LMTP during dsync migration

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Thu Jul 31 07:11:06 UTC 2014



On Thu, 31 Jul 2014, Steffen Kaiser wrote:
> On Wed, 30 Jul 2014, Jogi Hofmüller wrote:
>
>>> Or better - disable LMTP service in Dovecot. Incoming mail will stay on
>>> your MTA and when you're done, you just tell it to deliver everything
>>> that piled up in the queue in the meantime
>> 
>> Better but still not perfect ;)  We have users that work late and I am
>> sure they would complain when they don't receive email during migration
>> nights.
>> 
>> Still thinking ...
>
> In your original post you wrote "While migrating a mailbox". So you
> migrate one user after another. Also, if you want to disable LMTP for that
> user, you want to disable IMAP and POP3, too, for the very same reason ->
> or at least put them in read-only mode.
>
> 1) So, IMHO, your goal is to make the mail storage of one user read-only.
> Experiment with ACLs. Make all the mailboxes of the user read-only. After
> migration remove the ACLs.
>
> 2) Make the mail storage inaccessible during backup for just one user:
>
> How about adding another userdb { driver = passwd-file args = /.../%s/file
> } as the first one, which disables the access to the one user's mail
> storage currently migrated. %s would be lmtp, imap, pop3 and doveadm,
> IMHO. Make sure, doveadm sees no user in this userdb, but the others do,
> e.g. symlink the appropriate files and keep /.../doveadm/file
> zero-length, in order to fall back to LDAP always.
>
> In short: doveadm must know the real path, all other services a faked one.
>
> The migration of one user would be:
> put user in /.../{imap,pop3,lmtp}/file # or overwrite file with user
> doveadm auth cache flush # make sure, user info is not cached already
> migrate
> remove user from /.../file
>
> a)
> Besides the %s-way, there must be a way to have doveadm override the
> settings in:
>
> userdb {
> 	driver = passwd-file
> 	args = /.../file
> }
>
> in the line of:
> doveadm -o userdb[*]/args=/dev/null ....
>
> [*] IMHO you can specify which userdb section is meant by a number or
> something like that.
>
> b)
> Instead of putting/removing the user, you can overwrite the file, if there is
> just one user, and remove the file at the very end.

Maybe you need no other userdb, but you can make use of %s in your
LDAP userdb filter, e.g.

user_filter = (&(objectClass=posixAccount)(uid=%u)(!(deniedService=%Ls)))

However, you must test whether Dovecot's auth caching honors the different
values of %s in this case. I mean, if doveadm queries the user data, the
result will be cached; if the LMTP service queries next, does it get the
result of doveadm or not? I suppose this applies to both variants.

-- 
Steffen Kaiser
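An offline model of the `%Ls` filter from the message above, added here as an example and not part of the original post: it expands the filter per service and evaluates it against constructed entries, showing that doveadm still finds a user whose `deniedService` lists imap, pop3 and lmtp while those services do not. The expansion and escaping helpers, the sample DNs and the case-insensitive matching are assumptions of this sketch, and it does not model the auth cache.

```python
import re

# Filter from the post; deniedService is the poster's attribute name.
USER_FILTER = "(&(objectClass=posixAccount)(uid=%u)(!(deniedService=%Ls)))"
# Constructed sample entries (keys lowercased); alice is the user being migrated.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "objectclass": ["posixAccount"], "uid": ["alice"],
        "deniedservice": ["imap", "pop3", "lmtp"]},
    "uid=bob,ou=people,dc=example,dc=org": {"objectclass": ["posixAccount"], "uid": ["bob"]},
}

def ldap_escape(value):
    """RFC 4515 escaping, so a login name cannot change the filter structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def expand(template, user, service):
    """Simplified model of the expansion: %u = user, %Ls = lowercased service."""
    return template.replace("%Ls", ldap_escape(service.lower())).replace("%u", ldap_escape(user))

def parse(f, i=0):
    """Parse the filter that starts with '(' at f[i]; return (node, next index)."""
    i += 1
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1          # step over the closing ')'
    end = f.index(")", i)
    attr, value = f[i:end].split("=", 1)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    if node[0] in "&|":
        results = [matches(k, entry) for k in node[1]]
        return all(results) if node[0] == "&" else any(results)
    if node[0] == "!":
        return not matches(node[1][0], entry)
    return any(v.lower() == node[2] for v in entry.get(node[1], []))

def userdb_lookup(user, service, directory=DIRECTORY):
    """Return the DNs the expanded filter would select for this service."""
    tree, _ = parse(expand(USER_FILTER, user, service))
    return [dn for dn, entry in directory.items() if matches(tree, entry)]

if __name__ == "__main__":
    print({s: userdb_lookup("alice", s) for s in ("doveadm", "imap", "pop3", "lmtp")})
```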
