dovecot-ceph-plugin

Looks like all mail users need to have access to /etc/ceph/ceph.client.mail.keyring

Open f1-outsourcing opened this issue 5 years ago • 2 comments

I have noticed that not the dovecot user, but all user accounts need to have access to the ceph.client.mail.keyring. Thus when I was testing with user test, test needed to have read access to the keyring file. I am not sure this is a desirable situation. I would prefer that the access to this file is limited to e.g. the dovecot user.

f1-outsourcing, Sep 14 '19 22:09

This depends on your dovecot configuration, I think. The imap/pop3/lmtp/smtp process opens the ceph connection, so the user configured for these processes needs access to the ceph config and keyfiles.

jrse, Sep 15 '19 12:09

I checked again. We only tested the plugin with virtual users. Currently we are opening the ceph connection as late as possible to save resources. It may be possible to move the open connection forward, e.g. to the plugin init function. With some luck this could allow us to read the ceph certificate and configuration with the dovecot user. But this is untried so far.

jrse, Sep 16 '19 14:09
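An added example, not part of the thread or of the plugin's code: a small audit that, for a given mode and ownership of the keyring, lists which mail-process accounts cannot read it and which other accounts can. The account names, uids and gids are constructed, and `vmail` as a single account for virtual users is an assumption.

```python
import stat

KEYRING = "/etc/ceph/ceph.client.mail.keyring"  # path from the issue title

def can_read(mode, owner_uid, owner_gid, uid, gids):
    """POSIX mode-bit read check; ACLs and root's override are ignored."""
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def audit(mode, owner_uid, owner_gid, accounts, mail_accounts):
    """accounts: {name: (uid, {gids})}. mail_accounts: names the
    imap/pop3/lmtp processes run as. Returns (missing, excess):
    mail accounts that cannot read the keyring, and other accounts
    that can."""
    missing, excess = [], []
    for name, (uid, gids) in sorted(accounts.items()):
        readable = can_read(mode, owner_uid, owner_gid, uid, gids)
        if name in mail_accounts and not readable:
            missing.append(name)
        elif name not in mail_accounts and readable:
            excess.append(name)
    return missing, excess

# Constructed accounts (uids/gids are illustrative only).
ACCOUNTS = {
    "dovecot": (97, {97}),
    "vmail": (5000, {5000}),   # assumed single account for virtual users
    "test": (1001, {1001}),    # system user from the issue
    "alice": (1002, {1002}),
}

if __name__ == "__main__":
    # System users, keyring 0640 root:root: "test" cannot open the connection.
    print(KEYRING, audit(0o640, 0, 0, ACCOUNTS, {"test"}))
    # Making it world-readable fixes that but exposes the key to everyone.
    print(KEYRING, audit(0o644, 0, 0, ACCOUNTS, {"test"}))
    # Virtual users, keyring 0640 root:<vmail gid>: only vmail can read it.
    print(KEYRING, audit(0o640, 0, 5000, ACCOUNTS, {"vmail"}))
```
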