I'm preparing a migration of several mailboxes to another machine. The different user accounts are distributed to different backend machines by means of a dovecot LMTP/IMAP/POP proxy. Proxying is working really well (now that the kernel does as it should).

But how can I "lock" a user during migration?

The plan is:
===========

* lock the user
* kick the user (doveadm kick)
* migrate mailbox (some rsync magic)
* unlock the user again

But how would I lock the user?

What locking needs to achieve:

1) Disallow IMAP/POP login (that's easy!)
2) defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)

Because currently, we're seeing dovecot trying local delivery on the proxy machine once an account is locked (probably because LMTP proxying uses passdb lookups, and since that one is failing it's using the userdb lookup?):

Oct 21 20:15:27 lmtp(87892): Error: user sys4 at test.invalid: Initialization failed: Namespace '': mkdir(/var/mail/test.invalid/sys4/mdbox/mailboxes) failed: Permission denied (euid=10000(vmail) egid=10000(vmail) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775)

Admittedly, this is somehow working. But it's not very elegant to use a side-effect. Is there a reserved userdb/passwd return value which will let dovecot "tempfail" in an elegant fashion?

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein

* Ralf Hildebrandt <r at sys4.de>:

> 2) defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)

I could of course put a mysql: query into postfix which would return user at domain retry: for the "locked" user. But I'm lazy and would prefer a single place / a single query to lock the account.

On 21 Oct 2014, at 11:27, Ralf Hildebrandt <r at sys4.de> wrote:

> But how can I "lock" a user during migration?
>
> The plan is:
> ===========
>
> * lock the user
> * kick the user (doveadm kick)
> * migrate mailbox (some rsync magic)
> * unlock the user again

Alternative is to use "doveadm sync" and you don't necessarily even need to lock anything at all.

> But how would I lock the user?
>
> What locking needs to achieve:
>
> 1) Disallow IMAP/POP login (that's easy!)

Yeah, many ways.

> 2) defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)

- LMTP proxy does a passdb lookup. I'm not sure if there's any good way to fail in here. I was planning to suggest allow_nets=0.0.0.0/32 but looks like LMTP proxying just ignores that. Fixed now: http://hg.dovecot.org/dovecot-2.2/rev/3a8b417b0b80

- LMTP backend does a userdb lookup. Userdb lookup can return either "user doesn't exist" or "temporary failure". Nothing else. You can have it return a temporary failure by having it return "tempfail" extra field.
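
The lock / kick / rsync / unlock plan from the thread, written out as a shell function that unlocks on every exit path. This is an added example, not code from either poster or from Dovecot. It assumes a hypothetical MySQL database "mail" with a "users" table whose "locked" column makes the backend userdb lookup return the "tempfail" extra field; set_lock and migrate_user are illustrative names.

```sh
#!/bin/sh
# Added example, not from the thread. Assumptions (hypothetical): MySQL database
# "mail", table "users", column "locked"; the backend userdb query is assumed to
# return the "tempfail" extra field while locked = 1, so LMTP delivery is deferred.

set_lock() {  # usage: set_lock USER 0|1
    mysql mail -e "UPDATE users SET locked = $2 WHERE userid = '$1'"
}

migrate_user() {  # usage: migrate_user USER SRC_DIR RSYNC_DEST
    user=$1 src=$2 dest=$3
    # USER is interpolated into SQL above, so accept only a strict character set.
    case $user in
        ''|*[!A-Za-z0-9._@-]*)
            echo "refusing user name: $user" >&2
            return 2 ;;
    esac

    set_lock "$user" 1 || return 1   # lock first; if that fails, touch nothing
    rc=0
    # Drop existing IMAP/POP3 sessions; a failure here skips the copy.
    doveadm kick "$user" || rc=$?
    if [ "$rc" -eq 0 ]; then
        rsync -a --delete "$src/" "$dest/" || rc=$?
    fi
    # Unlock on every path so a failed copy does not leave the account deferred.
    if ! set_lock "$user" 0; then
        echo "UNLOCK FAILED for $user, clear the flag by hand" >&2
        [ "$rc" -ne 0 ] || rc=1
    fi
    return "$rc"
}

# Stand-alone use: sh migrate.sh --run USER SRC_DIR RSYNC_DEST
if [ "${1:-}" = "--run" ]; then
    shift
    migrate_user "$@"
fi
```

The thread's plan has no step for repointing the proxy at the new backend; in practice that change belongs between the rsync and the unlock.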