Re: [Dovecot] replication howto

2012-03-19 Thread Matteo Cazzador
Hi, I've a simple question: what do you mean by a dovecot director setup?
I've a doubt.
The solution that I'm testing is using 3 mail servers in different
geographic locations.
A user can travel to various locations, and I want his IMAP mail to reside
on the mail server in every location.
So I use your solution about replication. The first server (by DNS record)
that receives mail syncs it to the other servers, and when the
user consults his mail by IMAP protocol everything is synced on all servers.
Do you suggest using a horizontal structure for it like I explained, or
is it better to have a single node external mail server
and customer location servers like slaves?
Thanks


On 19 March 2012 09:35, Michael Grimm trash...@odo.in-berlin.de wrote:
 Hi --


 On 15.03.2012 22:05, Timo Sirainen wrote:

 On 15.3.2012, at 22.48, Michael Grimm wrote:


 Actually it's a bad idea to use root for ssh from a security point
 of view. A hacked root account isn't fun. Thus, normally one needs
 to explicitly change the config of the sshd daemon to allow root
 logins (at least with FreeBSD what I'm using). Thus, I do recommend
 to use an unprivileged user like vmail.


 Then again it's safer to use system user accounts than a single vmail
 account that has access to everyone's emails.


 Root has access to everyone's mail as well.


 And if you allow ssh login only with public key authentication I
 don't think there are much security issues. And finally, it would
 be possible to write a small wrapper that allows the root's public
 key auth to only execute dsync-user.sh script that can't do anything
 except sync a specified user's mails.


 All those safety measures can be applied for the vmail user as well.
 Actually, that's what I did in my case, plus allowing ssh only between
 both mail servers (firewall rule).

 Regards,
 Michael




-- 
Respect the environment: if it is not necessary, do not print this mail.
**
Ing. Matteo Cazzador
Email: mcazza...@gmail.com
**


Re: [Dovecot] replication howto

2012-03-16 Thread Matteo Cazzador
Hi, thanks everybody, this afternoon I apply the suggestion

and I test the solution.

I post the actual configuration that I will test:

the vmail user is present too; I created ssh keys (ssh-keygen) for the vmail user and
its home directory
and permit ssh with no password with user vmail on the two servers. Then I
use the configuration below.

Do I leave the line below commented, or do I need to activate it? Excuse me, but I
don't understand clearly because of my terrible English.

#dsync_remote_cmd = ssh -l%{login} %{host} doveadm dsync-server -u%u
-l%{lock_timeout} -n%{namespace}

and apply this on two servers

service doveadm {
   # if you're using a single virtual user, set this to start ssh as vmail
   # (not root)
   #
   user = vmail
}

service config {
   # needed to grant access to /var/run/dovecot/config for service doveadm
   #
   unix_listener config {
      user = vmail
   }
}

Thank's everyboy

On 15 March 2012 22:55, Timo Sirainen t...@iki.fi wrote:
 Plus the scripts that

 1) when calling ssh dsync first writes the username to stdout (before dsync 
 starts communicating)

 and

 2) dsync.sh on remote first reads the username from stdin, before execing 
 dsync itself

 Because it's not possible to give -u $username parameter in the 
 authorized_keys cmd itself. That's the only changing parameter that is needed.

 On 15.3.2012, at 23.49, David Ford wrote:

 in ~privilegeduser/.ssh/authorized_keys:

 from=list of hosts key is valid for cmd=dsync.sh pubkey...

 On 03/15/2012 05:05 PM, Timo Sirainen wrote:
 Then again it's safer to use system user accounts than a single vmail 
 account that has access to everyone's emails. And if you allow ssh login 
 only with public key authentication I don't think there are much security 
 issues. And finally, it would be possible to write a small wrapper that 
 allows the root's public key auth to only execute dsync-user.sh script that 
 can't do anything except sync a specified user's mails.





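The wrapper Timo and David sketch above, written out as an added example that is not part of the thread: a POSIX sh forced command for the replication key, where the file name dsync-user.sh, the "client" mode, the logging and the /usr/local/bin path are my assumptions (the path is taken from a later message in this thread).

```shell
#!/bin/sh
# dsync-user.sh: forced command for the replication key, installed on each server
# and pinned in ~vmail/.ssh/authorized_keys with OpenSSH key options, e.g.
#   from="10.0.0.118",command="/usr/local/bin/dsync-user.sh",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...
# With that in place the key can run nothing but dsync-server for one validated user.
DOVEADM=${DOVEADM:-/usr/local/bin/doveadm}   # absolute path, as the thread found necessary

# log MSG: record each request via syslog when logger is available; never fatal.
log() { command -v logger >/dev/null 2>&1 && logger -t dsync-user -- "$*"; return 0; }

# valid_user NAME: accept only user@domain from a conservative character set, so the
# value read from stdin can never be parsed by doveadm as an option or extra argument.
valid_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._@-]*|*@*@*) return 1 ;;
        *@*.*) return 0 ;;
    esac
    return 1
}

# server_side: the remote half Timo describes. Reads the username as the first stdin
# line, validates it, then hands the remaining stdin/stdout stream to
# doveadm dsync-server for that single user (nothing else is reachable).
server_side() {
    IFS= read -r user || exit 1
    if ! valid_user "$user"; then
        log "rejected username from ${SSH_CLIENT%% *}"
        exit 1
    fi
    log "dsync-server for $user from ${SSH_CLIENT%% *}"
    exec "$DOVEADM" dsync-server -u "$user"
}

# client_side USER HOST: the local half, wired in with the (assumed) setting
#   dsync_remote_cmd = /usr/local/bin/dsync-user.sh client %u %{host}
# It writes the username line before anything else, then relays the dsync stream.
client_side() {
    { printf '%s\n' "$1"; exec cat; } | ssh -p 22 -l vmail "$2" dsync-server
}

# Dispatch on how we were invoked: as the forced command (no arguments) run the
# server half; as "dsync-user.sh client USER HOST" run the client half.
case "${0##*/}:${1-}" in
    dsync-user.sh:)       server_side ;;
    dsync-user.sh:client) client_side "$2" "$3" ;;
esac
```

Because sshd ignores the client's command string once command= is set, the remote side can only ever reach dsync-server, and a username that fails valid_user is logged and refused before doveadm is started.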


Re: [Dovecot] replication howto

2012-03-16 Thread Matteo Cazzador
Hi, with these changes the first step is passed:

I uncomment this

#dsync_remote_cmd = ssh -p 22 -l%{login} %{host} doveadm dsync-server -u%u -l%{lock_timeout} -n%{namespace}

I activate it and add the absolute path of doveadm

dsync_remote_cmd = ssh -p 22 -l%{login} %{host} /usr/local/bin/doveadm dsync-server -u%u -l%{lock_timeout} -n%{namespace}

But now from server 1 I obtain

Error: remote: dsync-remote(matteo@netlite.locale): Error: User has no home directory

Note: if I send a mail from server 2 the mail goes correctly into the local
(server 2) virtual home directory

I note that when I launch the sync manually from server 1, mysql on server
2 makes the correct SQL to find the user's home dir

On server 2

SELECT maildir, 1000 AS uid, 1000 AS gid,
'/home/domini-posta/netlite.locale/matteo' as mail FROM mailbox WHERE
username = 'matteo@netlite.locale'

result is:

+------------------------+------+------+------------------------------------------+
| maildir                | uid  | gid  | mail                                     |
+------------------------+------+------+------------------------------------------+
| netlite.locale/matteo/ | 1000 | 1000 | /home/domini-posta/netlite.locale/matteo |
+------------------------+------+------+------------------------------------------+

this configuration is the same for server 1 and 2

thanks

On 16 March 2012 13:12, Matteo Cazzador mcazza...@gmail.com wrote:
 Hi, I obtain the same error

 Mar 16 13:02:01 Gentoo_cyrus_imap dovecot: dsync-local(matteo@netlite.locale): Error: remote: bash: doveadm: command not found
 Mar 16 13:02:01 Gentoo_cyrus_imap dovecot: dsync-local(matteo@netlite.locale): Error: read() from worker server failed: EOF


 I've created the vmail user (I've the virtual domain netlite.locale (postfix),
 mysql backend; I receive and send mail correctly; I use the IMAP protocol),
 got an ssh connection with public key,
 I verified that with su - vmail, vmail finds doveadm; I post my
 dovecot.conf file because I don't know what is wrong

 vmail exists on every server with public key

 (server one = 10.0.0.118

 server two = 10.0.0.122)

 dovecot.conf -

 #dsync_remote_cmd = ssh -p 22 -l%{login} %{host} doveadm dsync-server -u%u -l%{lock_timeout} -n%{namespace}

 service aggregator {
    # give enough permissions for mail processes
    #
    fifo_listener replication-notify-fifo {
       user = vmail
       mode = 0600
    }
    unix_listener replication-notify {
       user = vmail
       mode = 0600
    }
 }
 service replicator {
    # start replication at startup
    #
    process_min_avail = 1
 }


 service doveadm {
    # if you're using a single virtual user, set this to start ssh as vmail
    # (not root)

    user = vmail
 }

 service config {
    # needed to grant access to /var/run/dovecot/config for service doveadm

    unix_listener config {
       user = vmail
    }
 }

 plugin {
    # this host replicates to remote host
    #
    mail_replica = remote:vmail@10.0.0.122

    # run full synchronization mode every other hour
    # (default is every 24 hours)
    #
    replication_full_sync_interval = 1 hour
 }


 idem on server 2, changing mail_replica = remote:vmail@10.0.0.118

 thanks







Re: [Dovecot] replication howto

2012-03-16 Thread Matteo Cazzador
Hi,

Solved!

I add to my SQL


SELECT maildir, 1000 AS uid, 1000 AS gid,
'/home/domini-posta/netlite.locale/matteo' as mail,
'/home/domini-posta/netlite.locale/matteo' as home FROM mailbox WHERE
username = 'matteo@netlite.locale'

Now I've seen the first replication going!!! Thanks everybody

I hope my test helps someone.

Now I proceed to use the replication system.






[Dovecot] replication howto

2012-03-15 Thread Matteo Cazzador
Hello, excuse me, but is there some documentation about replication now?
I don't understand where I must put the lines below (dovecot.conf?, 20-imap?)
Excuse me, but it's not so clear for me because I'm a new dovecot user.
Another question: I use virtual users on a mysql backend, so for
replication do I need to give ssh to every virtual user?
Or can I only use a system ssh user?
Thanks



service aggregator {
   # give enough permissions for mail processes
   fifo_listener replication-notify-fifo {
      user = vmail
      mode = 0600
   }
   unix_listener replication-notify {
      user = vmail
      mode = 0600
   }
}

service replicator {
   # start replication at startup
   process_min_avail = 1
}

plugin {
   # host1 replicates to host2
   mail_replica = remote:vmail@host2.example.com
   # host2 replicates to host1
   #mail_replica = remote:vmail@host1.example.com
}

#dsync_remote_cmd = ssh -l%{login} %{host} doveadm dsync-server -u%u -l%{lock_timeout} -n%{namespace}

service doveadm {
   # if you're using a single virtual user, set this to
   # start ssh as vmail (not root)
   user = vmail
}



Re: [Dovecot] replication howto

2012-03-15 Thread Matteo Cazzador
Hi, thanks a lot for your detailed answer.

About ssh (excuse my English) I think you correctly understand
what my problem is:
with virtual users (I have no system users) there are no ssh
accounts. So I must use a dedicated account for replication (ssh)
that must do the sync for all virtual mail accounts.
Thanks, I try your suggestion now!








On 15 March 2012 18:09, Michael Grimm trash...@odo.in-berlin.de wrote:
 Hi --

 On 15.03.2012, at 17:42, Matteo Cazzador wrote:

 Hello, excuse me but there is some documentation about replication now?

 Not that I'm aware of.

 I dont' understand where i must put the lines below (dovecot.conf? ,
 20-imap?)

 You can put them wherever you wish, as long as you include that part
 of your configuration. Myself, I'm still using a single dovecot.conf,
 only.

 Another question, i use virtual users on mysql backend , so for
 replication i need to give ssh at every virtual users?
 Or i can use a only use a system ssh user?

 If I'm not mistaken, you can use a single ssh user, and you could use
 the vmail user for instance. That's what I do, and I'm using sqlite for
 userdb.

 Here's my configuration:
 ---

 If you choose to run ssh on a different port from the default one, you need:

   ## ssh command line used in dsync replication (ssh port added)
   #
   dsync_remote_cmd = ssh -p 1234 -l%{login} %{host} doveadm dsync-server -u%u -l%{lock_timeout} -n%{namespace}



 If not, you can start here:

   ## --- DSYNC REPLICATION 
   #
   # aggregator, replicator, doveadm, and config needed, and
   # dsync_remote_cmd if running ssh via non-default port
   #
   service aggregator {
        # give enough permissions for mail processes
        #
        fifo_listener replication-notify-fifo {
                user = vmail
                mode = 0600
        }
        unix_listener replication-notify {
                user = vmail
                mode = 0600
        }
   }
   service replicator {
        # start replication at startup
        #
        process_min_avail = 1
   }
   service doveadm {
        # if you're using a single virtual user, set this to start ssh as vmail
        # (not root)
        #
        user = vmail
   }
   service config {
        # needed to grant access to /var/run/dovecot/config for service doveadm
        #
        unix_listener config {
                user = vmail
        }
   }



 The following part is for server 1, only:

   ## --- PLUGINS 
   #
   # dsync replication plugin
   #
   plugin {
        # this host replicates to remote host
        #
        mail_replica = remote:vmail@server2.domain

        # run full synchronization mode every other hour
        # (default is every 24 hours)
        #
        replication_full_sync_interval = 1 hours
   }



 The following part is for server 2, only:

   ## --- PLUGINS 
   #
   # dsync replication plugin
   #
   plugin {
        # this host replicates to remote host
        #
        mail_replica = remote:vmail@server1.domain

        # run full synchronization mode every other hour
        # (default is every 24 hours)
        #
        replication_full_sync_interval = 1 hours
   }

 HTH,
 Michael






Re: [Dovecot] replication howto

2012-03-15 Thread Matteo Cazzador
Hi, yes it's a good idea, but I'm using root now; I hope this does not invalidate everything

I obtain this error, but maybe I need some pause

Mar 15 18:55:28 Gentoo_cyrus_imap dovecot: dsync-local(matteo@netlite.locale): Error: remote: bash: doveadm: command not found
Mar 15 18:55:28 Gentoo_cyrus_imap dovecot: dsync-local(matteo@netlite.locale): Error: read() from worker server failed: EOF


Thanks a lot!



On 15 March 2012 18:28, Michael Grimm trash...@odo.in-berlin.de wrote:
 Hi --

 On 15.03.2012, at 18:16, Matteo Cazzador wrote:

 with virtual user (i have no system user ) and there are not ssh
 account. So i must use a dedicate account for replication (ssh)
 that must act sync for all virtual mail account.

 Yes, that's what I use. I did create a dedicated account for vmail
 with all the necessary ssh stuff in ~vmail/.ssh

 One remark I forgot to mention in my last mail:

   service doveadm {
        # if you're using a single virtual user, set this to start ssh as vmail
        # (not root)
        #
        user = vmail
   }

 This part is only needed, if you choose to run service doveadm as user
 vmail like I do.

   service config {
        # needed to grant access to /var/run/dovecot/config for service doveadm
        #
        unix_listener config {
                user = vmail
        }
   }

 Regards,
 Michael






[Dovecot] dovecot imap cluster

2012-01-27 Thread Matteo Cazzador
Hello, I'm using postfix as the SMTP server; I need to choose an IMAP
server with a special feature.

I have a customer with 3 different geographic locations.

Every location has a mail server for the same domain (example.com).

If us...@example.com receives mail from outside, this mail goes to
every location's server.

I've a problem now: is it possible to synchronize the state (mail flags)
of user1's IMAP folder mails on every location's mail server?

Example: if user1 reads a mail on server one, is it possible to change the
flag of the same mail file on server 2 and server 3?

Is it possible to use dsync for it?

I need something like an IMAP cluster.

Or an action in post-processing of an IMAP mail read.

I can't use a distributed file system.

Thanks a lot
