Dovecot replication and userdb "noreplicate".

Reio Remma reio at mrstuudio.ee
Tue Aug 6 23:17:27 EEST 2019


On 24.06.2019 16:25, Reio Remma wrote:
> On 24.06.2019 8:21, Aki Tuomi wrote:
>> On 22.6.2019 22.00, Reio Remma via dovecot wrote:
>>> Jun 22 16:55:22 host dovecot: dsync-local(user at host.ee)<>: Error: Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l vmail backup.host.ee doveadm dsync-server -D -uuser at host.ee
>>>
>>> PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun
>>> as usual. :)
>> Dovecot under selinux works, as long as you do it the way the policy
>> writer intended, see https://linux.die.net/man/8/dovecot_selinux
>>
>> Aki
>
> For replication over SSH I had to add the following module:
>
> module selinux-dovecot-replication-ssh 1.0;
>
> require {
>          type ssh_exec_t;
>          type ssh_home_t;
>          type dovecot_t;
>          class file { open read execute execute_no_trans };
>          class dir { getattr search };
> }
>
> #============= dovecot_t ==============
> allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
> allow dovecot_t ssh_home_t:dir { getattr search };
> allow dovecot_t ssh_home_t:file { open read };
>
> ssh_exec_t to allow Dovecot to use the ssh executable in the first place,
> and ssh_home_t:dir + ssh_home_t:file for it to be able to read
> known_hosts from /root/.ssh
>
> Reio

To cut down on selinux exceptions I put the destination host in
/etc/ssh/ssh_known_hosts, and dovecot successfully replicates; however, I
get the following log entry for every replicator action:

Aug  6 22:25:59 turin dovecot: doveadm: Error: Could not create directory '/root/.ssh'.

Replication is set up with the user vmail (/home/vmail and SSH key in 
/home/vmail/.ssh) and the minimum selinux rule to get Dovecot to read 
the key is:

allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read };

Is there a way I can change from root to the vmail user for creating the SSH
connection?

Doveconf below:

# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.1 (db5c74be)
# OS: Linux 4.4.186-1.el7.elrepo.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core)
# Hostname: turin.mrstuudio.ee
doveadm_api_key = # hidden, use -P to show it
dsync_remote_cmd = ssh -i /home/vmail/.ssh/vmail.pem -l %{login} %{host} doveadm dsync-server -u %u
mail_gid = vmail
mail_home = /home/vmail/%d/%n
mail_location = maildir:~/Maildir
mail_log_prefix = "%s(%u): "
mail_plugins = quota notify replication
mail_uid = vmail
mbox_write_locks = fcntl
namespace inbox {
   inbox = yes
   location =
   mailbox "Deleted Messages" {
     auto = no
     special_use = \Trash
   }
   mailbox Drafts {
     auto = subscribe
     special_use = \Drafts
   }
   mailbox Junk {
     auto = no
     special_use = \Junk
   }
   mailbox Sent {
     auto = subscribe
     special_use = \Sent
   }
   mailbox "Sent Messages" {
     auto = no
     special_use = \Sent
   }
   mailbox Spam {
     auto = subscribe
     special_use = \Junk
   }
   mailbox Trash {
     auto = subscribe
     special_use = \Trash
   }
   prefix = INBOX.
   separator = .
   type = private
}
passdb {
   args = /etc/dovecot/dovecot-sql.conf.ext
   driver = sql
}
plugin {
   mail_replica = remote:vmail at replica
}
protocols = imap lmtp
service aggregator {
   fifo_listener replication-notify-fifo {
     user = vmail
   }
   unix_listener replication-notify {
     user = vmail
   }
}
service doveadm {
   inet_listener http {
     address = localhost
     port = 8080
   }
}
service imap-login {
   inet_listener imap {
     port = 0
   }
   inet_listener imaps {
     port = 993
     ssl = yes
   }
}
service lmtp {
   executable = lmtp -L
}
service replicator {
   process_min_avail = 1
   unix_listener replicator-doveadm {
     mode = 0600
     user = vmail
   }
}
service stats {
   unix_listener stats-writer {
     mode = 0666
   }
}
userdb {
   args = /etc/dovecot/dovecot-sql.conf.ext
   default_fields = uid=vmail gid=vmail
   driver = sql
}
protocol lmtp {
   mail_plugins = quota notify replication
}
protocol imap {
   imap_capability = +SPECIAL-USE
   imap_metadata = yes
   mail_max_userip_connections = 50
   mail_plugins = quota notify replication imap_quota
   namespace inbox {
     location =
     mailbox Ham {
       autoexpunge = 365 days
     }
     mailbox Spam {
       autoexpunge = 365 days
     }
     mailbox Trash {
       autoexpunge = 180 days
     }
     prefix =
   }
}

Thanks!
Reio
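The thread above shrinks the SELinux policy from a module that also grants dovecot_t read access to ssh_home_t down to a single rule for ssh_exec_t. The following script is an added example, not code from the thread or from Dovecot: it parses type-enforcement `allow` rules and reports which permissions the broader module grants that the minimal rule does not, which is the check a reviewer would run before loading a module produced from audit denials. The two rule texts are constructed from the rules quoted in the thread.

```python
"""Diff the permissions granted by two sets of SELinux TE allow rules."""
import re
from collections import defaultdict

# Constructed from the rules quoted in the thread: the original module that also
# lets dovecot_t read ~/.ssh, and the single rule left after moving the host key
# to /etc/ssh/ssh_known_hosts.
FULL_MODULE = """
module selinux-dovecot-replication-ssh 1.0;
require {
    type ssh_exec_t;
    type ssh_home_t;
    type dovecot_t;
    class file { open read execute execute_no_trans };
    class dir { getattr search };
}
allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
allow dovecot_t ssh_home_t:dir { getattr search };
allow dovecot_t ssh_home_t:file { open read };
"""
MINIMAL_RULE = "allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read };"

# allow <source> <target>:<class> { perm perm ... };  or  allow ... <class> perm;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;",
    re.MULTILINE,
)


def parse_allow_rules(text):
    """Return {(source, target, class): set(permissions)} for every allow rule."""
    rules = defaultdict(set)
    for match in ALLOW_RE.finditer(text):
        src, tgt, cls, braced, single = match.groups()
        perms = braced.split() if braced is not None else [single]
        rules[(src, tgt, cls)].update(perms)
    return dict(rules)


def extra_permissions(broad, narrow):
    """Permissions granted by `broad` that `narrow` does not grant, keyed by rule."""
    broad_rules, narrow_rules = parse_allow_rules(broad), parse_allow_rules(narrow)
    extra = {}
    for key, perms in broad_rules.items():
        surplus = perms - narrow_rules.get(key, set())
        if surplus:
            extra[key] = surplus
    return extra


if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(extra_permissions(FULL_MODULE, MINIMAL_RULE).items()):
        print(f"{src} -> {tgt}:{cls} additionally allows {' '.join(sorted(perms))}")
```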