On 24.06.2019 16:25, Reio Remma wrote:
On 24.06.2019 8:21, Aki Tuomi wrote:
On 22.6.2019 22.00, Reio Remma via dovecot wrote:
Jun 22 16:55:22 host dovecot: dsync-local(u...@host.ee)<>: Error: Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l vmail backup.host.ee doveadm dsync-server -D -uu...@host.ee
PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun
as usual. :)
Dovecot under selinux works, as long as you do it the way the policy
writer intended, see https://linux.die.net/man/8/dovecot_selinux
Aki
For replication over SSH I had to add the following module:
module selinux-dovecot-replication-ssh 1.0;
require {
	type ssh_exec_t;
	type ssh_home_t;
	type dovecot_t;
	class file { open read execute execute_no_trans };
	class dir { getattr search };
}
#============= dovecot_t ==============
allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
allow dovecot_t ssh_home_t:dir { getattr search };
allow dovecot_t ssh_home_t:file { open read };
ssh_exec_t to allow Dovecot to use the ssh executable in the first place,
and ssh_home_t:dir + ssh_home_t:file for it to be able to read
known_hosts from /root/.ssh.
Reio
To cut down on selinux exceptions I put the destination host in
/etc/ssh/ssh_known_hosts and dovecot successfully replicates; however, I
get the following log entry for every replicator action:
Aug 6 22:25:59 turin dovecot: doveadm: Error: Could not create directory '/root/.ssh'.
Replication is set up with the user vmail (/home/vmail and SSH key in
/home/vmail/.ssh) and the minimum selinux rule to get Dovecot to read
the key is:
allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read };
Is there a way I can change from root to vmail user for creating the SSH
connection?
Doveconf below:
# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.1 (db5c74be)
# OS: Linux 4.4.186-1.el7.elrepo.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core)
# Hostname: turin.mrstuudio.ee
doveadm_api_key = # hidden, use -P to show it
dsync_remote_cmd = ssh -i /home/vmail/.ssh/vmail.pem -l %{login} %{host} doveadm dsync-server -u %u
mail_gid = vmail
mail_home = /home/vmail/%d/%n
mail_location = maildir:~/Maildir
mail_log_prefix = "%s(%u): "
mail_plugins = quota notify replication
mail_uid = vmail
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox "Deleted Messages" {
    auto = no
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = no
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = no
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  mail_replica = remote:vmail@replica
}
protocols = imap lmtp
service aggregator {
  fifo_listener replication-notify-fifo {
    user = vmail
  }
  unix_listener replication-notify {
    user = vmail
  }
}
service doveadm {
  inet_listener http {
    address = localhost
    port = 8080
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  executable = lmtp -L
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    mode = 0600
    user = vmail
  }
}
service stats {
  unix_listener stats-writer {
    mode = 0666
  }
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  default_fields = uid=vmail gid=vmail
  driver = sql
}
protocol lmtp {
  mail_plugins = quota notify replication
}
protocol imap {
  imap_capability = +SPECIAL-USE
  imap_metadata = yes
  mail_max_userip_connections = 50
  mail_plugins = quota notify replication imap_quota
  namespace inbox {
    location =
    mailbox Ham {
      autoexpunge = 365 days
    }
    mailbox Spam {
      autoexpunge = 365 days
    }
    mailbox Trash {
      autoexpunge = 180 days
    }
    prefix =
  }
}
Thanks!
Reio
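As an added example for the two SELinux passages in this thread (the selinux-dovecot-replication-ssh module quoted above, and the later question of what the minimum rule for the vmail key is), here is a small Python script that is not from the dovecot project or from anyone in the thread. It does by hand what audit2allow does: it reads AVC denial records from audit.log, keeps only those whose source domain is dovecot_t, aggregates them into allow rules, and renders them in the same module shape as the quoted policy. The audit lines embedded in it are constructed to match the types named in the thread (dovecot_t, ssh_exec_t, ssh_home_t) and are not captures from the poster's hosts; the unrelated httpd_t line is there to show the filtering. The uncovered_denials() check is the part a practitioner wants before loading a module: given a smaller rule set (for example only the ssh_exec_t rule), it lists which observed denials that set still leaves open.

```python
"""Turn SELinux AVC denials into the allow rules that would cover them.

Added example for this thread, not code from the dovecot project or the
poster: a readable stand-in for audit2allow so the rules in the quoted
selinux-dovecot-replication-ssh module can be traced back to the denials
that produced them. The audit lines below are constructed to look like
audit.log records for the dovecot_t -> ssh_exec_t / ssh_home_t case; they
are not captures from anyone's server.
"""
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not a real capture). The last line is
# an unrelated httpd_t denial, included to show that it is filtered out.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1561211722.123:4567): avc:  denied  { execute } for  pid=12345 comm="doveadm" name="ssh" dev="dm-0" ino=1234 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1561211722.124:4568): avc:  denied  { read open } for  pid=12345 comm="doveadm" path="/usr/bin/ssh" dev="dm-0" ino=1234 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1561211722.125:4569): avc:  denied  { execute_no_trans } for  pid=12345 comm="doveadm" path="/usr/bin/ssh" dev="dm-0" ino=1234 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1561211722.130:4570): avc:  denied  { search } for  pid=12346 comm="ssh" name=".ssh" dev="dm-0" ino=5678 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1561211722.131:4571): avc:  denied  { getattr } for  pid=12346 comm="ssh" path="/root/.ssh" dev="dm-0" ino=5678 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1561211722.132:4572): avc:  denied  { read open } for  pid=12346 comm="ssh" path="/root/.ssh/known_hosts" dev="dm-0" ino=5679 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1561211722.150:4574): avc:  denied  { read } for  pid=999 comm="httpd" path="/srv/x" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# One AVC record: the permission set in braces, then the type component of
# scontext and tcontext (user:role:TYPE:level), then the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+):\S*\s+"
    r"\btcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+):\S*\s+"
    r"\btclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return (source_type, target_type, class, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (m.group("stype"), m.group("ttype"), m.group("tclass"),
            frozenset(m.group("perms").split()))


def collect_rules(log_text, source_domain):
    """Aggregate denials for one source domain into {(stype, ttype, tclass): perms}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        if stype != source_domain:  # ignore denials raised by other domains
            continue
        rules[(stype, ttype, tclass)].update(perms)
    return {key: frozenset(perms) for key, perms in rules.items()}


def render_module(rules, name, version="1.0"):
    """Render the rules as a policy module in the same shape as audit2allow output."""
    types = sorted({t for (stype, ttype, _) in rules for t in (stype, ttype)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


def uncovered_denials(rules, granted):
    """Observed denials not covered by an existing rule set (same key shape).

    Answers "is this smaller module enough?" before anything is loaded."""
    return {key: perms - granted.get(key, frozenset())
            for key, perms in rules.items()
            if perms - granted.get(key, frozenset())}


if __name__ == "__main__":
    observed = collect_rules(SAMPLE_AUDIT_LOG, "dovecot_t")
    print(render_module(observed, "selinux-dovecot-replication-ssh"))
    # The ssh_exec_t-only rule from the thread, checked against what was observed.
    only_exec = {("dovecot_t", "ssh_exec_t", "file"):
                 frozenset({"execute", "execute_no_trans", "open", "read"})}
    print("still denied with the ssh_exec_t-only rule:",
          uncovered_denials(observed, only_exec))
```

Run it against `ausearch -m avc --raw` output instead of the embedded sample to reproduce the workflow on a real host; the point of keeping the aggregation visible is that each allow rule can be read back to the specific denials that justified it, which is how you confirm a module grants no more than the replication path actually needs.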