Dovecot replication and userdb "noreplicate".

Reio Remma reio at mrstuudio.ee
Mon Jun 24 16:25:23 EEST 2019


On 24.06.2019 8:21, Aki Tuomi wrote:
> On 22.6.2019 22.00, Reio Remma via dovecot wrote:
>> Hello!
>>
>> I finally took the time and spent two days to set up replication for
>> my server and now I have a question or two.
>>
>> I initially set noreplicate userdb field to 1 for all but a test user,
>> but I could still see in the logs that all mailboxes were trying to
>> connect to the other server via SSH. Is that normal?
>>
>> Jun 22 16:55:22 host dovecot: dsync-local(user at host.ee)<>: Error:
>> Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l
>> vmail backup.host.ee doveadm dsync-server -D -u user at host.ee
>>
>> Then I ended up setting mail_replica in userdb for only my test user,
>> but I could still see in the logs that it was trying to sync the
>> others as well, despite mail_replica being 0 for the rest.
>>
>> Jun 22 20:52:59 host dovecot: doveadm(user at host.ee): Fatal: -N
>> parameter requires syncing with remote host
>>
>> I also notice (and read from recent posts) that sieve script
>> replication doesn't work at all.
>>
>> Dovecot v2.3.6 and Pigeonhole from the official Dovecot CentOS repo.
>>
>> Thanks,
>> Reio
>> PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun
>> as usual. :)
>
> Hi!
>
> We are fixing this in 2.3.7, noreplicate works but causes errors. You
> can try
> https://github.com/dovecot/core/compare/6d5b4b5%5E..93945ec.patch if you
> are compiling yourself.
>
> Dovecot under selinux works, as long as you do it the way the policy
> writer intended, see https://linux.die.net/man/8/dovecot_selinux
>
> Aki

For replication over SSH I had to add the following module:

module selinux-dovecot-replication-ssh 1.0;

require {
         type ssh_exec_t;
         type ssh_home_t;
         type dovecot_t;
         class file { open read execute execute_no_trans };
         class dir { getattr search };
}

#============= dovecot_t ==============
allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
allow dovecot_t ssh_home_t:dir { getattr search };
allow dovecot_t ssh_home_t:file { open read };


ssh_exec_t allows Dovecot to use the ssh executable in the first place, and
ssh_home_t:dir + ssh_home_t:file let it read known_hosts
from /root/.ssh.

Reio
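As an added example (not part of the thread, and not Dovecot or audit2allow code), a small Python audit of a type-enforcement module like the one above: it parses every `allow` rule, checks each grant against a hand-written allowlist of what replication over SSH needs, and flags `execute_no_trans`, which means the `ssh` child keeps running in `dovecot_t` rather than transitioning to its own domain. The allowlist and the embedded sample module are assumptions taken from the post.

```python
import re

# The thread's policy module, embedded as constructed sample input.
SAMPLE_TE = """\
module selinux-dovecot-replication-ssh 1.0;
require {
        type ssh_exec_t; type ssh_home_t; type dovecot_t;
        class file { open read execute execute_no_trans };
        class dir { getattr search };
}
allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
allow dovecot_t ssh_home_t:dir { getattr search };
allow dovecot_t ssh_home_t:file { open read };
"""

# One allow rule: "allow source target:class { perms };" or a single bare perm.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;",
    re.MULTILINE,
)

def parse_allow_rules(te_text):
    """Return (source, target, class, frozenset(perms)) for every allow rule."""
    rules = []
    for m in ALLOW_RE.finditer(te_text):
        perms = m.group(4).split() if m.group(4) is not None else [m.group(5)]
        rules.append((m.group(1), m.group(2), m.group(3), frozenset(perms)))
    return rules

# Assumed allowlist: what replication over SSH needs, run ssh and read ~/.ssh contents.
EXPECTED = {
    ("dovecot_t", "ssh_exec_t", "file"): {"open", "read", "execute", "execute_no_trans"},
    ("dovecot_t", "ssh_home_t", "dir"): {"getattr", "search"},
    ("dovecot_t", "ssh_home_t", "file"): {"open", "read"},
}

def audit(te_text, expected=EXPECTED):
    """List grants outside the allowlist, plus every execute_no_trans, which
    keeps the child (ssh here) in the caller's domain instead of transitioning."""
    findings = []
    for src, tgt, cls, perms in parse_allow_rules(te_text):
        extra = perms - expected.get((src, tgt, cls), set())
        if extra:
            findings.append(f"unexpected {src} -> {tgt}:{cls} {sorted(extra)}")
        if "execute_no_trans" in perms:
            findings.append(f"{src} runs {tgt} without a domain transition (execute_no_trans)")
    return findings
```

Run `audit()` over any `.te` produced by audit2allow before loading it with `semodule`; an empty list means only the expected grants are present.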