Re: Dovecot replication and userdb "noreplicate".
On 07/08/2019 09:29, Sami Ketola wrote:
> On 6 Aug 2019, at 23.52, Reio Remma via dovecot wrote:
>>
>> service doveadm {
>>   user = vmail
>> }
>>
>> This seems to have fixed it. Here's hoping for no unforeseen side-effects. :)
>>
>> I still need allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read }; for selinux, but there are no more errors in maillog and it can read both the key and known_hosts (from either /home/vmail/.ssh/known_hosts or /etc/ssh/ssh_known_hosts).
>
> There might be. What we usually do is just allow dsync user to sudo doveadm dsync-server and then add sudo to dsync remote command.
>
> Sami

Thanks! I'll keep it in mind in case I run into problems with doveadm as vmail. So far so good.

Thanks again!
Reio
Re: Dovecot replication and userdb "noreplicate".
> On 6 Aug 2019, at 23.52, Reio Remma via dovecot wrote:
>
> service doveadm {
>   user = vmail
> }
>
> This seems to have fixed it. Here's hoping for no unforeseen side-effects. :)
>
> I still need allow dovecot_t ssh_exec_t:file { execute execute_no_trans open
> read }; for selinux, but there are no more errors in maillog and it can read
> both the key and known_hosts (from either /home/vmail/.ssh/known_hosts or
> /etc/ssh/ssh_known_hosts).

There might be. What we usually do is just allow dsync user to sudo doveadm dsync-server and then add sudo to dsync remote command.

Sami
Re: Dovecot replication and userdb "noreplicate".
On 06.08.2019 23:17, Reio Remma via dovecot wrote:
> On 24.06.2019 16:25, Reio Remma wrote:
>> On 24.06.2019 8:21, Aki Tuomi wrote:
>>> On 22.6.2019 22.00, Reio Remma via dovecot wrote:
>>>> Jun 22 16:55:22 host dovecot: dsync-local(u...@host.ee)<>: Error: Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l vmail backup.host.ee doveadm dsync-server -D -uu...@host.ee
>>>>
>>>> PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun as usual. :)
>>>
>>> Dovecot under selinux works, as long as you do it the way the policy writer intended, see https://linux.die.net/man/8/dovecot_selinux
>>>
>>> Aki
>>
>> For replication over SSH I had to add the following module:
>>
>> module selinux-dovecot-replication-ssh 1.0;
>>
>> require {
>>     type ssh_exec_t;
>>     type ssh_home_t;
>>     type dovecot_t;
>>     class file { open read execute execute_no_trans };
>>     class dir { getattr search };
>> }
>>
>> #= dovecot_t ==
>> allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
>> allow dovecot_t ssh_home_t:dir { getattr search };
>> allow dovecot_t ssh_home_t:file { open read };
>>
>> ssh_exec_t to allow Dovecot to use ssh executable in the first place and ssh_home_t:dir + ssh_home_t:file for it to be able to read known_hosts from /root/.ssh
>>
>> Reio
>
> To cut down on selinux exceptions I put the destination host in /etc/ssh/ssh_known_hosts and dovecot successfully replicates, however I get the following log entry for every replicator action:
>
> Aug 6 22:25:59 turin dovecot: doveadm: Error: Could not create directory '/root/.ssh'.
>
> Replication is set up with the user vmail (/home/vmail and SSH key in /home/vmail/.ssh) and the minimum selinux rule to get Dovecot to read the key is:
>
> allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read };
>
> Is there a way I can change from root to vmail user for creating the SSH connection?
>
> Doveconf below:
>
> # 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
> service doveadm {
>   inet_listener http {
>     address = localhost
>     port = 8080
>   }
> }

service doveadm {
  user = vmail
}

This seems to have fixed it. Here's hoping for no unforeseen side-effects. :)

I still need allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read }; for selinux, but there are no more errors in maillog and it can read both the key and known_hosts (from either /home/vmail/.ssh/known_hosts or /etc/ssh/ssh_known_hosts).

Reio
Re: Dovecot replication and userdb "noreplicate".
On 24.06.2019 16:25, Reio Remma wrote:
> On 24.06.2019 8:21, Aki Tuomi wrote:
>> On 22.6.2019 22.00, Reio Remma via dovecot wrote:
>>> Jun 22 16:55:22 host dovecot: dsync-local(u...@host.ee)<>: Error: Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l vmail backup.host.ee doveadm dsync-server -D -uu...@host.ee
>>>
>>> PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun as usual. :)
>>
>> Dovecot under selinux works, as long as you do it the way the policy writer intended, see https://linux.die.net/man/8/dovecot_selinux
>>
>> Aki
>
> For replication over SSH I had to add the following module:
>
> module selinux-dovecot-replication-ssh 1.0;
>
> require {
>     type ssh_exec_t;
>     type ssh_home_t;
>     type dovecot_t;
>     class file { open read execute execute_no_trans };
>     class dir { getattr search };
> }
>
> #= dovecot_t ==
> allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
> allow dovecot_t ssh_home_t:dir { getattr search };
> allow dovecot_t ssh_home_t:file { open read };
>
> ssh_exec_t to allow Dovecot to use ssh executable in the first place and ssh_home_t:dir + ssh_home_t:file for it to be able to read known_hosts from /root/.ssh
>
> Reio

To cut down on selinux exceptions I put the destination host in /etc/ssh/ssh_known_hosts and dovecot successfully replicates, however I get the following log entry for every replicator action:

Aug 6 22:25:59 turin dovecot: doveadm: Error: Could not create directory '/root/.ssh'.

Replication is set up with the user vmail (/home/vmail and SSH key in /home/vmail/.ssh) and the minimum selinux rule to get Dovecot to read the key is:

allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read };

Is there a way I can change from root to vmail user for creating the SSH connection?

Doveconf below:

# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.1 (db5c74be)
# OS: Linux 4.4.186-1.el7.elrepo.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core)
# Hostname: turin.mrstuudio.ee
doveadm_api_key = # hidden, use -P to show it
dsync_remote_cmd = ssh -i /home/vmail/.ssh/vmail.pem -l %{login} %{host} doveadm dsync-server -u %u
mail_gid = vmail
mail_home = /home/vmail/%d/%n
mail_location = maildir:~/Maildir
mail_log_prefix = "%s(%u): "
mail_plugins = quota notify replication
mail_uid = vmail
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox "Deleted Messages" {
    auto = no
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = no
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = no
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  mail_replica = remote:vmail@replica
}
protocols = imap lmtp
service aggregator {
  fifo_listener replication-notify-fifo {
    user = vmail
  }
  unix_listener replication-notify {
    user = vmail
  }
}
service doveadm {
  inet_listener http {
    address = localhost
    port = 8080
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  executable = lmtp -L
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    mode = 0600
    user = vmail
  }
}
service stats {
  unix_listener stats-writer {
    mode = 0666
  }
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  default_fields = uid=vmail gid=vmail
  driver = sql
}
protocol lmtp {
  mail_plugins = quota notify replication
}
protocol imap {
  imap_capability = +SPECIAL-USE
  imap_metadata = yes
  mail_max_userip_connections = 50
  mail_plugins = quota notify replication imap_quota
  namespace inbox {
    location =
    mailbox Ham {
      autoexpunge = 365 days
    }
    mailbox Spam {
      autoexpunge = 365 days
    }
    mailbox Trash {
      autoexpunge = 180 days
    }
    prefix =
  }
}

Thanks!
Reio
Re: Dovecot replication and userdb "noreplicate".
On 24.06.2019 8:21, Aki Tuomi wrote:
> On 22.6.2019 22.00, Reio Remma via dovecot wrote:
>> Hello!
>>
>> I finally took the time and spent two days to set up replication for my server and now I have a question or two.
>>
>> I initially set noreplicate userdb field to 1 for all but a test user, but I could still see in the logs that all mailboxes were trying to connect to the other server via SSH. Is that normal?
>>
>> Jun 22 16:55:22 host dovecot: dsync-local(u...@host.ee)<>: Error: Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l vmail backup.host.ee doveadm dsync-server -D -u u...@host.ee
>>
>> Then I ended up setting mail_replica in userdb for only my test user, but I could still see in the logs that it was trying to sync the others as well, despite mail_replica being 0 for the rest.
>>
>> Jun 22 20:52:59 host dovecot: doveadm(u...@host.ee): Fatal: -N parameter requires syncing with remote host
>>
>> I also notice (and read from recent posts) that sieve script replication doesn't work at all.
>>
>> Dovecot v2.3.6 and Pigeonhole from the official Dovecot CentOS repo.
>>
>> Thanks,
>> Reio
>> PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun as usual. :)
>
> Hi!
>
> We are fixing this in 2.3.7, noreplicate works but causes errors. You can try https://github.com/dovecot/core/compare/6d5b4b5%5E..93945ec.patch if you are compiling yourself.
>
> Dovecot under selinux works, as long as you do it the way the policy writer intended, see https://linux.die.net/man/8/dovecot_selinux
>
> Aki

For replication over SSH I had to add the following module:

module selinux-dovecot-replication-ssh 1.0;

require {
    type ssh_exec_t;
    type ssh_home_t;
    type dovecot_t;
    class file { open read execute execute_no_trans };
    class dir { getattr search };
}

#= dovecot_t ==
allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
allow dovecot_t ssh_home_t:dir { getattr search };
allow dovecot_t ssh_home_t:file { open read };

ssh_exec_t to allow Dovecot to use ssh executable in the first place and ssh_home_t:dir + ssh_home_t:file for it to be able to read known_hosts from /root/.ssh

Reio
Re: Dovecot replication and userdb "noreplicate".
On 22.6.2019 22.00, Reio Remma via dovecot wrote:
> Hello!
>
> I finally took the time and spent two days to set up replication for
> my server and now I have a question or two.
>
> I initially set noreplicate userdb field to 1 for all but a test user,
> but I could still see in the logs that all mailboxes were trying to
> connect to the other server via SSH. Is that normal?
>
> Jun 22 16:55:22 host dovecot: dsync-local(u...@host.ee)<>: Error:
> Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l
> vmail backup.host.ee doveadm dsync-server -D -u u...@host.ee
>
> Then I ended up setting mail_replica in userdb for only my test user,
> but I could still see in the logs that it was trying to sync the
> others as well, despite mail_replica being 0 for the rest.
>
> Jun 22 20:52:59 host dovecot: doveadm(u...@host.ee): Fatal: -N
> parameter requires syncing with remote host
>
> I also notice (and read from recent posts) that sieve script
> replication doesn't work at all.
>
> Dovecot v2.3.6 and Pigeonhole from the official Dovecot CentOS repo.
>
> Thanks,
> Reio
> PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun
> as usual. :)

Hi!

We are fixing this in 2.3.7, noreplicate works but causes errors. You can try https://github.com/dovecot/core/compare/6d5b4b5%5E..93945ec.patch if you are compiling yourself.

Dovecot under selinux works, as long as you do it the way the policy writer intended, see https://linux.die.net/man/8/dovecot_selinux

Aki
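The three replication errors quoted across this thread (the ssh remote command failing, the "-N parameter requires syncing" fatal for users without mail_replica, and doveadm trying to create /root/.ssh) can be picked out of maillog with a small triage check. This is an added example, not code from the thread or from Dovecot; the hosts, users and paths in the sample log are constructed placeholders, and the hints are the causes the thread itself arrives at.

```python
import re

# Syslog-style Dovecot line: "<ts> <host> dovecot: <proc>[(user)][<session>]: <Level>: <msg>"
# e.g. "Aug  6 22:25:59 turin dovecot: doveadm: Error: Could not create directory '/root/.ssh'."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) dovecot: "
    r"(?P<proc>[\w-]+)(?:\((?P<user>[^)]*)\))?(?:<[^>]*>)?: "
    r"(?P<level>Error|Fatal|Warning|Info): (?P<msg>.*)$"
)

# Signatures of the three replication errors quoted in the thread, with the fix the thread gives.
SIGNATURES = (
    (re.compile(r"Remote command returned error \d+"), "remote-cmd-failed",
     "dsync_remote_cmd ssh failed: check key, known_hosts and the SELinux rules for dovecot_t"),
    (re.compile(r"-N parameter requires syncing with remote host"), "noreplicate-bug",
     "user without mail_replica still scheduled by replicator (fixed in Dovecot 2.3.7)"),
    (re.compile(r"Could not create directory '/root/\.ssh'"), "doveadm-runs-as-root",
     "doveadm starts ssh as root: set 'service doveadm { user = vmail }'"),
)

def parse_line(line):
    """Split one Dovecot syslog line into its fields; None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(line):
    """Return {user, proc, code, hint} for an Error/Fatal line, or None otherwise."""
    rec = parse_line(line)
    if rec is None or rec["level"] not in ("Error", "Fatal"):
        return None
    for pat, code, hint in SIGNATURES:
        if pat.search(rec["msg"]):
            return {"user": rec["user"], "proc": rec["proc"], "code": code, "hint": hint}
    return {"user": rec["user"], "proc": rec["proc"], "code": "other", "hint": rec["msg"]}

def summarize(log):
    """Count error classes over a whole log text."""
    counts = {}
    for r in filter(None, map(classify, log.splitlines())):
        counts[r["code"]] = counts.get(r["code"], 0) + 1
    return counts

# Constructed sample log modelled on the lines quoted in the thread (placeholder users/hosts).
SAMPLE_LOG = """\
Jun 22 16:55:22 mx1 dovecot: dsync-local(alice@example.test)<>: Error: Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l vmail backup.example.test doveadm dsync-server -D -u alice@example.test
Jun 22 20:52:59 mx1 dovecot: doveadm(bob@example.test): Fatal: -N parameter requires syncing with remote host
Aug  6 22:25:59 mx1 dovecot: doveadm: Error: Could not create directory '/root/.ssh'.
Aug  6 22:26:00 mx1 dovecot: replicator: Info: replication finished
"""
```

Running `summarize(SAMPLE_LOG)` yields one hit per class and ignores the Info line; a cron job feeding it the real maillog is enough to notice when the "Could not create directory" error reappears after a config change.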