Re: Dovecot replication and userdb "noreplicate".

2019-08-07 Thread Reio Remma via dovecot

On 07/08/2019 09:29, Sami Ketola wrote:

> On 6 Aug 2019, at 23.52, Reio Remma via dovecot wrote:
>
>> service doveadm {
>>  user = vmail
>> }
>>
>> This seems to have fixed it. Here's hoping for no unforeseen side-effects. :)
>>
>> I still need allow dovecot_t ssh_exec_t:file { execute execute_no_trans open
>> read }; for selinux, but there are no more errors in maillog and it can read
>> both the key and known_hosts (from either /home/vmail/.ssh/known_hosts or
>> /etc/ssh/ssh_known_hosts).
>
> There might be. What we usually do is just allow the dsync user to sudo doveadm
> dsync-server and then add sudo to the dsync remote command.
>
> Sami



Thanks! I'll keep it in mind in case I run into problems with doveadm as 
vmail. So far so good.


Thanks again!
Reio


Re: Dovecot replication and userdb "noreplicate".

2019-08-07 Thread Sami Ketola via dovecot



> On 6 Aug 2019, at 23.52, Reio Remma via dovecot  wrote:
> 
> service doveadm {
> user = vmail
> }
> 
> This seems to have fixed it. Here's hoping for no unforeseen side-effects. :)
> 
> I still need allow dovecot_t ssh_exec_t:file { execute execute_no_trans open 
> read }; for selinux, but there are no more errors in maillog and it can read 
> both the key and known_hosts (from either /home/vmail/.ssh/known_hosts or 
> /etc/ssh/ssh_known_hosts).

There might be. What we usually do is just allow the dsync user to sudo doveadm 
dsync-server and then add sudo to the dsync remote command.

Sami




Re: Dovecot replication and userdb "noreplicate".

2019-08-06 Thread Reio Remma via dovecot

On 06.08.2019 23:17, Reio Remma via dovecot wrote:

> On 24.06.2019 16:25, Reio Remma wrote:
>
>> On 24.06.2019 8:21, Aki Tuomi wrote:
>>
>>> On 22.6.2019 22.00, Reio Remma via dovecot wrote:
>>>
>>>> Jun 22 16:55:22 host dovecot: dsync-local(u...@host.ee)<>: Error:
>>>> Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l
>>>> vmail backup.host.ee doveadm dsync-server -D -uu...@host.ee
>>>>
>>>> PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun
>>>> as usual. :)
>>>
>>> Dovecot under selinux works, as long as you do it the way the policy
>>> writer intended, see https://linux.die.net/man/8/dovecot_selinux
>>>
>>> Aki
>>
>> For replication over SSH I had to add the following module:
>>
>> module selinux-dovecot-replication-ssh 1.0;
>>
>> require {
>>  type ssh_exec_t;
>>  type ssh_home_t;
>>  type dovecot_t;
>>  class file { open read execute execute_no_trans };
>>  class dir { getattr search };
>> }
>>
>> #= dovecot_t ==
>> allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
>> allow dovecot_t ssh_home_t:dir { getattr search };
>> allow dovecot_t ssh_home_t:file { open read };
>>
>> ssh_exec_t to allow Dovecot to use ssh executable in the first place
>> and ssh_home_t:dir + ssh_home_t:file for it to be able to read
>> known_hosts from /root/.ssh
>>
>> Reio
>
> To cut down on selinux exceptions I put the destination host in
> /etc/ssh/ssh_known_hosts and dovecot successfully replicates, however
> I get the following log entry for every replicator action:
>
> Aug  6 22:25:59 turin dovecot: doveadm: Error: Could not create
> directory '/root/.ssh'.
>
> Replication is set up with the user vmail (/home/vmail and SSH key in
> /home/vmail/.ssh) and the minimum selinux rule to get Dovecot to read
> the key is:
>
> allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read };
>
> Is there a way I can change from root to vmail user for creating the
> SSH connection?
>
> Doveconf below:
>
> # 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
>
> service doveadm {
>   inet_listener http {
>     address = localhost
>     port = 8080
>   }
> }


service doveadm {
    user = vmail
}

This seems to have fixed it. Here's hoping for no unforeseen 
side-effects. :)


I still need allow dovecot_t ssh_exec_t:file { execute execute_no_trans 
open read }; for selinux, but there are no more errors in maillog and it 
can read both the key and known_hosts (from either 
/home/vmail/.ssh/known_hosts or /etc/ssh/ssh_known_hosts).


Reio

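An added pre-flight check for the setup discussed in this thread (example code, not from the list or from Dovecot): given the user that `service doveadm { user = ... }` runs as, the identity file from `dsync_remote_cmd` and the replica host, it verifies that the key is readable only by that user and that the host already has an entry in a known_hosts file (either `/home/vmail/.ssh/known_hosts` or `/etc/ssh/ssh_known_hosts` in the thread), so ssh never has to create `~/.ssh`, which is what produced the `Could not create directory '/root/.ssh'` error while doveadm still ran as root. It assumes GNU `stat` (CentOS) and takes every path and the user as arguments; nothing is guessed from the running Dovecot.

```shell
#!/bin/sh
# Added example, not from this thread or from Dovecot: pre-flight check for
# dsync replication over SSH. Assumes GNU stat; user, key, host and the
# known_hosts files are passed in as arguments.

# 0 when FILE is a regular file owned by USER with mode 0600 or 0400
# (what ssh itself requires before it will use a private key).
key_perms_ok() {
    user=$1; file=$2
    [ -f "$file" ] || return 1
    owner=$(stat -c %U "$file") || return 1
    mode=$(stat -c %a "$file") || return 1
    [ "$owner" = "$user" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 when HOST has an entry in any of the known_hosts files given after it.
# Understands plain, "[host]:port" and comma-separated host fields; hashed
# (|1|...) entries, @marker lines and comments are skipped, never matched.
host_known() {
    host=$1; shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v h="$host" '
            $1 !~ "^[#|@]" {
                n = split($1, a, ",")
                for (i = 1; i <= n; i++) {
                    x = a[i]; sub(/^\[/, "", x); sub(/\]:[0-9]+$/, "", x)
                    if (x == h) { found = 1; exit }
                }
            }
            END { exit found ? 0 : 1 }' "$f" && return 0
    done
    return 1
}

# Usage: dsync_ssh_preflight USER KEY HOST KNOWN_HOSTS...
# Prints one line per failed check and returns non-zero if any check failed.
dsync_ssh_preflight() {
    user=$1; key=$2; host=$3; shift 3
    rc=0
    key_perms_ok "$user" "$key" || { echo "FAIL: $key must be owned by $user with mode 0600" >&2; rc=1; }
    host_known "$host" "$@" || { echo "FAIL: no known_hosts entry for $host in: $*" >&2; rc=1; }
    return $rc
}
```

For the configuration in this thread the call would be `dsync_ssh_preflight vmail /home/vmail/.ssh/vmail.pem backup.host.ee /home/vmail/.ssh/known_hosts /etc/ssh/ssh_known_hosts`; it only confirms the file-level prerequisites, the SELinux side still needs the `dovecot_t` rules shown above.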

Re: Dovecot replication and userdb "noreplicate".

2019-08-06 Thread Reio Remma via dovecot

On 24.06.2019 16:25, Reio Remma wrote:

> On 24.06.2019 8:21, Aki Tuomi wrote:
>
>> On 22.6.2019 22.00, Reio Remma via dovecot wrote:
>>
>>> Jun 22 16:55:22 host dovecot: dsync-local(u...@host.ee)<>: Error:
>>> Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l
>>> vmail backup.host.ee doveadm dsync-server -D -uu...@host.ee
>>>
>>> PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun
>>> as usual. :)
>>
>> Dovecot under selinux works, as long as you do it the way the policy
>> writer intended, see https://linux.die.net/man/8/dovecot_selinux
>>
>> Aki
>
> For replication over SSH I had to add the following module:
>
> module selinux-dovecot-replication-ssh 1.0;
>
> require {
>  type ssh_exec_t;
>  type ssh_home_t;
>  type dovecot_t;
>  class file { open read execute execute_no_trans };
>  class dir { getattr search };
> }
>
> #= dovecot_t ==
> allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
> allow dovecot_t ssh_home_t:dir { getattr search };
> allow dovecot_t ssh_home_t:file { open read };
>
> ssh_exec_t to allow Dovecot to use ssh executable in the first place
> and ssh_home_t:dir + ssh_home_t:file for it to be able to read
> known_hosts from /root/.ssh
>
> Reio


To cut down on selinux exceptions I put the destination host in 
/etc/ssh/ssh_known_hosts and dovecot successfully replicates, however I 
get the following log entry for every replicator action:


Aug  6 22:25:59 turin dovecot: doveadm: Error: Could not create 
directory '/root/.ssh'.


Replication is set up with the user vmail (/home/vmail and SSH key in 
/home/vmail/.ssh) and the minimum selinux rule to get Dovecot to read 
the key is:


allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read };

Is there a way I can change from root to vmail user for creating the SSH 
connection?


Doveconf below:

# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.1 (db5c74be)
# OS: Linux 4.4.186-1.el7.elrepo.x86_64 x86_64 CentOS Linux release 
7.6.1810 (Core)

# Hostname: turin.mrstuudio.ee
doveadm_api_key = # hidden, use -P to show it
dsync_remote_cmd = ssh -i /home/vmail/.ssh/vmail.pem -l %{login} %{host} 
doveadm dsync-server -u %u

mail_gid = vmail
mail_home = /home/vmail/%d/%n
mail_location = maildir:~/Maildir
mail_log_prefix = "%s(%u): "
mail_plugins = quota notify replication
mail_uid = vmail
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox "Deleted Messages" {
    auto = no
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = no
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = no
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  mail_replica = remote:vmail@replica
}
protocols = imap lmtp
service aggregator {
  fifo_listener replication-notify-fifo {
    user = vmail
  }
  unix_listener replication-notify {
    user = vmail
  }
}
service doveadm {
  inet_listener http {
    address = localhost
    port = 8080
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  executable = lmtp -L
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    mode = 0600
    user = vmail
  }
}
service stats {
  unix_listener stats-writer {
    mode = 0666
  }
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  default_fields = uid=vmail gid=vmail
  driver = sql
}
protocol lmtp {
  mail_plugins = quota notify replication
}
protocol imap {
  imap_capability = +SPECIAL-USE
  imap_metadata = yes
  mail_max_userip_connections = 50
  mail_plugins = quota notify replication imap_quota
  namespace inbox {
    location =
    mailbox Ham {
  autoexpunge = 365 days
    }
    mailbox Spam {
  autoexpunge = 365 days
    }
    mailbox Trash {
  autoexpunge = 180 days
    }
    prefix =
  }
}

Thanks!
Reio


Re: Dovecot replication and userdb "noreplicate".

2019-06-24 Thread Reio Remma via dovecot

On 24.06.2019 8:21, Aki Tuomi wrote:

> On 22.6.2019 22.00, Reio Remma via dovecot wrote:
>
>> Hello!
>>
>> I finally took the time and spent two days to set up replication for
>> my server and now I have a question or two.
>>
>> I initially set noreplicate userdb field to 1 for all but a test user,
>> but I could still see in the logs that all mailboxes were trying to
>> connect to the other server via SSH. Is that normal?
>>
>> Jun 22 16:55:22 host dovecot: dsync-local(u...@host.ee)<>: Error:
>> Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l
>> vmail backup.host.ee doveadm dsync-server -D -u u...@host.ee
>>
>> Then I ended up setting mail_replica in userdb for only my test user,
>> but I could still see in the logs that it was trying to sync the
>> others as well, despite mail_replica being 0 for the rest.
>>
>> Jun 22 20:52:59 host dovecot: doveadm(u...@host.ee): Fatal: -N
>> parameter requires syncing with remote host
>>
>> I also notice (and read from recent posts) that sieve script
>> replication doesn't work at all.
>>
>> Dovecot v2.3.6 and Pigeonhole from the official Dovecot CentOS repo.
>>
>> Thanks,
>> Reio
>> PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun
>> as usual. :)
>
> Hi!
>
> We are fixing this in 2.3.7, noreplicate works but causes errors. You
> can try
> https://github.com/dovecot/core/compare/6d5b4b5%5E..93945ec.patch if you
> are compiling yourself.
>
> Dovecot under selinux works, as long as you do it the way the policy
> writer intended, see https://linux.die.net/man/8/dovecot_selinux
>
> Aki


For replication over SSH I had to add the following module:

module selinux-dovecot-replication-ssh 1.0;

require {
type ssh_exec_t;
type ssh_home_t;
type dovecot_t;
class file { open read execute execute_no_trans };
class dir { getattr search };
}

#= dovecot_t ==
allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
allow dovecot_t ssh_home_t:dir { getattr search };
allow dovecot_t ssh_home_t:file { open read };


ssh_exec_t to allow Dovecot to use ssh executable in the first place and 
ssh_home_t:dir + ssh_home_t:file for it to be able to read known_hosts 
from /root/.ssh


Reio


Re: Dovecot replication and userdb "noreplicate".

2019-06-23 Thread Aki Tuomi via dovecot


On 22.6.2019 22.00, Reio Remma via dovecot wrote:
> Hello!
>
> I finally took the time and spent two days to set up replication for
> my server and now I have a question or two.
>
> I initially set noreplicate userdb field to 1 for all but a test user,
> but I could still see in the logs that all mailboxes were trying to
> connect to the other server via SSH. Is that normal?
>
> Jun 22 16:55:22 host dovecot: dsync-local(u...@host.ee)<>: Error:
> Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l
> vmail backup.host.ee doveadm dsync-server -D -u u...@host.ee
>
> Then I ended up setting mail_replica in userdb for only my test user,
> but I could still see in the logs that it was trying to sync the
> others as well, despite mail_replica being 0 for the rest.
>
> Jun 22 20:52:59 host dovecot: doveadm(u...@host.ee): Fatal: -N
> parameter requires syncing with remote host
>
> I also notice (and read from recent posts) that sieve script
> replication doesn't work at all.
>
> Dovecot v2.3.6 and Pigeonhole from the official Dovecot CentOS repo.
>
> Thanks,
> Reio
> PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun
> as usual. :)


Hi!

We are fixing this in 2.3.7, noreplicate works but causes errors. You
can try
https://github.com/dovecot/core/compare/6d5b4b5%5E..93945ec.patch if you
are compiling yourself.

Dovecot under selinux works, as long as you do it the way the policy
writer intended, see https://linux.die.net/man/8/dovecot_selinux

Aki