Re: [EXT] doveadm backup from gmail with imapc
On Fri, 2020-04-10 at 15:13 +0300, Sami Ketola wrote:
> > On 10 Apr 2020, at 14.07, Ben Mulvihill wrote:
> >
> > last answer from gmail:
> >
> > 1586513176.126970 1944 OK Success
> > last commands sent by dovecot:
> >
> > 1586513175.951965 1944 UID FETCH 99624,99627,99628,99629,99631,99632,99633,99634,99635,99636,99637,99639,99640,99641,99642,99643,99644,99645,99646,99647,99648 (X-GM-MSGID)
> > 1586513176.127109 1945 LIST "" "*"
>
> So gmail hangs and never gives response to the last LIST command.
>
> Fetching X-GM-MSGID is related to POP3 UIDLs. If you don't care about
> POP3 and gmail labels you can remove gmail-migration from
> imapc_features.
>
> also you can try to set imapc_cmd_timeout to some low value like 10s
> to make dovecot to reconnect in case gmail hangs. Default is to wait
> for 5 mins.
>
> Sami

Thanks again!

I tried setting imapc_cmd_timeout = 10s and that was enough to take the download process past the ID stage and on to downloading messages. doveadm still failed the same ASSERT and core dumps, just not so soon. In four attempts I downloaded 4200, 1800, 0 and 4200 messages respectively. That was yesterday. I tried today and have successfully downloaded a further 2 messages without any core dumps. I ended up interrupting the process myself because I was concerned at exceeding my ISP's fair usage limits. But by repeating the command from time to time I should gradually be able to synchronise the whole mailbox.

Ben
Re: Missing permissions
On 11/04/2020 15:47 Alex JOST < jost+li...@dimejo.at> wrote:

> On 11.04.2020 at 13:00, Andrei Petru Mura wrote:
>
> > Hi,
> >
> > After configuring systemd unit with ReadWritePaths=/home/mail, I get the following error logs in audit:
> >
> > type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > type=SYSCALL msg=audit(1586604621.637:6736): arch=c03e syscall=83 success=no exit=-13 a0=55b493a7f338 a1=1ed a2= a3=fcd8 items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005 suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)
> > type=PROCTITLE msg=audit(1586604621.637:6736): proctitle="dovecot/imap"
> > type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > type=SYSCALL msg=audit(1586604621.638:6737): arch=c03e syscall=21 success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffe items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005 suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)
> > type=PROCTITLE msg=audit(1586604621.638:6737): proctitle="dovecot/imap"
> >
> > I have SELinux enabled, on CentOS. If I run:
> >
> > audit2why < /var/log/audit/audit.log
> >
> > I get:
> >
> > type=AVC msg=audit(1586601301.044:6707): avc: denied { write } for pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> >
> > Was caused by:
> > Missing type enforcement (TE) allow rule.
> >
> > I think it's important to know that I'm trying to use dovecot with virtual users. If I try to configure it with PAM authentication using system users, it works well.
> >
> > Any suggestions on this?
>
> Looks like /home/mail as mail store isn't included in the default SELinux policy. Did you make sure that the correct SELinux type is set on the directories?
>
> https://www.unix.com/man-page/centos/8/dovecot_selinux/
>
> If this isn't enough to get you going you might need to create your own policy. The following steps should be all that it takes to create your own policy.
>
> Check that grep includes only lines that you want included in your new policy:
>
> grep dovecot /var/log/audit/audit.log | audit2allow -w
>
> Create your new policy for Dovecot and install it:
>
> grep dovecot /var/log/audit/audit.log | audit2allow -M dovecot_custom
> semodule -i dovecot_custom.pp
>
> --
> Alex JOST

Or just label the directory with mail_home_rw_t

---
Aki Tuomi
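Added example, not part of any message in this thread: a shell function that reduces AVC records like the ones quoted above to source type, target type, class and permission, which makes it visible that the Maildir directory carries `etc_runtime_t` rather than a mail type. The names `avc_summary` and `sample_log` are assumptions, the last sample record is constructed, and the commented commands are the standard SELinux tools for applying the `mail_home_rw_t` label suggested above.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from audit.log lines on stdin.
# Output: "count source_type target_type class perms", most frequent first.
avc_summary() {
    awk '
    /type=AVC/ && /avc: +denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        # Denied permissions sit between the braces, e.g. { write }
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            # Contexts are user:role:type:level; the type is field 3
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        seen[src " " tgt " " cls " " perms]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Sample input: the two "write" AVC records and the PROCTITLE record are copied
# from the thread; the last AVC record is constructed for illustration.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=PROCTITLE msg=audit(1586604621.637:6736): proctitle="dovecot/imap"
type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1586604700.000:6740): avc: denied { read write } for pid=12750 comm="imap" name="dovecot.index.log" scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file permissive=0
EOF
}

sample_log | avc_summary

# A target type of etc_runtime_t on a mail directory suggests the directory is
# mislabelled, so relabel rather than widen policy (run as root):
#   semanage fcontext -a -t mail_home_rw_t '/home/mail(/.*)?'
#   restorecon -Rv /home/mail
#   ls -Zd /home/mail/domain/test/Maildir
```

Relabelling keeps `dovecot_t` confined to mail types, whereas a module generated by `audit2allow` from these records would let `dovecot_t` write to anything labelled `etc_runtime_t`.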
Re: Missing permissions
On 11.04.2020 at 13:00, Andrei Petru Mura wrote:

> Hi,
>
> After configuring systemd unit with ReadWritePaths=/home/mail, I get the following error logs in audit:
>
> type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> type=SYSCALL msg=audit(1586604621.637:6736): arch=c03e syscall=83 success=no exit=-13 a0=55b493a7f338 a1=1ed a2= a3=fcd8 items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005 suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)
> type=PROCTITLE msg=audit(1586604621.637:6736): proctitle="dovecot/imap"
> type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> type=SYSCALL msg=audit(1586604621.638:6737): arch=c03e syscall=21 success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffe items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005 suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)
> type=PROCTITLE msg=audit(1586604621.638:6737): proctitle="dovecot/imap"
>
> I have SELinux enabled, on CentOS. If I run:
>
> audit2why < /var/log/audit/audit.log
>
> I get:
>
> type=AVC msg=audit(1586601301.044:6707): avc: denied { write } for pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
>
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> I think it's important to know that I'm trying to use dovecot with virtual users. If I try to configure it with PAM authentication using system users, it works well.
>
> Any suggestions on this?

Looks like /home/mail as mail store isn't included in the default SELinux policy. Did you make sure that the correct SELinux type is set on the directories?

https://www.unix.com/man-page/centos/8/dovecot_selinux/

If this isn't enough to get you going you might need to create your own policy. The following steps should be all that it takes to create your own policy.

Check that grep includes only lines that you want included in your new policy:

grep dovecot /var/log/audit/audit.log | audit2allow -w

Create your new policy for Dovecot and install it:

grep dovecot /var/log/audit/audit.log | audit2allow -M dovecot_custom
semodule -i dovecot_custom.pp

--
Alex JOST
Re: [EXT] doveadm backup from gmail with imapc
> On 11 Apr 2020, at 15.20, Ben Mulvihill wrote:
>
> I tried setting imapc_cmd_timeout = 10s and that was enough to take the
> download process past the ID stage and on to downloading messages.
> doveadm still failed the same ASSERT and core dumps, just not so soon.
> In four attempts I downloaded 4200, 1800, 0 and 4200
> messages respectively. That was yesterday. I tried today and have
> successfully downloaded a further 2 messages without any core
> dumps. I ended up interrupting the process myself because I was
> concerned at exceeding my ISP's fair usage limits. But by repeating
> the command from time to time I should gradually be able to synchronise
> the whole mailbox.

Nice! Those assert crashes are probably a bug of some kind. Maybe Aki or Timo could take a look at them.

Sami
Re: Missing permissions
Hi,

After configuring systemd unit with ReadWritePaths=/home/mail, I get the following error logs in audit:

type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.637:6736): arch=c03e syscall=83 success=no exit=-13 a0=55b493a7f338 a1=1ed a2= a3=fcd8 items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005 suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)
type=PROCTITLE msg=audit(1586604621.637:6736): proctitle="dovecot/imap"
type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.638:6737): arch=c03e syscall=21 success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffe items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005 suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)
type=PROCTITLE msg=audit(1586604621.638:6737): proctitle="dovecot/imap"

I have SELinux enabled, on CentOS. If I run:

audit2why < /var/log/audit/audit.log

I get:

type=AVC msg=audit(1586601301.044:6707): avc: denied { write } for pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0

Was caused by:
Missing type enforcement (TE) allow rule.

I think it's important to know that I'm trying to use dovecot with virtual users. If I try to configure it with PAM authentication using system users, it works well.

Any suggestions on this?

Mura Andrei

On Sat, Apr 11, 2020 at 10:02 AM Andrei Petru Mura wrote:

> I think I found here what I'm interested in:
> https://doc.dovecot.org/admin_manual/system_users_used_by_dovecot/.
>
> On Sat, Apr 11, 2020 at 9:52 AM Andrei Petru Mura wrote:
>
>> Hi Aki,
>>
>> Thanks. I was especially interested in documentation related to dovecot
>> and its users permissions, the way in which dovecot uses users. Till now I
>> found only spread information on different articles from dovecot's website.
>>
>> Thanks,
>> Mura Andrei
>>
>> On Sat, Apr 11, 2020 at 9:49 AM Aki Tuomi wrote:
>>
>>> Hi,
>>>
>>> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=
>>>
>>> although we probably need to add some words into doc.dovecot.org under
>>> known issues.
>>>
>>> Aki
>>>
>>> > On 11/04/2020 09:24 Andrei Petru Mura wrote:
>>> >
>>> > Hi Aki,
>>> >
>>> > Any documentation on this topic?
>>> >
>>> > Mura Andrei
>>> >
>>> > On Mon, Apr 6, 2020 at 5:27 PM Aki Tuomi wrote:
>>> > > This is probably caused by systemd (or selinux or both).
>>> > >
>>> > > With systemd, you need to add
>>> > >
>>> > > ReadWritePaths=/home/mail
>>> > >
>>> > > to the systemd unit.
>>> > >
>>> > > Then you can check /var/log/audit/audit.log for any selinux specific problems. If you are using Centos/Redhat.
>>> > >
>>> > > Aki
>>> > >
>>> > > > On 06/04/2020 17:01 Andrei Petru Mura wrote:
>>> > > >
>>> > > > Hi,
>>> > > >
>>> > > > Dovecot version 2.2.36
>>> > > > In log files I get this error:
>>> > > > dovecot: imap(test): Namespace '': mkdir(/home/mail/domain/test/Maildir) failed: Permission denied (euid=1005(vmail) egid=1005(vmail) missing +w perm: /home/mail/domain, UNIX perms appear ok (ACL/MAC wrong?))
>>> > > >
>>> > > > My authentication configuration is this:
>>> > > > passdb {
>>> > > > driver = passwd-file
>>> > > > args = username_format=%n /etc/dovecot/users
>>> > > > }
>>> > > >
>>> > > > userdb {
>>> > > > driver = static
>>> > > > args = uid=vmail gid=vmail home=/home/mail/domain/%n username_format=%n /etc/dovecot/users
>>> > > >
>>> > > > }
>>> > > >
>>> > > > /home/mail/domain/test directory is owned by vmail user.
>>> > > > How to fix this?
>>> > > >
>>> > > > Mura Andrei
Re: Missing permissions
I think I found here what I'm interested in:
https://doc.dovecot.org/admin_manual/system_users_used_by_dovecot/.

On Sat, Apr 11, 2020 at 9:52 AM Andrei Petru Mura wrote:

> Hi Aki,
>
> Thanks. I was especially interested in documentation related to dovecot
> and its users permissions, the way in which dovecot uses users. Till now I
> found only spread information on different articles from dovecot's website.
>
> Thanks,
> Mura Andrei
>
> On Sat, Apr 11, 2020 at 9:49 AM Aki Tuomi wrote:
>
>> Hi,
>>
>> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=
>>
>> although we probably need to add some words into doc.dovecot.org under
>> known issues.
>>
>> Aki
>>
>> > On 11/04/2020 09:24 Andrei Petru Mura wrote:
>> >
>> > Hi Aki,
>> >
>> > Any documentation on this topic?
>> >
>> > Mura Andrei
>> >
>> > On Mon, Apr 6, 2020 at 5:27 PM Aki Tuomi wrote:
>> > > This is probably caused by systemd (or selinux or both).
>> > >
>> > > With systemd, you need to add
>> > >
>> > > ReadWritePaths=/home/mail
>> > >
>> > > to the systemd unit.
>> > >
>> > > Then you can check /var/log/audit/audit.log for any selinux specific problems. If you are using Centos/Redhat.
>> > >
>> > > Aki
>> > >
>> > > > On 06/04/2020 17:01 Andrei Petru Mura wrote:
>> > > >
>> > > > Hi,
>> > > >
>> > > > Dovecot version 2.2.36
>> > > > In log files I get this error:
>> > > > dovecot: imap(test): Namespace '': mkdir(/home/mail/domain/test/Maildir) failed: Permission denied (euid=1005(vmail) egid=1005(vmail) missing +w perm: /home/mail/domain, UNIX perms appear ok (ACL/MAC wrong?))
>> > > >
>> > > > My authentication configuration is this:
>> > > > passdb {
>> > > > driver = passwd-file
>> > > > args = username_format=%n /etc/dovecot/users
>> > > > }
>> > > >
>> > > > userdb {
>> > > > driver = static
>> > > > args = uid=vmail gid=vmail home=/home/mail/domain/%n username_format=%n /etc/dovecot/users
>> > > >
>> > > > }
>> > > >
>> > > > /home/mail/domain/test directory is owned by vmail user.
>> > > > How to fix this?
>> > > >
>> > > > Mura Andrei