Re: Properly locking a useraccount (on a proxy)

2014-10-24 Thread Timo Sirainen
On 21 Oct 2014, at 11:27, Ralf Hildebrandt r...@sys4.de wrote:

 But how can I lock a user during migration?
 
 The plan is:
 
 
 * lock the user
 * kick the user (doveadm kick)
 * migrate mailbox (some rsync magic)
 * unlock the user again

Alternative is to use doveadm sync and you don't necessarily even need to 
lock anything at all.

 But how would I lock the user?
 
 What locking needs to achieve:
 
 1) Disallow IMAP/POP login (that's easy!)

Yeah, many ways.

 2) defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)

 - LMTP proxy does a passdb lookup. I'm not sure if there's any good way to 
fail in here. I was planning to suggest allow_nets=0.0.0.0/32 but looks like 
LMTP proxying just ignores that. Fixed now: 
http://hg.dovecot.org/dovecot-2.2/rev/3a8b417b0b80

 - LMTP backend does a userdb lookup. Userdb lookup can return either user 
doesn't exist or temporary failure. Nothing else. You can have it return a 
temporary failure by having it return tempfail extra field.


Re: Properly locking a useraccount (on a proxy)

2014-10-22 Thread Ralf Hildebrandt
* Benny Pedersen dovecot@dovecot.org:
 
 for the locked user. But I'm lazy and would prefer a single place /
 a single query to lock the account
 
 Setup postfix to check the recipient account is active, then set a
 temp new password while move mail to the new server, when it's done
 change password back to user, and setup postfix to know it's active
 again

See my lazy comment above. 

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein


Re: Properly locking a useraccount (on a proxy)

2014-10-22 Thread Benny Pedersen

On October 22, 2014 2:22:52 PM Ralf Hildebrandt r...@sys4.de wrote:


* Benny Pedersen dovecot@dovecot.org:


Not my domain :)


See my lazy comment above.


If active state 2, then update postfix maps to query this, with a key 
result of defer if permit :)


And dovecot auth to include active 1 or 2, then you manage the sql data in 
one place


Re: Properly locking a useraccount (on a proxy)

2014-10-21 Thread Ralf Hildebrandt
* Ralf Hildebrandt r...@sys4.de:

 2) defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)

I could of course put a mysql: query into postfix which would return 

user@domain retry:

for the locked user. But I'm lazy and would prefer a single place /
a single query to lock the account



Re: Properly locking a useraccount (on a proxy)

2014-10-21 Thread Urban Loesch

Hi,

On 21.10.2014 20:37, Ralf Hildebrandt wrote:

* Ralf Hildebrandt r...@sys4.de:


2) defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)


I could of course put a mysql: query into postfix which would return

user@domain retry:

for the locked user. But I'm lazy and would prefer a single place /
a single query to lock the account



Why do you not put the mails on hold in some frontend postfix queue (I 
think you have) with a check_recipient_access table? We did that during 
our last migration from an old CGP system.


Ok, it's not the elegant way but for us it worked.


Re: Properly locking a useraccount (on a proxy)

2014-10-21 Thread Robert Schetterer
On 21.10.2014 at 20:37, Ralf Hildebrandt wrote:
 * Ralf Hildebrandt r...@sys4.de:
 
 2) defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)
 
 I could of course put a mysql: query into postfix which would return 
 
 user@domain retry:
 
 for the locked user. But I'm lazy and would prefer a single place /
 a single query to lock the account
 

in sql postfixadmin schema there is an active flag 0 vs 1 per user

smtpd_recipient_restrictions = reject_unknown_recipient_domain,
   reject_non_fqdn_recipient,
   permit_mynetworks,
   check_recipient_access mysql:/etc/postfix/mysql_virtual_inactive_mailaddress.cf

I configured it as

query = SELECT CONCAT('REJECT mailaddress %s is set in inactive mode')
   address FROM mailbox WHERE username='%s' AND active = '0'

you may use not REJECT but

http://www.postfix.org/access.5.html

421 text (Postfix 2.3 and later) which is tmp error

dovecot side may look like this

 /etc/dovecot/dovecot-sql.conf.ext

password_query = SELECT username as user, password, \
1001 as userdb_uid, \
1001 as userdb_gid, \
'/usr/local/virtual/%d/%u/' AS userdb_home, \
'maildir:/usr/local/virtual/%d/%u/' AS userdb_mail \
FROM mailbox WHERE username = '%u' AND active = '1'

but to be honest, it's a long time ago I tested this feature, and in real
world nobody seems to use active settings

however perhaps you can adapt this idea to fit in your setup somehow


Best Regards
Kind regards, Robert Schetterer



Re: Properly locking a useraccount (on a proxy)

2014-10-21 Thread Benny Pedersen



for the locked user. But I'm lazy and would prefer a single place /
a single query to lock the account


Setup postfix to check the recipient account is active, then set a temp new 
password while move mail to the new server, when it's done change password 
back to user, and setup postfix to know it's active again
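
Added example, not code from any poster in this thread: a Python/sqlite3 model of the "single place to lock" idea discussed above, where one `active` column decides Postfix's check_recipient_access answer, Dovecot's password_query result and a userdb `tempfail` field. The table and column names follow the postfixadmin-style schema quoted in the thread; the value 2 for "locked for migration", the message texts, the `user_query` shape and the sample rows are assumptions.

```python
import sqlite3

# Queries written as they might appear in the Postfix mysql map and in
# dovecot-sql.conf.ext (assumed shapes); %s / %u are the lookup-key placeholders.
POSTFIX_ACCESS = """SELECT CASE active
    WHEN 2 THEN 'DEFER_IF_PERMIT mailbox is being migrated'
    ELSE 'REJECT mailbox is inactive' END
  FROM mailbox WHERE username = '%s' AND active <> 1"""
DOVECOT_PASSWORD = """SELECT username AS user, password
  FROM mailbox WHERE username = '%u' AND active = 1"""
# A NULL tempfail is assumed to count as "field not set".
DOVECOT_USER = """SELECT CASE WHEN active = 2 THEN 'y' END AS tempfail
  FROM mailbox WHERE username = '%u' AND active <> 0"""

def lookup(db, query, key):
    """Bind the lookup key safely and return the first row, or None."""
    bound = query.replace("'%s'", "?").replace("'%u'", "?")
    return db.execute(bound, (key,)).fetchone()

def make_db():
    """Constructed sample data: one row per account state."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mailbox "
               "(username TEXT PRIMARY KEY, password TEXT, active INT)")
    db.executemany("INSERT INTO mailbox VALUES (?, ?, ?)", [
        ("alice@example.org", "constructed-hash", 1),  # normal
        ("bob@example.org",   "constructed-hash", 2),  # locked for migration
        ("carol@example.org", "constructed-hash", 0),  # disabled
    ])
    return db

def state(db, user):
    """What each component would decide for one address."""
    access = lookup(db, POSTFIX_ACCESS, user)
    userdb = lookup(db, DOVECOT_USER, user)
    if userdb is None:
        lmtp = "unknown user"
    else:
        lmtp = "tempfail" if userdb[0] else "deliver"
    return {
        "smtp": access[0].split()[0] if access else "no match",
        "login": lookup(db, DOVECOT_PASSWORD, user) is not None,
        "lmtp": lmtp,
    }

if __name__ == "__main__":
    db = make_db()
    for u in ("alice@example.org", "bob@example.org", "carol@example.org"):
        print(u, state(db, u))
```

Flipping `active` from 1 to 2 and back is then the whole lock/unlock step; already-open IMAP/POP sessions still need `doveadm kick`, as in the plan at the top of the thread.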