Terry Jones wrote:

> The documentation is somewhat silent on this subject.

If you mean https://wiki.dovecot.org/Tools/Doveadm/Sync the answers seem implicit to what's been stated.

> What permissions does the SSH user need ?

To be able to run the doveadm executable (or a wrapper script that eventually runs doveadm) on the remote side.

> How associated does it need to be with things like dovecot directory ownership etc ?

It will take uid/gid directly from the login privileges unless you use a wrapper script that changes UID/GID. This may be necessary if you use the remote-prefix option for remapping virtual users and user@domain to another UID/GID.

> Obviously my dovecot daemon processes are running as restricted users with "nologin" shells etc., and I don't really want to go opening them up if I don't have to.

It doesn't seem possible: you'll need to be able to set up the other endpoint of communication. You may be able to lock down the shell by replacing it with a fixed doveadm and arguments, or perhaps by fiddling with keys and the forced command feature of ssh, after working out the security issues.

Depending on your use-case, you might be better off using one of the other transport methods. Do you actually need per-user syncing?

Joseph Tam <jtam.home@gmail.com>
> If you mean https://wiki.dovecot.org/Tools/Doveadm/Sync the answers seem implicit to what's been stated.

Yes, I do mean that address, I read that page four times and was still none the wiser. <rant-mode>And to be completely frank with you, if documentation relies on "implicit" guesswork and expects the user to "read between the lines" then in my books it is poor documentation ! </rant-mode>

> To be able to run the doveadm executable (or a wrapper script that eventually runs doveadm) on the remote side.

Sure, but my question was does it need to be the dovecot user itself ? For example, on one server I have a root crontab that calls "/usr/bin/doveadm expunge" and that seems to work fine even though it is not running as the dovecot user but just root calling doveadm ?

> Depending on your use-case, you might be better off using one of the other transport methods. Do you actually need per-user syncing?

No, I don't need per-user syncing as it happens. I just want to use the sync feature to push backups to other server(s) for DR purposes. So if you have better suggestions that would fit that use-case, I'm open to suggestions !

Thanks !
On Fri, 4 Aug 2017, Terry Jones wrote:

>> If you mean https://wiki.dovecot.org/Tools/Doveadm/Sync the answers seem implicit to what's been stated.
>
> Yes, I do mean that address, I read that page four times and was still none the wiser. <rant-mode>And to be completely frank with you, if documentation relies on "implicit" guesswork and expects the user to "read between the lines" then in my books it is poor documentation ! </rant-mode>

I didn't mean to criticize your comprehension skills. *All* documents assume some level of knowledge. If it was written to the level of an absolute neophyte, it would be tediously long and nearly unreadable.

Of course, if it leaves out important details or is targeted at gurus, it would also be useless. As someone who has to write technical documents, it's hard to strike a balance.

In this case, it assumes basic knowledge of ssh, file permissions and possibly how the parts of dovecot interact.

>> To be able to run the doveadm executable (or a wrapper script that eventually runs doveadm) on the remote side.
>
> Sure, but my question was does it need to be the dovecot user itself ?

I doubt it. Dovecot daemon users are meant to limit privilege, not extend it. It's mainly to compartmentalize access so that breaches don't lead to total system compromise.

> For example, on one server I have a root crontab that calls "/usr/bin/doveadm expunge" and that seems to work fine even though it is not running as the dovecot user but just root calling doveadm ?

It's not a surprise you can expunge user data as root, since it's the one account that can access all resources regardless of permissions. Which conveniently leads us to ...

>> Depending on your use-case, you might be better off using one of the other transport methods. Do you actually need per-user syncing?
>
> No, I don't need per-user syncing as it happens. I just want to use the sync feature to push backups to other server(s) for DR purposes. So if you have better suggestions that would fit that use-case, I'm open to suggestions !

So you don't need per-user syncing, but rather, site-wide syncing. You can probably run "doveadm sync -A ..." as root and ssh pipe it to your DR server's root account. The simplest invocation might be like

    doveadm dsync -A remote:root@drhost

(I'll let you read the man page on how to do user subsets!)

Or you can set up a TCP transport on your DR server like this random URL I Googled

https://blog.schaal-24.de/uncategorized/mails-mit-dovecot-ueber-tcp-syncen/

and skip ssh altogether.

Big caveat: I don't run any syncing, so I don't actually have practical experience doing it (but many on this list do, so I defer to their superior knowledge). All the information I wrote above is derived from reading the man page, and implicit knowledge.

Joseph Tam <jtam.home@gmail.com>
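A concrete form of the "forced command feature of ssh" idea from Joseph's first reply, applied to the root-to-root "doveadm dsync -A remote:root@drhost" suggestion above. This is an added example, not code from the thread or from the Dovecot project: a POSIX sh wrapper installed on the DR host and named as the forced command of the key the mail server uses. It assumes the client side uses Dovecot's default dsync remote command, which runs "doveadm dsync-server -u<user> -U" on the remote host (adjust the accepted argv if your dsync_remote_cmd differs); the wrapper path and the sample user names are placeholders.

```shell
#!/bin/sh
# Constructed example, not code from the thread or from the Dovecot project.
# Forced-command wrapper for the SSH key that a DR host's account trusts for
# dsync. sshd puts the command the client asked for into SSH_ORIGINAL_COMMAND;
# the wrapper admits only "doveadm dsync-server" for one user name and rejects
# everything else, so the key can't be used for a shell or arbitrary commands.
#
# Assumption: the client-side doveadm uses the default dsync remote command,
# which runs "doveadm dsync-server -u<user> -U" on the remote host. Adjust
# dsync_command_allowed if your dsync_remote_cmd is different.

# dsync_command_allowed CMD
# Returns 0 and sets allowed_user / allowed_flags when CMD is an acceptable
# dsync-server invocation; returns 1 otherwise. It has no side effects apart
# from those two variables, so it can be tested without sshd.
dsync_command_allowed() {
    allowed_user=""
    allowed_flags=""
    # Reject shell metacharacters outright (no chaining, substitution or
    # redirection); the exec below never hands the string to a shell anyway.
    case $1 in
        *['`;&|$()<>']*|*\\*) return 1 ;;
    esac
    # Tokenise on whitespace with globbing off, then walk the argv.
    set -f
    set -- $1
    set +f
    [ "${1-}" = "doveadm" ] || return 1
    [ "${2-}" = "dsync-server" ] || return 1
    shift 2
    while [ $# -gt 0 ]; do
        case $1 in
            -u)   shift; [ $# -gt 0 ] || return 1; allowed_user=$1 ;;
            -u?*) allowed_user=${1#-u} ;;
            -U)   allowed_flags="-U" ;;
            *)    return 1 ;;
        esac
        shift
    done
    [ -n "$allowed_user" ] || return 1
    # Conservative user@domain charset: no slashes, spaces or quoting chars,
    # and at most one '@'.
    case $allowed_user in
        *[!A-Za-z0-9._@+-]*|*@*@*) return 1 ;;
    esac
    return 0
}

# Entry point when sshd runs this script as the key's forced command.
# sshd sets SSH_ORIGINAL_COMMAND only when the client supplied a command;
# an interactive login arrives with it unset and simply gets no shell.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if dsync_command_allowed "$SSH_ORIGINAL_COMMAND"; then
        # Rebuild the argv ourselves rather than re-executing the raw string.
        exec doveadm dsync-server -u"$allowed_user" $allowed_flags
    fi
    logger -t dsync-wrapper "rejected forced command: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

On the DR host the key's authorized_keys entry would then read something like `restrict,command="/usr/local/sbin/dsync-wrapper" ssh-ed25519 AAAA... dsync@mailhost` (path and key are placeholders), and `PermitRootLogin forced-commands-only` in sshd_config keeps that root key from being usable for anything but the wrapper. The wrapper does not reduce what dsync-server itself can do as root; its point is that the private key on the mail server, if stolen, yields only a dsync session for one mailbox at a time, never a shell, and every rejected attempt lands in syslog.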