* Timo Sirainen <tss at iki.fi> 2015.08.25 17:28:

> >> ==> /var/log/dovecot/dovecot.log <==
> >> Aug 25 09:42:07 nihlus dovecot: imap(tlx at leuxner.net): Error: net_connect_unix(/var/run/dovecot/imap-hibernate) failed: Permission denied
> >> Aug 25 09:42:07 nihlus dovecot: imap(tlx at leuxner.net): Error: Couldn't hibernate imap client: Couldn't export state: Virtual mailboxes have no GUIDs

Those are completely gone with the latest two commits. I was expecting the permission error to fire up. It seems a bit too quiet. If it works would it spawn a hibernate-process? It looks so from the service section, but I don't see any "hibernate" processes active.

> > 'chmod 666' mitigates the permission issue on the socket. However it seems to have other issues then:
>
> You can also change the unix_listener { user, group, mode } as needed for different services (imap, imap-hibernate). http://wiki2.dovecot.org/Services has some more info.

$ doveconf -a | grep -A 20 'service imap-hibernate'
service imap-hibernate {
[...]
  unix_listener imap-hibernate {
    group =
    mode = 0600
    user =
  }
  user = $default_internal_user

The question is what user it should be - or what user it should match in case several users come into play. With the standard setting $default_internal_user as above it does not work out of the box (at least with my config).

Regards
Thomas
> On 25 Aug 2015, at 20:55, Thomas Leuxner <tlx at leuxner.net> wrote:
>
> * Timo Sirainen <tss at iki.fi> 2015.08.25 17:28:
>
>>>> ==> /var/log/dovecot/dovecot.log <==
>>>> Aug 25 09:42:07 nihlus dovecot: imap(tlx at leuxner.net): Error: net_connect_unix(/var/run/dovecot/imap-hibernate) failed: Permission denied
>>>> Aug 25 09:42:07 nihlus dovecot: imap(tlx at leuxner.net): Error: Couldn't hibernate imap client: Couldn't export state: Virtual mailboxes have no GUIDs
>
> Those are completely gone with the latest two commits. I was expecting the permission error to fire up. It seems a bit too quiet. If it works would it spawn a hibernate-process? It looks so from the service section, but I don't see any "hibernate" processes active.

It no longer logs an error if the selected mailbox is virtual. It simply doesn't start up the hibernate process. If you set mail_debug=yes it'll log why it won't start the hibernation. Also just committed a change that logs the mailbox name.

>>> 'chmod 666' mitigates the permission issue on the socket. However it seems to have other issues then:
>>
>> You can also change the unix_listener { user, group, mode } as needed for different services (imap, imap-hibernate). http://wiki2.dovecot.org/Services has some more info.
>
> $ doveconf -a | grep -A 20 'service imap-hibernate'
> service imap-hibernate {
> [...]
>   unix_listener imap-hibernate {
>     group =
>     mode = 0600
>     user =
>   }
>   user = $default_internal_user
>
> The question is what user it should be - or what user it should match in case several users come into play. With the standard setting $default_internal_user as above it does not work out of the box (at least with my config).

There's no good default setting here. It depends on your userdb settings and/or mail_uid setting. So for example if your imap processes are running as vmail user, you should set service imap-hibernate { unix_listener imap-hibernate { user = vmail } }. Then again if you are using system users (or otherwise multiple UIDs) it gets more difficult to implement this securely (mode=0666 works always, but security isn't too good). This same problem exists for various other parts of Dovecot, for example indexer-worker and dict services.
* Timo Sirainen <tss at iki.fi> 2015.08.25 22:21:

> There's no good default setting here. It depends on your userdb settings and/or mail_uid setting. So for example if your imap processes are running as vmail user, you should set service imap-hibernate { unix_listener imap-hibernate { user = vmail } }. Then again if you are using system users (or otherwise multiple UIDs) it gets more difficult to implement this securely (mode=0666 works always, but security isn't too good). This same problem exists for various other parts of Dovecot, for example indexer-worker and dict services.

I have it working (I guess) with these user settings (virtual users using 'vmail'):

service imap-hibernate {
  unix_listener imap-hibernate {
    user = vmail
  }
}

I had to assign the imap-master socket the user the imap-hibernate process is using to avoid messages like this:

Aug 25 23:16:02 nihlus dovecot: imap-hibernate(tlx at leuxner.net): Error: net_connect_unix(/var/run/dovecot/imap-master) failed: Permission denied
Aug 25 23:16:02 nihlus dovecot: imap-hibernate(tlx at leuxner.net): Failed to connect to master socket in=126 out=944 hdr=0 body=0 del=0 exp=0 trash=0

service imap {
  unix_listener imap-master {
    user = dovecot
  }
}

With this I see messages like this in the logs:

Aug 26 09:48:06 nihlus dovecot: imap-hibernate(tlx at leuxner.net): Connection closed in=189 out=4252 hdr=0 body=0 del=0 exp=0 trash=0
Aug 26 12:20:29 nihlus dovecot: imap-hibernate(tlx at leuxner.net): Connection closed in=109 out=4714 hdr=0 body=0 del=0 exp=0 trash=0

I'm a bit puzzled as to when hibernate actually kicks in because most of the time I see normal imap processes running without them being hibernated:

$ ps aux | grep dovecot/imap
dovenull  6791  0.0  0.0  18196  4772 ?  S  06:39  0:00 dovecot/imap-login
dovenull  7107  0.0  0.0  18196  4736 ?  S  08:00  0:00 dovecot/imap-login
dovenull  7112  0.0  0.0  18332  4492 ?  S  08:00  0:00 dovecot/imap-login
dovenull  7333  0.0  0.0  18332  4772 ?  S  08:45  0:00 dovecot/imap-login
dovenull  7675  0.0  0.0  18196  4628 ?  S  10:13  0:00 dovecot/imap-login
dovenull  7677  0.0  0.0  18332  4532 ?  S  10:14  0:00 dovecot/imap-login
dovenull  7821  0.0  0.0  18196  4532 ?  S  10:44  0:00 dovecot/imap-login
dovenull  8156  0.0  0.0  18196  4756 ?  S  12:01  0:00 dovecot/imap-login
vmail     8157  0.0  0.0  45624  9608 ?  S  12:01  0:00 dovecot/imap
dovenull  8158  0.0  0.0  18332  4628 ?  S  12:01  0:00 dovecot/imap-login
vmail     8159  0.0  0.0  44772  9256 ?  S  12:01  0:00 dovecot/imap
dovenull  8160  0.0  0.0  18196  4652 ?  S  12:01  0:00 dovecot/imap-login
vmail     8161  0.0  0.0  46072  9760 ?  S  12:01  0:00 dovecot/imap
dovenull  8162  0.0  0.0  18196  4548 ?  S  12:01  0:00 dovecot/imap-login
dovenull  8279  0.0  0.0  18332  4736 ?  S  12:22  0:00 dovecot/imap-login
vmail     8280  0.0  0.0  40712  5164 ?  S  12:22  0:00 dovecot/imap
dovenull  8341  0.0  0.0  18196  4740 ?  S  12:25  0:00 dovecot/imap-login
vmail     8344  0.0  0.0  46312 10568 ?  S  12:25  0:00 dovecot/imap
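
Added example (not part of the thread and not Dovecot code): a Python audit of unix_listener settings in doveconf-style text, classifying the imap-hibernate and imap-master sockets for the process users named in the thread (imap as vmail, imap-hibernate as dovecot). The config text is constructed, the function names are hypothetical, group-based access is not modelled, and an unset mode is assumed to be 0600 as in the doveconf output quoted above.

```python
import re

# Constructed doveconf-style text; the %s slots let the same layout be audited
# with the 'chmod 666' workaround and with the owners used in the thread.
TEMPLATE = """service imap-hibernate {
  unix_listener imap-hibernate {
    mode = %s
    user = %s
  }
}
service imap {
  unix_listener imap-master {
    mode = 0600
    user = %s
  }
}
"""
WEAK = TEMPLATE % ("0666", "", "")
FIXED = TEMPLATE % ("0600", "vmail", "dovecot")
# Process user that has to connect to each socket (taken from the thread).
CLIENTS = {"imap-hibernate": "vmail", "imap-master": "dovecot"}

def parse_listeners(text):
    """Return {listener_name: {key: value}} for every unix_listener block."""
    listeners, stack = {}, []
    for line in map(str.strip, text.splitlines()):
        opened = re.match(r"(\w+)(?:\s+(\S+))?\s*\{$", line)
        if opened:
            stack.append(opened.groups())
            if opened.group(1) == "unix_listener":
                listeners[opened.group(2)] = {}
        elif line == "}" and stack:
            stack.pop()
        elif "=" in line and stack and stack[-1][0] == "unix_listener":
            key, _, value = line.partition("=")
            listeners[stack[-1][1]][key.strip()] = value.strip()
    return listeners

def classify(settings, client_user):
    """Connecting to a Unix socket needs write permission on the socket file."""
    mode = int(settings.get("mode") or "0600", 8)  # assumed default, see lead-in
    if mode & 0o002:
        return "world-writable"   # every local account can connect
    if settings.get("user") == client_user and mode & 0o200:
        return "owner-only"       # only the intended process user can connect
    return "denied"               # the 'Permission denied' case in the logs

def audit(text):
    return {n: classify(s, CLIENTS[n]) for n, s in parse_listeners(text).items() if n in CLIENTS}
```

`audit(WEAK)` reports imap-hibernate as world-writable and imap-master as denied; `audit(FIXED)` reports both as owner-only. To run it against a live server, pass it the output of `doveconf -a`.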