4
Dovecot supports master/master replication using dsync. It's recommended that
5
the same user always gets redirected to the same replica, but no changes get
6
lost even if the same user modifies mails simultaneously on both replicas, some
7
mails just might have to be redownloaded. The replication is done
8
asynchronously, so high latency between the replicas isn't a problem. The
9
replication is done by looking at Dovecot index files (not what exists in
10
filesystem), so no mails get lost due to filesystem corruption or an accidental
11
rm -rf, they will simply be replicated back.
13
NOTE: v2.2 is highly recommended for this. Earlier versions can't do
14
incremental metadata syncing. This means that the more mails a mailbox has, the
15
slower it is to sync it.
17
Make sure that user listing is configured for your userdb, this is required by
20
---%<-------------------------------------------------------------------------
22
---%<-------------------------------------------------------------------------
24
Enable the replication plugin globally (most likely you'll need to do this in
27
---%<-------------------------------------------------------------------------
28
mail_plugins = $mail_plugins notify replication
29
---%<-------------------------------------------------------------------------
31
Replicator process should be started at startup, so it can start replicating
34
---%<-------------------------------------------------------------------------
38
---%<-------------------------------------------------------------------------
40
You need to configure how and where to replicate. Using SSH for example:
42
---%<-------------------------------------------------------------------------
43
dsync_remote_cmd = ssh -l%{login} %{host} doveadm dsync-server -u%u
45
mail_replica = remote:vmail@anotherhost.example.com
47
---%<-------------------------------------------------------------------------
49
The mail processes need to have access to the replication-notify fifo and
50
socket. If you have a single vmail UID, you can do:
52
---%<-------------------------------------------------------------------------
54
fifo_listener replication-notify-fifo {
57
unix_listener replication-notify {
61
---%<-------------------------------------------------------------------------
63
The replication-notify only notifies the replicator processes that there is
64
work to be done, so it's not terribly insecure either to just set 'mode=0666'.
66
Enable doveadm replicator commands by setting:
68
---%<-------------------------------------------------------------------------
70
unix_listener replicator-doveadm {
74
---%<-------------------------------------------------------------------------
76
dsync over TCP connections (v2.2+)
77
----------------------------------
79
Create a listener for doveadm-server:
81
---%<-------------------------------------------------------------------------
87
---%<-------------------------------------------------------------------------
89
And tell doveadm client to use this port by default:
91
---%<-------------------------------------------------------------------------
93
---%<-------------------------------------------------------------------------
95
Both the client and the server also need to have a shared secret:
97
---%<-------------------------------------------------------------------------
98
doveadm_password = secret
99
---%<-------------------------------------------------------------------------
101
Now you can use 'tcp:hostname' as the dsync target. You can also override the
102
port with 'tcp:hostname:port'.
104
---%<-------------------------------------------------------------------------
106
mail_replica = tcp:anotherhost.example.com # use doveadm_port
107
#mail_replica = tcp:anotherhost.example.com:12345 # use port 12345 explicitly
109
---%<-------------------------------------------------------------------------
114
You can also use SSL for the connection:
116
---%<-------------------------------------------------------------------------
123
---%<-------------------------------------------------------------------------
125
The client must be able to verify that the SSL certificate is valid, so you
126
need to specify the directory containing valid SSL CA roots:
128
---%<-------------------------------------------------------------------------
129
ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
130
ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
131
---%<-------------------------------------------------------------------------
133
Now you can use 'tcps:hostname' or 'tcps:hostname:port' as the dsync target.
135
Note that the SSL certificate must be signed by one of the CAs in the
136
'ssl_client_ca_dir' or 'ssl_client_ca_file'. You can't use a self-signed
137
certificate or a private CA, unless you correctly set them up into the CA
138
file/directory (see openssl documentation for details).
140
dsync wrapper script for root SSH login (v2.2+)
141
-----------------------------------------------
143
If you're using multiple UIDs, dsync needs to be started as root, which means
144
you need to log in as root with ssh (or use sudo). Another possibility is to
145
allow root to run only a wrapper script. There is some built-in support for
146
this in v2.2+ to make it easier:
150
---%<-------------------------------------------------------------------------
151
dsync_remote_cmd = /usr/bin/ssh -i /root/.ssh/id_dsa.dsync %{host}
152
/usr/local/bin/dsync-in-wrapper.sh
154
mail_replica = remoteprefix:vmail@anotherhost.example.com
156
---%<-------------------------------------------------------------------------
158
/root/.ssh/authorized_keys:
160
---%<-------------------------------------------------------------------------
161
command="/usr/local/bin/dsync-in-wrapper.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
163
---%<-------------------------------------------------------------------------
165
/usr/local/bin/dsync-in-wrapper.sh:
167
---%<-------------------------------------------------------------------------
169
ulimit -c unlimited # for debugging any crashes
170
/usr/local/bin/doveadm dsync-server -u $username
171
---%<-------------------------------------------------------------------------
176
With v2.2.9+ you can configure what parameters replicator uses for the 'doveadm
179
---%<-------------------------------------------------------------------------
180
replication_dsync_parameters = -d -N -l 30 -U
181
---%<-------------------------------------------------------------------------
183
The '-f' and '-s' parameters are added automatically when needed.
185
Usually the only change you may want to do is replace '-N' (= sync all
186
namespaces) with '-n <namespace>' or maybe just add '-x <exclude>'
192
Random things to remember:
194
* The replicas can't share the same quota database, since both will always
196
* With mdbox format "doveadm purge" won't be replicated
197
* "doveadm force-resync", "doveadm quota recalc" and other similar fixing
198
commands don't get replicated
199
* The servers must have different hostnames or the locking doesn't work and
200
can cause replication problems.
201
* v2.2.6+: If you're having trouble, verify that 'dovecot --hostdomain'
202
returns different values for the servers.
204
(This file was created from the wiki on 2013-11-24 04:42)