Doveadm-sync SSH practicalities

Joseph Tam jtam.home at gmail.com
Sat Aug 5 02:00:00 EEST 2017


On Fri, 4 Aug 2017, Terry Jones wrote:

>> If you mean https://wiki.dovecot.org/Tools/Doveadm/Sync the answers seem
>> implicit to what's been stated.
>
> Yes, I do mean that address, I read that page four times and was still
> none the wiser.
> <rant-mode>And to be completely frank with you, if documentation
> relies on "implicit" guesswork and expects the user to "read between
> the lines" then in my books it is poor documentation !  </rant-mode>

I didn't mean to criticize your comprehension skills.  *All* documents
assume some level of knowledge.  If it was written to the level of
an absolute neophyte, it would be tediously long and nearly unreadable.

Of course, if it leaves out important details or is targeted at gurus, it
would also be useless.  As someone who has to write technical documents,
it's hard to strike a balance.

In this case, it assumes basic knowledge of ssh, file permissions and
possibly how the parts of dovecot interact.

>> To be able to run the doveadm executable (or a wrapper script that
>> eventually runs doveadm) on the remote side.
>
> Sure, but my question was does it need to be the dovecot user itself ?

I doubt it.  Dovecot daemon users are meant to limit privilege, not
extend it.  It's mainly to compartmentalize access so that breaches
don't lead to total system compromise.

> For example, on one server I have a root crontab that calls
> "/usr/bin/doveadm expunge" and that seems to work fine even though it
> is not running as the dovecot user but just root calling doveadm ?

It's not a surprise you can expunge user data as root, since it's
the one account that can access all resources regardless of
permissions.  Which conveniently leads us to ...

>> Depending on your use-case, you might be better off using one of the other
>> transport methods.  Do you actually need per-user syncing?
>
> No, I don't need per-user syncing as it happens.   I just want to use
> the sync feature to push backups to other server(s) for DR purposes.
> So if you have better suggestions that would fit that use-case, I'm
> open to suggestions !

So you don't need per-user syncing, but rather, site-wide syncing.
You can probably run "doveadm sync -A ..." as root and ssh pipe it to
your DR server's root account.  The simplest invocation might be like

 	doveadm dsync -A remote:root@drhost

(I'll let you read the man page on how to do user subsets!)

Or you can set up a TCP transport on your DR server like this random URL
I Googled

 	https://blog.schaal-24.de/uncategorized/mails-mit-dovecot-ueber-tcp-syncen/

and skip ssh altogether.

Big caveat: I don't run any syncing, so I don't actually have practical
experience doing it (but many on this list do, so I defer to their
superior knowledge).  All the information I wrote above is derived from
reading the man page, and implicit knowledge.

Joseph Tam <jtam.home at gmail.com>
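[Editor's added example, not part of Joseph's message or of the Dovecot
project's own documentation.  It fleshes out the two transports he
mentions, root-to-root over ssh and the TCP listener, as dovecot.conf
fragments.  The host name drhost, the port 12345, the key path
/root/.ssh/dsync_drhost and the shared-secret placeholder are assumptions
chosen for illustration; the setting names (dsync_remote_cmd, doveadm_port,
doveadm_password, the doveadm inet_listener) and the remote:/tcp: location
syntax are Dovecot 2.2's.]

```conf
# Added example (not from the thread).  Assumed: DR host "drhost",
# port 12345, ssh key /root/.ssh/dsync_drhost, placeholder secret.

# ---- Option 1: ssh transport.  Put this on the SOURCE host. ----
# dsync_remote_cmd is what doveadm runs to reach the other side; the
# 2.2 default is "ssh -l%{login} %{host} doveadm dsync-server -u%u -U".
# Pin a dedicated key so the root cron job never prompts, and so that
# key (not root's interactive key) is the one you restrict on drhost.
dsync_remote_cmd = ssh -i /root/.ssh/dsync_drhost -l%{login} %{host} doveadm dsync-server -u%u -U

# Root crontab entry on the source host would then be, for example:
#   0 3 * * *  /usr/bin/doveadm sync -A remote:root@drhost
# -A iterates every user the userdb can enumerate; if
#   doveadm user '*'
# lists nothing, -A syncs nothing, so check that first.

# ---- Option 2: TCP transport, no ssh.  Put this on the DR host. ----
service doveadm {
  inet_listener {
    port = 12345
  }
}
# Shared secret; must be identical on both ends.
doveadm_password = CHANGE-ME-shared-secret

# ... and this on the SOURCE host:
doveadm_port = 12345
doveadm_password = CHANGE-ME-shared-secret
# Source-side cron line for this variant:
#   0 3 * * *  /usr/bin/doveadm sync -A tcp:drhost:12345
```

Practical caveat for option 2: the doveadm listener authenticates with that
shared password and, unless you put TLS in front of it, both the password
and the mail data cross the wire in the clear, so bind it to a private
network or firewall it to the source host's address.  For option 1 the
equivalent hardening is on drhost, where the dedicated key's authorized_keys
entry can be locked down to the dsync-server command and the source's IP.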

