set up Postfix to know it's active again.
- Benny Pedersen <dovecot@dovecot.org>:
for the "locked" user. But I'm lazy and would prefer a single place / a single query to lock the account
Set up Postfix to check whether the recipient account is active, then set a temporary new password while moving mail to the new server; when it's done, change the password back for the user, and set up Postfix to know it's active again.
See my "lazy" comment above.
On October 22, 2014 2:22:52 PM Ralf Hildebrandt <r@sys4.de> wrote:
- Benny Pedersen <dovecot@dovecot.org>:
Not my domain :)
See my "lazy" comment above.
If active state 2, then update the Postfix maps to query this, with a key result of defer_if_permit :)
And Dovecot auth to include active 1 or 2; then you manage the SQL data in one place.
On 21 Oct 2014, at 11:27, Ralf Hildebrandt <r@sys4.de> wrote:
But how can I "lock" a user during migration?
The plan is:
- lock the user
- kick the user (doveadm kick)
- migrate mailbox (some rsync magic)
- unlock the user again
Alternative is to use "doveadm sync" and you don't necessarily even need to lock anything at all.
But how would I lock the user?
What locking needs to achieve:
- Disallow IMAP/POP login (that's easy!)
Yeah, many ways.
- defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)
LMTP proxy does a passdb lookup. I'm not sure if there's any good way to fail in here. I was planning to suggest allow_nets=0.0.0.0/32 but looks like LMTP proxying just ignores that. Fixed now: http://hg.dovecot.org/dovecot-2.2/rev/3a8b417b0b80
LMTP backend does a userdb lookup. Userdb lookup can return either "user doesn't exist" or "temporary failure". Nothing else. You can have it return a temporary failure by having it return the "tempfail" extra field.
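Pulling together Robert's SQL "active" flag, Benny's third state for accounts under migration, and Timo's note that the userdb lookup can return a "tempfail" extra field, here is an added example (not code from the thread, nor from Postfix or Dovecot) of how a single column can drive all three checks. It assumes the postfixadmin-style table mailbox(username, password, active), active=2 as the "being migrated" state, the value 'y' for the tempfail field and the enhanced status codes (all this example's own choices), and it emulates what Postfix and Dovecot would get back from the queries against an in-memory SQLite database with constructed rows:

```python
"""Added example: one mailbox.active column is the single place to lock an
account; the Postfix recipient check and the Dovecot passdb/userdb queries
all derive their answers from it.  Runs against in-memory SQLite with
constructed rows, so || stands in for MySQL's CONCAT().  Table layout,
active=2 and the 'y' tempfail value are assumptions of this example."""
import sqlite3

INACTIVE, ACTIVE, MIGRATING = 0, 1, 2  # values of mailbox.active

# Constructed sample rows (password hashes are placeholders).
SAMPLE_ROWS = [
    ("alice@test.invalid", "{PLACEHOLDER-HASH}alice", ACTIVE),
    ("bob@test.invalid", "{PLACEHOLDER-HASH}bob", INACTIVE),
    ("sys4@test.invalid", "{PLACEHOLDER-HASH}sys4", MIGRATING),
]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mailbox (username TEXT PRIMARY KEY, "
                 "password TEXT NOT NULL, active INTEGER NOT NULL)")
    conn.executemany("INSERT INTO mailbox VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


# Postfix side: what a check_recipient_access mysql: map would return.
# Postfix substitutes %s itself; here the address is a bound parameter.
# No row means no match, so the restriction list falls through and the
# message is accepted.  A 4NN action makes the sender retry later, which
# is what a migration window needs (REJECT would bounce the mail).
POSTFIX_ACCESS_QUERY = """
SELECT CASE active
         WHEN 0 THEN 'REJECT mailaddress ' || username || ' is set in inactive mode'
         WHEN 2 THEN '421 4.7.1 mailaddress ' || username || ' is being migrated, try again later'
       END
  FROM mailbox WHERE username = ? AND active IN (0, 2)
"""


def postfix_recipient_access(conn, recipient):
    """Access action string for the recipient, or None when no row matches."""
    row = conn.execute(POSTFIX_ACCESS_QUERY, (recipient,)).fetchone()
    return row[0] if row else None


# Dovecot password_query: only active accounts get a row, so IMAP/POP
# logins and the proxy's passdb lookup fail for locked and inactive ones.
# Dovecot expands %u/%d before sending the query; the domain/localpart
# home layout below is this example's choice.
DOVECOT_PASSWORD_QUERY = """
SELECT username AS user, password,
       1001 AS userdb_uid, 1001 AS userdb_gid,
       ? AS userdb_home, ? AS userdb_mail
  FROM mailbox WHERE username = ? AND active = 1
"""

# Dovecot user_query for the LMTP backend: unknown or inactive users yield
# no row ("user doesn't exist"); a migrating user yields a row whose
# tempfail field is set, turning the delivery into a temporary failure.
# NULL columns are dropped, as Dovecot ignores them.
DOVECOT_USER_QUERY = """
SELECT username AS user, 1001 AS uid, 1001 AS gid, ? AS home,
       CASE WHEN active = 2 THEN 'y' END AS tempfail
  FROM mailbox WHERE username = ? AND active IN (1, 2)
"""


def _home_for(username):
    local, domain = username.split("@", 1)
    return f"/usr/local/virtual/{domain}/{local}/"


def _row_to_fields(cursor, row):
    if row is None:
        return None
    names = [d[0] for d in cursor.description]
    return {k: v for k, v in zip(names, row) if v is not None}


def dovecot_passdb(conn, username):
    """Fields the passdb lookup returns, or None (login refused)."""
    home = _home_for(username)
    cur = conn.execute(DOVECOT_PASSWORD_QUERY, (home, "maildir:" + home, username))
    return _row_to_fields(cur, cur.fetchone())


def dovecot_userdb(conn, username):
    """Fields the userdb lookup returns, or None (user doesn't exist)."""
    cur = conn.execute(DOVECOT_USER_QUERY, (_home_for(username), username))
    return _row_to_fields(cur, cur.fetchone())


def set_active(conn, username, state):
    """The single query that locks (MIGRATING) or unlocks (ACTIVE) an account."""
    cur = conn.execute("UPDATE mailbox SET active = ? WHERE username = ?", (state, username))
    conn.commit()
    return cur.rowcount == 1


if __name__ == "__main__":
    db = open_db()
    for user in ("alice@test.invalid", "bob@test.invalid", "sys4@test.invalid"):
        print(user, postfix_recipient_access(db, user), dovecot_userdb(db, user))
    set_active(db, "alice@test.invalid", MIGRATING)  # lock before doveadm kick + rsync
    print("alice locked:", postfix_recipient_access(db, "alice@test.invalid"))
    set_active(db, "alice@test.invalid", ACTIVE)     # unlock once the copy is done
```

The point of the layout is that the migration runbook touches exactly one row: flipping active to 2 makes Postfix answer 4xx at RCPT time, makes the proxy's passdb lookup fail so IMAP/POP logins stop, and makes the backend's userdb lookup tempfail so any LMTP delivery that still reaches it is deferred instead of being written into a half-copied mailbox; flipping it back to 1 reopens everything in the same order.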