On Wed, 30 Jul 2014, Jogi Hofmüller wrote:

>> Or better - disable LMTP service in Dovecot. Incoming mail will stay on
>> your MTA and when you're done, you just tell it to deliver everything
>> that piled up in the queue in the meantime
>
> Better but still not perfect ;) We have users that work late and I am
> sure they would complain when they don't receive email during migration
> nights.
>
> Still thinking ...

In your original post you wrote "While migrating a mailbox". So you migrate one user after another. Also, if you want to disable LMTP for that user, you want to disable IMAP and POP3, too, for the very same reason -> or at least put them in read-only mode.

1) So, IMHO, your goal is to make the mail storage of one user read-only. Experiment with ACLs. Make all the mailboxes of the user read-only. After migration remove the ACLs.

2) Make the mail storage inaccessible during backup for just one user:

How about adding another

userdb {
  driver = passwd-file
  args = /.../%s/file
}

as the first one, which disables the access to the one user's mail storage currently migrated. %s would be lmtp, imap, pop3 and doveadm, IMHO. Make sure doveadm sees no user in this userdb, but the others do, e.g. symlink the appropriate files and keep /.../doveadm/file zero-length, in order to fall back to LDAP always.

In short: doveadm must know the real path, all other services a faked one.

The migration of one user would be:

put user in /.../{imap,pop3,lmtp}/file   # or overwrite file with user
doveadm auth cache flush                 # make sure the user info is not cached already
migrate
remove user from /.../file

a)
Besides the %s-way, there must be a way to have doveadm override the settings in:

userdb {
  driver = passwd-file
  args = /.../file
}

in the line of:

doveadm -o userdb[*]/args=/dev/null ....

[*] IMHO you can specify which userdb section is meant by a number or something like that.

b)
Instead of putting/removing the user, you can overwrite the file, if there is just one user, and remove the file at the very end.

-- 
Steffen Kaiser
On Thu, 31 Jul 2014, Steffen Kaiser wrote:

> On Wed, 30 Jul 2014, Jogi Hofmüller wrote:
>
>>> Or better - disable LMTP service in Dovecot. Incoming mail will stay on
>>> your MTA and when you're done, you just tell it to deliver everything
>>> that piled up in the queue in the meantime
>>
>> Better but still not perfect ;) We have users that work late and I am
>> sure they would complain when they don't receive email during migration
>> nights.
>>
>> Still thinking ...
>
> In your original post you wrote "While migrating a mailbox". So you
> migrate one user after another. Also, if you want to disable LMTP for that
> user, you want to disable IMAP and POP3, too, for the very same reason ->
> or at least put them in read-only mode.
>
> 1) So, IMHO, your goal is to make the mail storage of one user read-only.
> Experiment with ACLs. Make all the mailboxes of the user read-only. After
> migration remove the ACLs.
>
> 2) Make the mail storage inaccessible during backup for just one user:
>
> How about adding another
>
> userdb {
>   driver = passwd-file
>   args = /.../%s/file
> }
>
> as the first one, which disables the access to the one user's mail
> storage currently migrated. %s would be lmtp, imap, pop3 and doveadm,
> IMHO. Make sure doveadm sees no user in this userdb, but the others do,
> e.g. symlink the appropriate files and keep /.../doveadm/file
> zero-length, in order to fall back to LDAP always.
>
> In short: doveadm must know the real path, all other services a faked one.
>
> The migration of one user would be:
>
> put user in /.../{imap,pop3,lmtp}/file   # or overwrite file with user
> doveadm auth cache flush                 # make sure the user info is not cached already
> migrate
> remove user from /.../file
>
> a)
> Besides the %s-way, there must be a way to have doveadm override the
> settings in:
>
> userdb {
>   driver = passwd-file
>   args = /.../file
> }
>
> in the line of:
>
> doveadm -o userdb[*]/args=/dev/null ....
>
> [*] IMHO you can specify which userdb section is meant by a number or
> something like that.
>
> b)
> Instead of putting/removing the user, you can overwrite the file, if there is
> just one user, and remove the file at the very end.

Maybe you need no other userdb, but you can make use of %s in your LDAP userdb filter, e.g.

user_filter = (&(objectClass=posixAccount)(uid=%u)(!(deniedService=%Ls)))

However, you must test whether Dovecot's auth caching honors the different values of %s in this case. I mean, if doveadm queries the user data, the result will be cached; if the LMTP service queries next, does it get the result of doveadm or not? I suppose this applies to both variants.

-- 
Steffen Kaiser
Dear Steffen,

Finally managed to test your suggestions ...

On 2014-07-31 09:11, Steffen Kaiser wrote:
> On Thu, 31 Jul 2014, Steffen Kaiser wrote:
>> How about adding another
>>
>> userdb {
>>   driver = passwd-file
>>   args = /.../%s/file
>> }
>>
>> as the first one, which disables the access to the one user's mail
>> storage currently migrated. %s would be lmtp, imap, pop3 and doveadm,
>> IMHO. Make sure doveadm sees no user in this userdb, but the others do,
>> e.g. symlink the appropriate files and keep /.../doveadm/file
>> zero-length, in order to fall back to LDAP always.

I tried that now and did not get any useful results; meaning that I did not manage to block a user from using any of the services. While imap acknowledges finding the user in said file, lmtp doesn't even bother to look there. Both services however continue to work. I tried various return values for the userdb lookup but lmtp just seems to ignore everything.

imap can be disabled easily by means of a passdb that has deny = yes set.

This is really starting to drive me mad ...

>> a)
>> Besides the %s-way, there must be a way to have doveadm override the
>> settings in:
>
>> userdb {
>>   driver = passwd-file
>>   args = /.../file
>> }
>
>> in the line of:
>> doveadm -o userdb[*]/args=/dev/null ....

Quite frankly I don't fully understand what you mean by this.

> Maybe you need no other userdb, but you can make use of %s in your
> LDAP userdb filter, e.g.
>
> user_filter = (&(objectClass=posixAccount)(uid=%u)(!(deniedService=%Ls)))

Didn't try that one since I figure if passwd-file does not work why should LDAP work?

Thanks for your suggestions anyway :)

Cheers,
-- 
j.hofmüller

We are all idiots with deadlines. - Mike West
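The per-user lock-out that Steffen sketches above and Jogi tests, written out as a shell helper. This is an added example; it is not code from the thread or from the Dovecot project. It assumes a deny passdb of the form passdb { driver = passwd-file; deny = yes; args = /etc/dovecot/deny/%s } in dovecot.conf, where the /etc/dovecot/deny directory and the DENY_DIR/DOVEADM variables are assumptions of this example. Dovecot expands %s in the passwd-file path to the service name, so imap and pop3 each read their own list while the doveadm file is kept empty and doveadm keeps working. Note the limit that Jogi ran into: a passdb is only consulted for authentication, and LMTP and doveadm do userdb lookups only, so this stops IMAP and POP3 logins but does not hold delivery; incoming mail still has to be parked elsewhere, e.g. in the MTA queue as suggested at the top of the thread. The migration command itself is supplied by the caller; the script does not assume any particular doveadm invocation.

```shell
#!/bin/sh
# Added example, not from the thread or the Dovecot project.
# Assumed passdb in dovecot.conf (the deny/ directory is an assumption):
#
#   passdb {
#     driver = passwd-file
#     deny   = yes
#     args   = /etc/dovecot/deny/%s
#   }
#
# Dovecot expands %s in the passwd-file path to the service name, so imap
# and pop3 each read their own list while /etc/dovecot/deny/doveadm stays
# empty and doveadm keeps working.  LMTP and doveadm never consult a passdb
# (they do userdb lookups only), so this does not hold delivery.
set -eu

DENY_DIR="${DENY_DIR:-/etc/dovecot/deny}"   # assumed location
DOVEADM="${DOVEADM:-doveadm}"                # overridable, e.g. DOVEADM=true for a dry run
DENIED_SERVICES="imap pop3"                  # services that authenticate via the passdb

# A deny passdb only needs the username on each line (passwd-file format is
# user:password:uid:gid:gecos:home:shell:extra; the other fields may be empty).
deny_user() {                                # deny_user <user>
    mkdir -p "$DENY_DIR"
    for svc in $DENIED_SERVICES; do
        f="$DENY_DIR/$svc"
        touch "$f"
        grep -qxF -- "$1" "$f" || printf '%s\n' "$1" >> "$f"
    done
    : > "$DENY_DIR/doveadm"                  # doveadm must never be denied
    "$DOVEADM" auth cache flush "$1"         # drop any cached lookup for this user
}

allow_user() {                               # allow_user <user>
    for svc in $DENIED_SERVICES; do
        f="$DENY_DIR/$svc"
        [ -f "$f" ] || continue
        grep -vxF -- "$1" "$f" > "$f.tmp" || true   # grep exits 1 when nothing remains
        mv "$f.tmp" "$f"
    done
    "$DOVEADM" auth cache flush "$1"
}

is_denied() {                                # is_denied <user> <service>; exit 0 if listed
    grep -qxF -- "$1" "$DENY_DIR/$2" 2>/dev/null
}

# migrate_user <user> <command...>: deny logins, run "<command...> <user>",
# and re-allow the user even if the command fails.
migrate_user() {
    user=$1; shift
    deny_user "$user"
    trap 'allow_user "$user"' EXIT
    "$@" "$user"
    trap - EXIT
    allow_user "$user"
}

# Usage once the passdb above is in place (migrate-mailbox is a hypothetical
# site script that takes the user name as its only argument):
#   migrate_user alice /usr/local/sbin/migrate-mailbox
```

The doveadm cache flush is the step Steffen's procedure calls out: without it a lookup that was cached before the deny file changed would still let the user in. Whether a lookup is cached per service, which Steffen raises as the open question for the %s approach, is something to verify on the installation at hand.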