dovecot - Aug 2015 - IMAP hibernate feature committed

* Timo Sirainen <tss at iki.fi> 2015.08.25 17:28:
> >> ==> /var/log/dovecot/dovecot.log <=> >> Aug 25
09:42:07 nihlus dovecot: imap(tlx at leuxner.net): Error:
net_connect_unix(/var/run/dovecot/imap-hibernate) failed: Permission denied
> >> Aug 25 09:42:07 nihlus dovecot: imap(tlx at leuxner.net): Error:
Couldn't hibernate imap client: Couldn't export state: Virtual mailboxes
have no GUIDs
Those are completely gone with the latest two commits. I was expecting the
permission error to fire up. It seems a bit too quite. If it works would it
spawn a hibernate-process? It looks so from the service section, but I don't
see any "hibernate" processes active.
> > 'chmod 666' mitigates the permission issue on the socket.
However it seems to have other issues then:
> 
> You can also change the unix_listener { user, group, mode } as needed for
different services (imap, imap-hibernate). http://wiki2.dovecot.org/Services has
some more info.
$ doveconf -a | grep -A 20 'service imap-hibernate'
service imap-hibernate {
  [?]
  unix_listener imap-hibernate {
    group = 
    mode = 0600
    user = 
  }
  user = $default_internal_user

The question is what user it should be - or what user it should match in case
several users come into play. With the standard setting $default_internal_user
as above it does not work out of the box (at least with my config).

Regards
Thomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20150825/3d2bc444/attachment.sig>

> On 25 Aug 2015, at 20:55, Thomas Leuxner <tlx at leuxner.net> wrote:
> 
> * Timo Sirainen <tss at iki.fi> 2015.08.25 17:28:
> 
>>>> ==> /var/log/dovecot/dovecot.log <=>>>> Aug
25 09:42:07 nihlus dovecot: imap(tlx at leuxner.net): Error:
net_connect_unix(/var/run/dovecot/imap-hibernate) failed: Permission denied
>>>> Aug 25 09:42:07 nihlus dovecot: imap(tlx at leuxner.net):
Error: Couldn't hibernate imap client: Couldn't export state: Virtual
mailboxes have no GUIDs
> 
> Those are completely gone with the latest two commits. I was expecting the
permission error to fire up. It seems a bit too quite. If it works would it
spawn a hibernate-process? It looks so from the service section, but I don't
see any "hibernate" processes active.
It no longer logs an error if the selected mailbox is virtual. It simply
doesn't start up the hibernate process. If you set mail_debug=yes it'll
log why it won't start the hibernation. Also just committed a change that
logs the mailbox name.
>>> 'chmod 666' mitigates the permission issue on the socket.
However it seems to have other issues then:
>> 
>> You can also change the unix_listener { user, group, mode } as needed
for different services (imap, imap-hibernate). http://wiki2.dovecot.org/Services
has some more info.
> 
> $ doveconf -a | grep -A 20 'service imap-hibernate'
> service imap-hibernate {
>  [?]
>  unix_listener imap-hibernate {
>    group = 
>    mode = 0600
>    user = 
>  }
>  user = $default_internal_user
> 
> The question is what user it should be - or what user it should match in
case several users come into play. With the standard setting
$default_internal_user as above it does not work out of the box (at least with
my config).
There's no good default setting here. It depends on your userdb settings
and/or mail_uid setting. So for example if your imap processes are running as
vmail user, you should set service imap-hibernate { unix_listener imap-hibernate
{ user = vmail } }. Then again if you are using system users (or otherwise
multiple UIDs) it gets more difficult to implement this securely (mode=0666
works always, but security isn't too good). This same problem exists for
various other parts of Dovecot, for example indexer-worker and dict services.

* Timo Sirainen <tss at iki.fi> 2015.08.25 22:21:
> There's no good default setting here. It depends on your userdb
settings and/or mail_uid setting. So for example if your imap processes are
running as vmail user, you should set service imap-hibernate { unix_listener
imap-hibernate { user = vmail } }. Then again if you are using system users (or
otherwise multiple UIDs) it gets more difficult to implement this securely
(mode=0666 works always, but security isn't too good). This same problem
exists for various other parts of Dovecot, for example indexer-worker and dict
services.
I have it working (I guess) with these user settings (virtual users using
'vmail'):

service imap-hibernate {
  unix_listener imap-hibernate {
    user = vmail
  }
}

I had to assign the imap-master socket the user the imap-hibernate process is
using to avoid messages like this:

Aug 25 23:16:02 nihlus dovecot: imap-hibernate(tlx at leuxner.net): Error:
net_connect_unix(/var/run/dovecot/imap-master) failed: Permission denied
Aug 25 23:16:02 nihlus dovecot: imap-hibernate(tlx at leuxner.net): Failed to
connect to master socket in=126 out=944 hdr=0 body=0 del=0 exp=0 trash=0

service imap {
  unix_listener imap-master {
    user = dovecot
  }
}

With this I see messages like this in the logs:

Aug 26 09:48:06 nihlus dovecot: imap-hibernate(tlx at leuxner.net): Connection
closed in=189 out=4252 hdr=0 body=0 del=0 exp=0 trash=0
Aug 26 12:20:29 nihlus dovecot: imap-hibernate(tlx at leuxner.net): Connection
closed in=109 out=4714 hdr=0 body=0 del=0 exp=0 trash=0

I'm a bit puzzled as to when hibernate actually kicks in because most of the
time I see normal imap processes running without them being hibernated:

$ ps aux | grep dovecot/imap
dovenull  6791  0.0  0.0  18196  4772 ?        S    06:39   0:00
dovecot/imap-login
dovenull  7107  0.0  0.0  18196  4736 ?        S    08:00   0:00
dovecot/imap-login
dovenull  7112  0.0  0.0  18332  4492 ?        S    08:00   0:00
dovecot/imap-login
dovenull  7333  0.0  0.0  18332  4772 ?        S    08:45   0:00
dovecot/imap-login
dovenull  7675  0.0  0.0  18196  4628 ?        S    10:13   0:00
dovecot/imap-login
dovenull  7677  0.0  0.0  18332  4532 ?        S    10:14   0:00
dovecot/imap-login
dovenull  7821  0.0  0.0  18196  4532 ?        S    10:44   0:00
dovecot/imap-login
dovenull  8156  0.0  0.0  18196  4756 ?        S    12:01   0:00
dovecot/imap-login
vmail     8157  0.0  0.0  45624  9608 ?        S    12:01   0:00 dovecot/imap
dovenull  8158  0.0  0.0  18332  4628 ?        S    12:01   0:00
dovecot/imap-login
vmail     8159  0.0  0.0  44772  9256 ?        S    12:01   0:00 dovecot/imap
dovenull  8160  0.0  0.0  18196  4652 ?        S    12:01   0:00
dovecot/imap-login
vmail     8161  0.0  0.0  46072  9760 ?        S    12:01   0:00 dovecot/imap
dovenull  8162  0.0  0.0  18196  4548 ?        S    12:01   0:00
dovecot/imap-login
dovenull  8279  0.0  0.0  18332  4736 ?        S    12:22   0:00
dovecot/imap-login
vmail     8280  0.0  0.0  40712  5164 ?        S    12:22   0:00 dovecot/imap
dovenull  8341  0.0  0.0  18196  4740 ?        S    12:25   0:00
dovecot/imap-login
vmail     8344  0.0  0.0  46312 10568 ?        S    12:25   0:00 dovecot/imap
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20150826/3e187723/attachment.sig>