[Dovecot] Public Namespace & ACL & Virtual Users

Thu Jun 15 04:58:31 EEST 2006

I have re-tested with beta9 from src but unfortunately the results are
fairly similar. The Public namespace (Shared Public Folders) work great
until I try and and control access with the ACL plugin.

Problems are:
1) dovecot-acl file within public namespace directory isn't found
2) global ACLs (vfile) partially work with virtual users but when used:
	a) non-ACL restricted public namespace directories stop working
	b) permitted users are unable to view or create sub-folders

I think all the above problems can be attributed to the fact the ACL
plugin ignores the namespace prefix. I did further testing with the
vfile using some suggestions from the list:

VFILE TESTING: ("vmail" is the local user)
--------
owner lrwstiekxa
user=vmail lrwstiekxa
user=virtualuser1 at domain.com lrwstiek
--------
Dovecot Log: child 8872 (imap) killed with signal 11

--------
owner
user=vmail lrwstiekxa
user=virtualuser1 at domain.com lrwstiek
--------
Dovecot Log: child 8872 (imap) killed with signal 11

--------
user=vmail lrwstiekxa
user=virtualuser1 at domain.com lrwstiek
--------
Problems 2 (a) and (b) still exist. Sub-folder *is* created but not
accessible

--------
user=virtualuser1 at domain.com lrwstiek
--------
Problems 2 (a) and (b) still exist. Sub-folder *is* created but not
accessible

Ideally I would like to use per-mailbox ACLs (dovecot-acl files) so I
could easily be selective on what directories were access controlled,
does anyone have a fix for this?

I have a couple of clients requiring access controlled Public Shared
Folders so sponsoring the fix/development is not out of the question.

Regards,
Gavin

On Thu, 2006-06-01 at 10:40 +1200, Fintec wrote: 
> Thanks for the reply Timo.
> 
> I think one of my main problems is that: "Namespace prefixes are
> currently ignored". My public namespace is defined as:
> 
> ---------- snip ----------
> namespace public {
>    separator = .
>    prefix = Public_Folders.
>    location = maildir:/home/vmail/domains/%
> d/Public_Folders:CONTROL=/home/vmail/domains/%d/%
> n/Public_Folders/support:INDEX=/home/vmail/domains/%d/%
> n/Public_Folders/index
>    hidden = no
> }
> ---------- snip ----------
> 
> This means when I try and add a dovecot-acl file into one of my
> Public_Folders (in the public name space) it isn't seen at all. I
> switched to using a vfile global acl which is at least seen but I'm
> getting mixed results. To test I created /etc/dovecot-acls/Management:
> user=user1 at domain.com lrwsiea
> user=user2 at domain.com lrwsie
> 
> If I add any more of the ACLs, for example k dovecot reports:
> dovecot: IMAP(user1 at domain.com): ACL file /etc/dovecot-acls/Management
> line 1: Unknown ACL 'k'
> 
> This means I have been able to restrict access to the Management folder
> but because I cannot add k to the ACL list I'm unable to create folders
> within this. Also, when using the vfile global ACL
> file  /etc/dovecot-acls/Management none of the other Public_Folder sub
> directories are available at all!
> 
> In summary:
> - dovecot-acl file within public namespace directory isn't found because
> ACL ignores namespace prefix
> - global ACLs partialy work with virtual users but currently not able to
> do more than lrwsiea
> - global ACLs stop other non-ACL restricted public namespace directories
> working (in my configuration)
> 
> Any help with this would be greatly appreciated!
> 
> Gavin
> 
> On Tue, 2006-05-30 at 14:59 +0300, Timo Sirainen wrote:
> > On Tue, 2006-05-30 at 11:28 +1200, Fintec wrote:
> > > Our implementation of dovecot (v1.0b7) uses many virtual users and
> > > domains and 1 actual user (vmail), all using maildir. So far I have
> > > successfully created the public namespace (Public_Folders) which every
> > > user can access but I'm having difficulty restricting access using ACls.
> > > 
> > > When trying to implement the dovecot ACL plug-in I followed the wiki
> > > instructions and created a "dovecot-acl" file within Public_Folders
> > > containing:
> > > owner lrwstiekxa
> > > user=user1 at domain.com lrwstiek
> > > 
> > > However this doesn't appear to do anything. All users can still access
> > > Public_Folders so I have a couple of questions that hopefully someone
> > > can help me with...
> > 
> > The problem here is that Dovecot assumes the logged in user owns the
> > mailbox. The ACLs were currently meant mostly to work with master user
> > logins, so the only case when owner doesn't match the logged in user is
> > when a master user logs in as someone else.
> > 
> > How do you define mailbox's owner anyway in cases like this? If the
> > mailbox exists in a public namespace, is anyone its owner? Well I guess
> > I'll try to figure out this when I'm really implementing the proper
> > shared mailbox support for Dovecot..
> > 
> > Anyway, this would work for you:
> > 
> > owner
> > user=real-owner-user lrwstiekxa
> > user=user1 at domain.com lrwstiek
> > 
> > Although after I tried it now, I found a bug which causes it to crash
> > with the empty owner list. Or actually that same bug could cause it to
> > break in other ways too, fix here:
> > 
> > http://dovecot.org/list/dovecot-cvs/2006-May/005609.html
> > 
> > > 2) Is it possible to create dovecot-acl files with virtual usernames,
> > > i.e. user1 at domain.com or does it have to be actual users, i.e. vmail?
> > 
> > They must be virtual usernames.
> > 
> > > 3) Is it possible to restrict access within the namespace definition,
> > > i.e. set up another public namespace restricted to manager at domain.com?
> > 
> > This sounds more like user-specific configuration, which is possible
> > with a kludgy imap-wrapper script which sets up proper namespace
> > environment variables before calling imap binary itself.
> > 
> > > 4) Is ACL accepts & denies logged somewhere other than /var/log/maillog
> > > (my default)?
> > 
> > They're not logged anywhere currently. Is it really useful? Seems like
> > it'd only fill up the logs. Optionally perhaps..
> > 
> 