Re: Properly locking a useraccount (on a proxy)
On 21 Oct 2014, at 11:27, Ralf Hildebrandt r...@sys4.de wrote:

> But how can I lock a user during migration? The plan is:
> * lock the user
> * kick the user (doveadm kick)
> * migrate mailbox (some rsync magic)
> * unlock the user again

Alternative is to use doveadm sync and you don't necessarily even need to lock anything at all.

> But how would I lock the user? What locking needs to achieve:
> 1) Disallow IMAP/POP login (that's easy!)

Yeah, many ways.

> 2) defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)

- LMTP proxy does a passdb lookup. I'm not sure if there's any good way to fail in here. I was planning to suggest allow_nets=0.0.0.0/32 but looks like LMTP proxying just ignores that. Fixed now: http://hg.dovecot.org/dovecot-2.2/rev/3a8b417b0b80

- LMTP backend does a userdb lookup. Userdb lookup can return either user doesn't exist or temporary failure. Nothing else. You can have it return a temporary failure by having it return tempfail extra field.
Re: Properly locking a useraccount (on a proxy)
* Benny Pedersen dovecot@dovecot.org:

> > for the locked user. But I'm lazy and would prefer a single place / a single query to lock the account
>
> Setup postfix to check the recipient account is active, then set a temp new password while move mail to the new server, when it's done change password back to user, and setup postfix to know it's active again

See my lazy comment above.

-- 
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: Properly locking a useraccount (on a proxy)
On October 22, 2014 2:22:52 PM Ralf Hildebrandt r...@sys4.de wrote:

> * Benny Pedersen dovecot@dovecot.org:

Not my domain :)

> See my lazy comment above.

If active state 2, then update postfix maps to query this, with a key result of defer if permit :)

And dovecot auth to include active 1 or 2, then you manage the sql data in one place
Re: Properly locking a useraccount (on a proxy)
* Ralf Hildebrandt r...@sys4.de:

> 2) defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)

I could of course put a mysql: query into postfix which would return user@domain retry: for the locked user. But I'm lazy and would prefer a single place / a single query to lock the account
Re: Properly locking a useraccount (on a proxy)
Hi,

On 21.10.2014 20:37, Ralf Hildebrandt wrote:

> * Ralf Hildebrandt r...@sys4.de:
>
> > 2) defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)
>
> I could of course put a mysql: query into postfix which would return user@domain retry: for the locked user. But I'm lazy and would prefer a single place / a single query to lock the account

Why do you not put the mails on hold in some frontend postfix queue (I think you have) with a check_recipient_access table? We did that during our last migration from an old CGP system. Ok, it's not the elegant way but for us it worked.
Re: Properly locking a useraccount (on a proxy)
On 21.10.2014 at 20:37, Ralf Hildebrandt wrote:

> * Ralf Hildebrandt r...@sys4.de:
>
> > 2) defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)
>
> I could of course put a mysql: query into postfix which would return user@domain retry: for the locked user. But I'm lazy and would prefer a single place / a single query to lock the account

in sql postfixadmin schema there is an active flag 0 vs 1 per user

    smtpd_recipient_restrictions =
        reject_unknown_recipient_domain,
        reject_non_fqdn_recipient,
        permit_mynetworks,
        check_recipient_access mysql:/etc/postfix/mysql_virtual_inactive_mailaddress.cf

I configured it as

    query = SELECT CONCAT('REJECT mailaddress %s is set in inactive mode') address FROM mailbox WHERE username='%s' AND active = '0'

you may use not REJECT but (see http://www.postfix.org/access.5.html)

    421 text (Postfix 2.3 and later)

which is tmp error

dovecot side may look like this

/etc/dovecot/dovecot-sql.conf.ext

    password_query = SELECT username as user, password, \
        1001 as userdb_uid, \
        1001 as userdb_gid, \
        '/usr/local/virtual/%d/%u/' AS userdb_home, \
        'maildir:/usr/local/virtual/%d/%u/' AS userdb_mail \
        FROM mailbox WHERE username = '%u' AND active = '1'

but to be honest, it's a long time ago I tested this feature, and in real world nobody seems to use active settings

however perhaps you can adapt this idea to fit in your setup somehow

Best Regards
Robert Schetterer
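An added configuration sketch, not taken from any poster's setup: it extends the `active` flag from the message above with the third state suggested elsewhere in the thread, so that one column in the `mailbox` table both refuses logins and defers incoming mail. The value `2` for "locked for migration" and the reply texts are assumptions; file paths, table and column names follow the queries in the message above.

```ini
# /etc/postfix/mysql_virtual_inactive_mailaddress.cf (query line only;
# connection settings stay as they are).
# Assumed states: 0 = disabled, 1 = active, 2 = locked for migration.
# DEFER_IF_PERMIT is an access(5) action: the client gets a 4xx reply and
# retries later. Active users return no row, so Postfix continues with the
# next restriction.
query = SELECT CASE active
                 WHEN '0' THEN 'REJECT mailbox is disabled'
                 WHEN '2' THEN 'DEFER_IF_PERMIT mailbox is being migrated, try again later'
               END
        FROM mailbox WHERE username = '%s' AND active IN ('0', '2')

# /etc/postfix/main.cf
# Restrictions are evaluated in order. With the lookup placed after
# permit_mynetworks, mail from clients in mynetworks is permitted before
# the lock is ever consulted, so the lookup is moved ahead of it here.
smtpd_recipient_restrictions =
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient,
    check_recipient_access mysql:/etc/postfix/mysql_virtual_inactive_mailaddress.cf,
    permit_mynetworks

# /etc/dovecot/dovecot-sql.conf.ext
# No change needed for logins: password_query matches only active = '1',
# so states 0 and 2 both fail the passdb lookup.
```

This only covers mail arriving over SMTP while the lock is set. Messages already in the Postfix queue are still handed to LMTP, which is the path the `tempfail` userdb field from the first reply addresses.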
Re: Properly locking a useraccount (on a proxy)
> for the locked user. But I'm lazy and would prefer a single place / a single query to lock the account

Setup postfix to check the recipient account is active, then set a temp new password while move mail to the new server, when it's done change password back to user, and setup postfix to know it's active again