[Dovecot] doveadm backup issue with ACL plugin enabled
Hi,
when trying to backup mailboxes I noticed some hiccups when the ACL plugin is enabled. It works fine with ACL disabled:
$ doveadm -o plugin/quota= backup -u tlx@leuxner.net mdbox:/home/backups/tlx/mdbox
However, enabled (and w/ a mailbox actually using ACLs) the following error occurs:
$ doveadm -o plugin/quota= backup -u tlx@leuxner.net mdbox:/home/backups/tlx/mdbox
dsync(tlx@leuxner.net): Error: Couldn't update mailbox <name> metadata: Permission denied
I tried to override the ACL plugin via '-o' to no avail, but I may be using the wrong syntax there.
Regards
Thomas
# 2.2.alpha1 (cd093d05037e): /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-0.bpo.4-amd64 x86_64 Debian 6.0.6
auth_cache_size = 16 k
auth_verbose = yes
mail_location = mdbox:~/mdbox
mail_plugins = acl quota stats
mailbox_list_index = yes
namespace {
  list = yes
  location = mdbox:/var/vmail/public
  prefix = Public/
  separator = /
  subscriptions = no
  type = public
}
namespace inbox {
  hidden = no
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = username_format=%u /var/vmail/auth.d/%d/passwd
  driver = passwd-file
}
plugin {
  acl = vfile:/var/vmail/conf.d/%d/acls:cache_secs=300
  mail_log_events = expunge mailbox_delete
  quota = dict:user::file:%h/mdbox/dovecot-quota
  quota_rule = *:storage=1GB
  quota_rule2 = Trash:storage=+10%%
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_global_dir = /var/vmail/conf.d/%d/sieve
  stats_refresh = 30s
  stats_track_cmds = yes
}
protocols = " imap lmtp"
quota_full_tempfail = yes
service auth-worker {
  unix_listener auth-worker {
    user = doveauth
  }
  user = doveauth
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = doveauth
}
service imap-login {
  inet_listener imap {
    address = 1.2.3.4
    port = 143
  }
  inet_listener imaps {
    port = 0
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service stats {
  fifo_listener stats-mail {
    mode = 0600
    user = vmail
  }
}
ssl_ca =
On 2.1.2013, at 13.41, Thomas Leuxner tlx@leuxner.net wrote:
> when trying to backup mailboxes I noticed some hiccups when the ACL plugin is enabled. It works fine with ACL disabled:
> $ doveadm -o plugin/quota= backup -u tlx@leuxner.net mdbox:/home/backups/tlx/mdbox
> However, enabled (and w/ a mailbox actually using ACLs) the following error occurs:
> $ doveadm -o plugin/quota= backup -u tlx@leuxner.net mdbox:/home/backups/tlx/mdbox
> dsync(tlx@leuxner.net): Error: Couldn't update mailbox <name> metadata: Permission denied
> I tried to override the ACL plugin via '-o' to no avail, but I may be using the wrong syntax there.
http://hg.dovecot.org/dovecot-2.1/rev/721aba9128b9
I'll pull it to v2.2 among other changes today/tomorrow.
On 04.01.2013 at 04:30, Timo Sirainen tss@iki.fi wrote:
> http://hg.dovecot.org/dovecot-2.1/rev/721aba9128b9
> I'll pull it to v2.2 among other changes today/tomorrow.
Thanks. This makes me wonder what concept will be used for replicating/backing up ACLs going forward? Ideally those should also be part of the backup and sync to other sites, right?
On Fri, 2013-01-04 at 12:19 +0100, Thomas Leuxner wrote:
> On 04.01.2013 at 04:30, Timo Sirainen tss@iki.fi wrote:
>> http://hg.dovecot.org/dovecot-2.1/rev/721aba9128b9
>> I'll pull it to v2.2 among other changes today/tomorrow.
> Thanks. This makes me wonder what concept will be used for replicating/backing up ACLs going forward? Ideally those should also be part of the backup and sync to other sites, right?
Yeah.. I guess dsync will need to handle them. I've thought about this for a few years and always thought "hopefully I won't need to implement that soon". :)
v2.2 dsync protocol is extensible, although the code isn't so much. Maybe v2.3 dsync could support plugins and the acl plugin could do the syncing.. Or maybe simply hardcode dovecot-acl file syncing as "newest timestamp wins".
On 04.01.2013 at 22:38, Timo Sirainen tss@iki.fi wrote:
> Yeah.. I guess dsync will need to handle them. I've thought about this for a few years and always thought "hopefully I won't need to implement that soon". :)
One of the steps surely beneficial to this would be implementing single file ACLs with wildcards (as discussed some time ago). This would take away the headache many ACL files per user would give...
On 5.1.2013, at 0.50, Thomas Leuxner tlx@leuxner.net wrote:
> On 04.01.2013 at 22:38, Timo Sirainen tss@iki.fi wrote:
>> Yeah.. I guess dsync will need to handle them. I've thought about this for a few years and always thought "hopefully I won't need to implement that soon". :)
> One of the steps surely beneficial to this would be implementing single file ACLs with wildcards (as discussed some time ago). This would take away the headache many ACL files per user would give...
That was only meant for global ACLs, not for per-user dovecot-acl files.
participants (2)
- Thomas Leuxner
- Timo Sirainen