On 24.06.2019 8:21, Aki Tuomi wrote:
> On 22.6.2019 22.00, Reio Remma via dovecot wrote:
>> Hello!
>>
>> I finally took the time and spent two days to set up replication for
>> my server and now I have a question or two.
>>
>> I initially set noreplicate userdb field to 1 for all but a test user,
>> but I could still see in the logs that all mailboxes were trying to
>> connect to the other server via SSH. Is that normal?
>>
>> Jun 22 16:55:22 host dovecot: dsync-local(user@host.ee)<>: Error:
>> Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l
>> vmail backup.host.ee doveadm dsync-server -D -u user@host.ee
>>
>> Then I ended up setting mail_replica in userdb for only my test user,
>> but I could still see in the logs that it was trying to sync the
>> others as well, despite mail_replica being 0 for the rest.
>>
>> Jun 22 20:52:59 host dovecot: doveadm(user@host.ee): Fatal: -N
>> parameter requires syncing with remote host
>>
>> I also notice (and read from recent posts) that sieve script
>> replication doesn't work at all.
>>
>> Dovecot v2.3.6 and Pigeonhole from the official Dovecot CentOS repo.
>>
>> Thanks,
>> Reio
>> PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun
>> as usual. :)
>
> Hi!
>
> We are fixing this in 2.3.7, noreplicate works but causes errors. You
> can try
> https://github.com/dovecot/core/compare/6d5b4b5%5E..93945ec.patch if you
> are compiling yourself.
>
> Dovecot under selinux works, as long as you do it the way the policy
> writer intended, see https://linux.die.net/man/8/dovecot_selinux
>
> Aki

For replication over SSH I had to add the following module:

module selinux-dovecot-replication-ssh 1.0;

require {
        type ssh_exec_t;
        type ssh_home_t;
        type dovecot_t;
        class file { open read execute execute_no_trans };
        class dir { getattr search };
}

#============= dovecot_t =============
allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
allow dovecot_t ssh_home_t:dir { getattr search };
allow dovecot_t ssh_home_t:file { open read };

ssh_exec_t to allow Dovecot to use ssh executable in the first place
and ssh_home_t:dir + ssh_home_t:file for it to be able to read
known_hosts from /root/.ssh

Reio
On 24.06.2019 16:25, Reio Remma wrote:
> On 24.06.2019 8:21, Aki Tuomi wrote:
>> On 22.6.2019 22.00, Reio Remma via dovecot wrote:
>>> Jun 22 16:55:22 host dovecot: dsync-local(user@host.ee)<>: Error:
>>> Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l
>>> vmail backup.host.ee doveadm dsync-server -D -u user@host.ee
>>>
>>> PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun
>>> as usual. :)
>> Dovecot under selinux works, as long as you do it the way the policy
>> writer intended, see https://linux.die.net/man/8/dovecot_selinux
>>
>> Aki
>
> For replication over SSH I had to add the following module:
>
> module selinux-dovecot-replication-ssh 1.0;
>
> require {
>         type ssh_exec_t;
>         type ssh_home_t;
>         type dovecot_t;
>         class file { open read execute execute_no_trans };
>         class dir { getattr search };
> }
>
> #============= dovecot_t =============
> allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
> allow dovecot_t ssh_home_t:dir { getattr search };
> allow dovecot_t ssh_home_t:file { open read };
>
> ssh_exec_t to allow Dovecot to use ssh executable in the first place
> and ssh_home_t:dir + ssh_home_t:file for it to be able to read
> known_hosts from /root/.ssh
>
> Reio

To cut down on selinux exceptions I put the destination host in
/etc/ssh/ssh_known_hosts and dovecot successfully replicates, however
I get the following log entry for every replicator action:

Aug  6 22:25:59 turin dovecot: doveadm: Error: Could not create directory '/root/.ssh'.

Replication is set up with the user vmail (/home/vmail and SSH key in
/home/vmail/.ssh) and the minimum selinux rule to get Dovecot to read
the key is:

allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read };

Is there a way I can change from root to vmail user for creating the
SSH connection?

Doveconf below:

# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.1 (db5c74be)
# OS: Linux 4.4.186-1.el7.elrepo.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core)
# Hostname: turin.mrstuudio.ee
doveadm_api_key = # hidden, use -P to show it
dsync_remote_cmd = ssh -i /home/vmail/.ssh/vmail.pem -l %{login} %{host} doveadm dsync-server -u %u
mail_gid = vmail
mail_home = /home/vmail/%d/%n
mail_location = maildir:~/Maildir
mail_log_prefix = "%s(%u): "
mail_plugins = quota notify replication
mail_uid = vmail
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location
  mailbox "Deleted Messages" {
    auto = no
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = no
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = no
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  mail_replica = remote:vmail@replica
}
protocols = imap lmtp
service aggregator {
  fifo_listener replication-notify-fifo {
    user = vmail
  }
  unix_listener replication-notify {
    user = vmail
  }
}
service doveadm {
  inet_listener http {
    address = localhost
    port = 8080
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  executable = lmtp -L
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    mode = 0600
    user = vmail
  }
}
service stats {
  unix_listener stats-writer {
    mode = 0666
  }
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  default_fields = uid=vmail gid=vmail
  driver = sql
}
protocol lmtp {
  mail_plugins = quota notify replication
}
protocol imap {
  imap_capability = +SPECIAL-USE
  imap_metadata = yes
  mail_max_userip_connections = 50
  mail_plugins = quota notify replication imap_quota
  namespace inbox {
    location
    mailbox Ham {
      autoexpunge = 365 days
    }
    mailbox Spam {
      autoexpunge = 365 days
    }
    mailbox Trash {
      autoexpunge = 180 days
    }
    prefix
  }
}

Thanks!
Reio
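The SELinux module posted on 24.06 and the single rule described above as the minimum needed once known_hosts lives in /etc/ssh/ssh_known_hosts are the kind of policy text worth reviewing before it is loaded with semodule. The script below is an added example written for this page, not code from the thread or from the Dovecot project: it parses both rule sets (embedded as constructed samples copied from the messages), checks that every type, class and permission an allow rule uses is declared in the require block, and lists what the full module grants beyond the minimal one. It assumes the usual .te layout in which the require block's closing brace stands alone on its line.

```python
"""Review an SELinux type-enforcement (.te) module before loading it.

Pure text processing: checks require/allow consistency and diffs two
modules so a reviewer sees exactly which extra access the larger one grants.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the module posted in the thread (ssh + ~/.ssh reads).
FULL_MODULE = """
module selinux-dovecot-replication-ssh 1.0;
require {
    type ssh_exec_t;
    type ssh_home_t;
    type dovecot_t;
    class file { open read execute execute_no_trans };
    class dir { getattr search };
}
allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
allow dovecot_t ssh_home_t:dir { getattr search };
allow dovecot_t ssh_home_t:file { open read };
"""

# Constructed sample input: the one rule the thread reports as still needed
# once known_hosts is read from /etc/ssh/ssh_known_hosts.
MINIMAL_MODULE = """
module selinux-dovecot-replication-ssh-min 1.0;
require {
    type ssh_exec_t;
    type dovecot_t;
    class file { execute execute_no_trans open read };
}
allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read };
"""

ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)
REQ_TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*;", re.M)
REQ_CLASS_RE = re.compile(r"^\s*class\s+(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)
# Assumption: the require block's closing brace is alone on its own line,
# which is how audit2allow and hand-written .te files lay it out.
REQUIRE_RE = re.compile(r"require\s*\{(.*?)\n\}", re.S)


@dataclass
class TeModule:
    types: frozenset   # types declared in require
    classes: dict      # class -> permissions declared in require
    allows: dict       # (source, target, class) -> permissions granted


def _perm_set(token: str) -> frozenset:
    """Turn '{ a b }' or 'a' into a set of permission names."""
    return frozenset(token.strip("{} ").split())


def parse_te(source: str) -> TeModule:
    m = REQUIRE_RE.search(source)
    req = m.group(1) if m else ""
    types = frozenset(REQ_TYPE_RE.findall(req))
    classes = {cls: _perm_set(p) for cls, p in REQ_CLASS_RE.findall(req)}
    allows = {}
    for src, tgt, cls, perms in ALLOW_RE.findall(source):
        key = (src, tgt, cls)
        allows[key] = allows.get(key, frozenset()) | _perm_set(perms)
    return TeModule(types, classes, allows)


def check_require(source: str) -> list:
    """List every identifier an allow rule uses without a matching require entry."""
    mod = parse_te(source)
    issues = set()
    for (src, tgt, cls), perms in mod.allows.items():
        for t in (src, tgt):
            if t not in mod.types:
                issues.add(f"type {t} is used but not declared in require")
        if cls not in mod.classes:
            issues.add(f"class {cls} is used but not declared in require")
            continue
        for p in perms - mod.classes[cls]:
            issues.add(f"permission {cls}:{p} is used but not declared in require")
    return sorted(issues)


def extra_grants(candidate: str, baseline: str) -> dict:
    """Permissions the candidate module grants that the baseline does not."""
    cand, base = parse_te(candidate).allows, parse_te(baseline).allows
    return {key: perms - base.get(key, frozenset())
            for key, perms in cand.items()
            if perms - base.get(key, frozenset())}


if __name__ == "__main__":
    for name, text in (("full", FULL_MODULE), ("minimal", MINIMAL_MODULE)):
        print(f"{name}: require issues -> {check_require(text) or 'none'}")
    for (src, tgt, cls), perms in extra_grants(FULL_MODULE, MINIMAL_MODULE).items():
        print(f"full grants beyond minimal: {src} -> {tgt}:{cls} {sorted(perms)}")
```

The diff makes the trade-off in the thread visible: the only rules the full module adds are reads of ssh_home_t, and those are needed precisely because execute_no_trans runs the ssh binary inside the dovecot_t domain instead of transitioning to ssh's own domain, so any file ssh then opens must be readable by dovecot_t. Moving known_hosts to /etc/ssh/ssh_known_hosts removes that need and leaves the single ssh_exec_t rule.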
On 06.08.2019 23:17, Reio Remma via dovecot wrote:
> On 24.06.2019 16:25, Reio Remma wrote:
>> On 24.06.2019 8:21, Aki Tuomi wrote:
>>> On 22.6.2019 22.00, Reio Remma via dovecot wrote:
>>>> Jun 22 16:55:22 host dovecot: dsync-local(user@host.ee)<>: Error:
>>>> Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l
>>>> vmail backup.host.ee doveadm dsync-server -D -u user@host.ee
>>>>
>>>> PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun
>>>> as usual. :)
>>> Dovecot under selinux works, as long as you do it the way the policy
>>> writer intended, see https://linux.die.net/man/8/dovecot_selinux
>>>
>>> Aki
>>
>> For replication over SSH I had to add the following module:
>>
>> module selinux-dovecot-replication-ssh 1.0;
>>
>> require {
>>         type ssh_exec_t;
>>         type ssh_home_t;
>>         type dovecot_t;
>>         class file { open read execute execute_no_trans };
>>         class dir { getattr search };
>> }
>>
>> #============= dovecot_t =============
>> allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
>> allow dovecot_t ssh_home_t:dir { getattr search };
>> allow dovecot_t ssh_home_t:file { open read };
>>
>> ssh_exec_t to allow Dovecot to use ssh executable in the first place
>> and ssh_home_t:dir + ssh_home_t:file for it to be able to read
>> known_hosts from /root/.ssh
>>
>> Reio
>
> To cut down on selinux exceptions I put the destination host in
> /etc/ssh/ssh_known_hosts and dovecot successfully replicates, however
> I get the following log entry for every replicator action:
>
> Aug  6 22:25:59 turin dovecot: doveadm: Error: Could not create
> directory '/root/.ssh'.
>
> Replication is set up with the user vmail (/home/vmail and SSH key in
> /home/vmail/.ssh) and the minimum selinux rule to get Dovecot to read
> the key is:
>
> allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read };
>
> Is there a way I can change from root to vmail user for creating the
> SSH connection?
>
> Doveconf below:
>
> # 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
>
> service doveadm {
>   inet_listener http {
>     address = localhost
>     port = 8080
>   }
> }

service doveadm {
  user = vmail
}

This seems to have fixed it. Here's hoping for no unforeseen side-effects. :)

I still need

allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read };

for selinux, but there are no more errors in maillog and it can read both
the key and known_hosts (from either /home/vmail/.ssh/known_hosts or
/etc/ssh/ssh_known_hosts).

Reio