[Dovecot] Public Namespace & ACL & Virtual Users
Fintec
mailing_list at fintec.co.nz
Thu Jun 15 04:58:31 EEST 2006
I have re-tested with beta9 from src but unfortunately the results are
fairly similar. The Public namespace (Shared Public Folders) works great
until I try and control access with the ACL plugin.
Problems are:
1) dovecot-acl file within public namespace directory isn't found
2) global ACLs (vfile) partially work with virtual users but when used:
a) non-ACL restricted public namespace directories stop working
b) permitted users are unable to view or create sub-folders
I think all the above problems can be attributed to the fact the ACL
plugin ignores the namespace prefix. I did further testing with the
vfile using some suggestions from the list:
VFILE TESTING: ("vmail" is the local user)
--------
owner lrwstiekxa
user=vmail lrwstiekxa
user=virtualuser1 at domain.com lrwstiek
--------
Dovecot Log: child 8872 (imap) killed with signal 11
--------
owner
user=vmail lrwstiekxa
user=virtualuser1 at domain.com lrwstiek
--------
Dovecot Log: child 8872 (imap) killed with signal 11
--------
user=vmail lrwstiekxa
user=virtualuser1 at domain.com lrwstiek
--------
Problems 2 (a) and (b) still exist. Sub-folder *is* created but not
accessible
--------
user=virtualuser1 at domain.com lrwstiek
--------
Problems 2 (a) and (b) still exist. Sub-folder *is* created but not
accessible
Ideally I would like to use per-mailbox ACLs (dovecot-acl files) so I
could easily be selective on what directories were access controlled.
Does anyone have a fix for this?
I have a couple of clients requiring access controlled Public Shared
Folders so sponsoring the fix/development is not out of the question.
Regards,
Gavin
On Thu, 2006-06-01 at 10:40 +1200, Fintec wrote:
> Thanks for the reply Timo.
>
> I think one of my main problems is that: "Namespace prefixes are
> currently ignored". My public namespace is defined as:
>
> ---------- snip ----------
> namespace public {
> separator = .
> prefix = Public_Folders.
> location = maildir:/home/vmail/domains/%d/Public_Folders:CONTROL=/home/vmail/domains/%d/%n/Public_Folders/support:INDEX=/home/vmail/domains/%d/%n/Public_Folders/index
> hidden = no
> }
> ---------- snip ----------
>
> This means when I try and add a dovecot-acl file into one of my
> Public_Folders (in the public name space) it isn't seen at all. I
> switched to using a vfile global acl which is at least seen but I'm
> getting mixed results. To test I created /etc/dovecot-acls/Management:
> user=user1 at domain.com lrwsiea
> user=user2 at domain.com lrwsie
>
> If I add any more of the ACLs, for example k dovecot reports:
> dovecot: IMAP(user1 at domain.com): ACL file /etc/dovecot-acls/Management
> line 1: Unknown ACL 'k'
>
> This means I have been able to restrict access to the Management folder
> but because I cannot add k to the ACL list I'm unable to create folders
> within this. Also, when using the vfile global ACL
> file /etc/dovecot-acls/Management none of the other Public_Folder sub
> directories are available at all!
>
> In summary:
> - dovecot-acl file within public namespace directory isn't found because
> ACL ignores namespace prefix
> - global ACLs partially work with virtual users but currently not able to
> do more than lrwsiea
> - global ACLs stop other non-ACL restricted public namespace directories
> working (in my configuration)
>
> Any help with this would be greatly appreciated!
>
> Gavin
>
> On Tue, 2006-05-30 at 14:59 +0300, Timo Sirainen wrote:
> > On Tue, 2006-05-30 at 11:28 +1200, Fintec wrote:
> > > Our implementation of dovecot (v1.0b7) uses many virtual users and
> > > domains and 1 actual user (vmail), all using maildir. So far I have
> > > successfully created the public namespace (Public_Folders) which every
> > > user can access but I'm having difficulty restricting access using ACLs.
> > >
> > > When trying to implement the dovecot ACL plug-in I followed the wiki
> > > instructions and created a "dovecot-acl" file within Public_Folders
> > > containing:
> > > owner lrwstiekxa
> > > user=user1 at domain.com lrwstiek
> > >
> > > However this doesn't appear to do anything. All users can still access
> > > Public_Folders so I have a couple of questions that hopefully someone
> > > can help me with...
> >
> > The problem here is that Dovecot assumes the logged in user owns the
> > mailbox. The ACLs were currently meant mostly to work with master user
> > logins, so the only case when owner doesn't match the logged in user is
> > when a master user logs in as someone else.
> >
> > How do you define mailbox's owner anyway in cases like this? If the
> > mailbox exists in a public namespace, is anyone its owner? Well I guess
> > I'll try to figure out this when I'm really implementing the proper
> > shared mailbox support for Dovecot..
> >
> > Anyway, this would work for you:
> >
> > owner
> > user=real-owner-user lrwstiekxa
> > user=user1 at domain.com lrwstiek
> >
> > Although after I tried it now, I found a bug which causes it to crash
> > with the empty owner list. Or actually that same bug could cause it to
> > break in other ways too, fix here:
> >
> > http://dovecot.org/list/dovecot-cvs/2006-May/005609.html
> >
> > > 2) Is it possible to create dovecot-acl files with virtual usernames,
> > > i.e. user1 at domain.com or does it have to be actual users, i.e. vmail?
> >
> > They must be virtual usernames.
> >
> > > 3) Is it possible to restrict access within the namespace definition,
> > > i.e. set up another public namespace restricted to manager at domain.com?
> >
> > This sounds more like user-specific configuration, which is possible
> > with a kludgy imap-wrapper script which sets up proper namespace
> > environment variables before calling imap binary itself.
> >
> > > 4) Are ACL accepts & denies logged somewhere other than /var/log/maillog
> > > (my default)?
> >
> > They're not logged anywhere currently. Is it really useful? Seems like
> > it'd only fill up the logs. Optionally perhaps..
> >
>
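The thread above shows two ways a hand-written dovecot-acl / global vfile can go wrong on the server side: a right letter the running version does not know ("Unknown ACL 'k'") and an identifier with an empty rights list (the bare "owner" line that made the imap child die with signal 11). The following Python linter is an added example written for this page, not Dovecot code. It parses the line format used in the posts (identifier, whitespace, string of right letters), flags unknown identifiers, unknown letters and empty rights lists before the file is deployed, and lists which entries name a given user. The full letter set lrwstiekxap is assumed from the Dovecot ACL documentation; the reduced set lrwsiea is the one the first post reports working on 1.0b7. The sample ACL text is constructed for the example and uses "@" where the list archive shows "at". The function only matches entries to a user; it does not claim to reproduce Dovecot's precedence or merging rules.

```python
"""Lint a Dovecot dovecot-acl or global vfile ACL before deploying it.

Added example for this thread, not Dovecot's own code. Line format assumed:
    <identifier> <rights>
where <identifier> is owner, authenticated, anyone, user=<name>,
group=<name> or group-override=<name>, and <rights> is a run of letters
(possibly empty).
"""
from typing import List, NamedTuple, Tuple

# Right letters in the Dovecot ACL documentation (assumption: current full set).
FULL_RIGHTS = frozenset("lrwstiekxap")
# Letters the first post reports the 1.0b7 plugin accepted ('k' was rejected).
BETA7_RIGHTS = frozenset("lrwsiea")

BARE_IDS = ("owner", "authenticated", "anyone")
PREFIXED_IDS = ("user", "group", "group-override")


class AclEntry(NamedTuple):
    lineno: int
    kind: str    # one of BARE_IDS or PREFIXED_IDS
    name: str    # user/group name, "" for bare identifiers
    rights: str  # right letters as written


def parse_identifier(ident: str) -> Tuple[str, str]:
    """Split an identifier into (kind, name); raise ValueError if unknown."""
    if ident in BARE_IDS:
        return ident, ""
    kind, sep, name = ident.partition("=")
    if sep and kind in PREFIXED_IDS and name:
        return kind, name
    raise ValueError(f"unknown identifier {ident!r}")


def lint_acl(text: str, known_rights=FULL_RIGHTS) -> Tuple[List[AclEntry], List[str]]:
    """Parse ACL file contents; return (entries, problems).

    Problems are phrased like Dovecot's own log line for unknown letters so
    they are easy to grep for alongside the server log.
    """
    entries: List[AclEntry] = []
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        ident = parts[0]
        # Tolerate stray whitespace inside the rights string.
        rights = "".join(parts[1].split()) if len(parts) > 1 else ""
        try:
            kind, name = parse_identifier(ident)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        for ch in rights:
            if ch not in known_rights:
                problems.append(f"line {lineno}: Unknown ACL '{ch}'")
        if not rights:
            # An identifier granting nothing; the post above reports such a
            # line crashing the imap process on beta9.
            problems.append(f"line {lineno}: identifier {ident!r} has an empty rights list")
        entries.append(AclEntry(lineno, kind, name, rights))
    return entries, problems


def entries_for_user(entries: List[AclEntry], user: str, groups=(), is_owner=False) -> List[AclEntry]:
    """Entries whose identifier names `user` (matching only, no merging)."""
    matched = []
    for e in entries:
        if e.kind in ("anyone", "authenticated"):
            matched.append(e)
        elif e.kind == "owner" and is_owner:
            matched.append(e)
        elif e.kind == "user" and e.name == user:
            matched.append(e)
        elif e.kind in ("group", "group-override") and e.name in groups:
            matched.append(e)
    return matched


# Constructed sample mirroring the vfile tests in the post, plus one bad letter.
SAMPLE_ACL = """\
owner
user=vmail lrwstiekxa
user=virtualuser1@domain.com lrwstiek
user=user2@domain.com lrwsieq
"""

if __name__ == "__main__":
    found, issues = lint_acl(SAMPLE_ACL)
    for issue in issues:
        print(issue)
    for entry in entries_for_user(found, "virtualuser1@domain.com"):
        print(f"applies to virtualuser1@domain.com: line {entry.lineno} -> {entry.rights}")
```

Run it against the file you intend to drop into /etc/dovecot-acls/ (or into the mailbox directory) before restarting: the empty-rights and unknown-letter checks catch exactly the two inputs the thread shows the server handling badly, and checking against BETA7_RIGHTS tells you in advance which letters an old plugin will log as unknown.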