<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 24.06.2019 16:25, Reio Remma wrote:<br>
</div>
<blockquote type="cite"
cite="mid:8f47d6de-3f0c-7ede-30cd-41adcf20ba61@mrstuudio.ee">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<div class="moz-cite-prefix">On 24.06.2019 8:21, Aki Tuomi wrote:<br>
</div>
<blockquote type="cite"
cite="mid:5ba1cedc-c6e2-1943-b5cc-3c86d8f6fed4@open-xchange.com">
<pre class="moz-quote-pre" wrap="">On 22.6.2019 22.00, Reio Remma via dovecot wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Jun 22 16:55:22 host dovecot: dsync-local(<a class="moz-txt-link-abbreviated" href="mailto:user@host.ee" moz-do-not-send="true">user@host.ee</a>)<>: Error:
Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l
vmail backup.host.ee doveadm dsync-server -D -u <a class="moz-txt-link-abbreviated" href="mailto:user@host.ee" moz-do-not-send="true">user@host.ee</a>
PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun
as usual. :)
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
Dovecot under selinux works, as long as you do it the way the policy
writer intended, see <a class="moz-txt-link-freetext" href="https://linux.die.net/man/8/dovecot_selinux" moz-do-not-send="true">https://linux.die.net/man/8/dovecot_selinux</a>
Aki
</pre>
</blockquote>
<br>
For replication over SSH I had to add the following module:<br>
<br>
<pre>module selinux-dovecot-replication-ssh 1.0;
require {
type ssh_exec_t;
type ssh_home_t;
type dovecot_t;
class file { open read execute execute_no_trans };
class dir { getattr search };
}
#============= dovecot_t ==============
allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
allow dovecot_t ssh_home_t:dir { getattr search };
allow dovecot_t ssh_home_t:file { open read };
</pre>
<br>
ssh_exec_t to allow Dovecot to use ssh executable in the first
place and ssh_home_t:dir + ssh_home_t:file for it to be able to
read known_hosts from /root/.ssh<br>
<br>
Reio<br>
</blockquote>
<br>
To cut down on selinux exceptions I put the destination host in
/etc/ssh/ssh_known_hosts and dovecot successfully replicates,
however I get the following log entry for every replicator action:<br>
<br>
Aug 6 22:25:59 turin dovecot: doveadm: Error: Could not create
directory '/root/.ssh'.<br>
<br>
Replication is set up with the user vmail (/home/vmail and SSH key
in /home/vmail/.ssh) and the minimum selinux rule to get Dovecot to
read the key is:<br>
<br>
allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read
};<br>
<br>
Is there a way I can change from root to vmail user for creating the
SSH connection?<br>
<br>
Doveconf below:<br>
<br>
# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf<br>
# Pigeonhole version 0.5.7.1 (db5c74be)<br>
# OS: Linux 4.4.186-1.el7.elrepo.x86_64 x86_64 CentOS Linux release
7.6.1810 (Core)<br>
# Hostname: turin.mrstuudio.ee<br>
doveadm_api_key = # hidden, use -P to show it<br>
dsync_remote_cmd = ssh -i /home/vmail/.ssh/vmail.pem -l %{login}
%{host} doveadm dsync-server -u %u<br>
mail_gid = vmail<br>
mail_home = /home/vmail/%d/%n<br>
mail_location = maildir:~/Maildir<br>
mail_log_prefix = "%s(%u): "<br>
mail_plugins = quota notify replication<br>
mail_uid = vmail<br>
mbox_write_locks = fcntl<br>
namespace inbox {<br>
inbox = yes<br>
location =<br>
mailbox "Deleted Messages" {<br>
auto = no<br>
special_use = \Trash<br>
}<br>
mailbox Drafts {<br>
auto = subscribe<br>
special_use = \Drafts<br>
}<br>
mailbox Junk {<br>
auto = no<br>
special_use = \Junk<br>
}<br>
mailbox Sent {<br>
auto = subscribe<br>
special_use = \Sent<br>
}<br>
mailbox "Sent Messages" {<br>
auto = no<br>
special_use = \Sent<br>
}<br>
mailbox Spam {<br>
auto = subscribe<br>
special_use = \Junk<br>
}<br>
mailbox Trash {<br>
auto = subscribe<br>
special_use = \Trash<br>
}<br>
prefix = INBOX.<br>
separator = .<br>
type = private<br>
}<br>
passdb {<br>
args = /etc/dovecot/dovecot-sql.conf.ext<br>
driver = sql<br>
}<br>
plugin {<br>
mail_replica = remote:vmail@replica<br>
}<br>
protocols = imap lmtp<br>
service aggregator {<br>
fifo_listener replication-notify-fifo {<br>
user = vmail<br>
}<br>
unix_listener replication-notify {<br>
user = vmail<br>
}<br>
}<br>
service doveadm {<br>
inet_listener http {<br>
address = localhost<br>
port = 8080<br>
}<br>
}<br>
service imap-login {<br>
inet_listener imap {<br>
port = 0<br>
}<br>
inet_listener imaps {<br>
port = 993<br>
ssl = yes<br>
}<br>
}<br>
service lmtp {<br>
executable = lmtp -L<br>
}<br>
service replicator {<br>
process_min_avail = 1<br>
unix_listener replicator-doveadm {<br>
mode = 0600<br>
user = vmail<br>
}<br>
}<br>
service stats {<br>
unix_listener stats-writer {<br>
mode = 0666<br>
}<br>
}<br>
userdb {<br>
args = /etc/dovecot/dovecot-sql.conf.ext<br>
default_fields = uid=vmail gid=vmail<br>
driver = sql<br>
}<br>
protocol lmtp {<br>
mail_plugins = quota notify replication<br>
}<br>
protocol imap {<br>
imap_capability = +SPECIAL-USE<br>
imap_metadata = yes<br>
mail_max_userip_connections = 50<br>
mail_plugins = quota notify replication imap_quota<br>
namespace inbox {<br>
location =<br>
mailbox Ham {<br>
autoexpunge = 365 days<br>
}<br>
mailbox Spam {<br>
autoexpunge = 365 days<br>
}<br>
mailbox Trash {<br>
autoexpunge = 180 days<br>
}<br>
prefix =<br>
}<br>
}<br>
<br>
Thanks!<br>
Reio<br>
</body>
</html>