[Dovecot] Acl, Namespace, User Confusion

Jim Horner jhorner at arinbe.com
Thu Aug 17 08:34:52 EEST 2006


Thanks for the reply.

> 2) Make LDAP return system_user. That makes Dovecot get the groups for
> that user. So something like:
>
> pass_attrs = uid=user,uid=system_user,userPassword=password

Sorry I didn't mention this. I am doing exactly as you state (I think). 

user_attrs = 
mail=user,mailbox=home,uid=system_user,uidNumber=uid,gidNumber=gid

pass_attrs = 
mail=user,userPassword=password,uid=userdb_user,uid=userdb_system_u
ser,mailbox=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid

The problem is not so much that jdoe and jsmith can not see the company mail 
folder as it is so can everyone else. I would like it so only jdoe and jsmith 
see the "COMPANY" namespace. However if I lock down the folder using unix 
permissions:

drwxrwx---  4 cmpymail  cmpymail 4096 2006-08-13 02:21 cmpymail
drwxrwx---  3 jdoe      users    4096 2005-11-21 13:34 jdoe
drwxrwx---  3 jsmith    users    4096 2006-08-13 02:27 jsmith
drwxrwx---  3 fred      users    4096 2006-08-13 02:27 fred
drwxrwx---  3 wilma     users    4096 2006-08-13 02:27 wilma

then fred, wilma get "IMAP(wilma at arinbe.com): 
opendir(/home/services/mail/arinbe.com/cmpymail/Maildir) failed: Permission 
denied" error messages.

I'm fine with the error. It makes sense. I just don't know how to configure 
dovecot so the user (fred, wilma) don't see the error.

As I understand it

dovecot-shared file is for deliver (dovecot lda) so it knows what permissions 
to give mail files.

dovecot-acl provides, I am not sure? Can it override unix permissions? Doesn't 
appear so. If the user logged in doesn't have unix permission to access the 
folder then how can dovecot-acl be accessed? It also appears that if I set 
the unix permissions on the folder to cmpymail.users then dovecot-acl doesn't 
do anything to stop fred and wilma from accessing the folder since they have 
unix permission access to that folder (they (everyone) are in the users 
group).

Should I make everyone a static uid like

  userdb static {
    args = uid=1500 gid=1500 home=/home/services/mail/%d/%n
  }

remove unix permissions, chown vuser.vuser for all mail folders and put a 
dovecot-acl in the folders/namespace I want to protect? Does it have to be 
that way? I kind of like seeing the login process and who it belongs to... 
though this is "black" box and no one can log into it.

I guess my example is pretty lame compared to what ACLs are suppose to be able 
to do in IMAP but I imagine something similar to what samba does for shares 
like a "users" parameter.

namespace public {
   separator = .
   prefix = COMPANY.
   users = someuser @somegroup
   location = 
maildir:/home/services/mail/arinbe.com/company/Maildir:CONTROL=%h/shared-settings/company/control:INDEX=%h/shared-settings/rootmail/index
   hidden = no
}

Thanks,

Jim



More information about the dovecot mailing list