[Dovecot] Shared folder hierarchies, multiple groups

Benjamin R. Haskell dovecot at benizi.com
Thu Aug 2 17:12:41 EEST 2007


Hi,

I'm trying to set up two shared folder hierarchies on my Dovecot 
installation for two groups of employees, all of whom should only have 
access to their own hierarchy. Any employee should be able to create 
sub-folders and generally have full access to the hierarchy.

My initial setup was to create two public namespaces, Shared-One and 
Shared-Two. Each is a Maildir under /var/mail.

The actual shared folders seem to be working fine in terms of adding and 
accessing folders and messages, and there are no problems at all for the 
'admin' user, who belongs to both the shared1 and shared2 Unix groups.

The problem is for other users, where trying to (IMAP-) LIST folders 
fails.

(sanitized) IMAP session log: ('user2' is in group shared2)
* OK Dovecot ready.
A LOGIN user2 pass
A OK Logged in.
B LIST "" "%"
* LIST (\Noselect \HasChildren) "/" "Shared-One"
B NO Internal error occurred. Refer to server log for more information. [2007-08-02 09:01:23]

In the mail logs I find:
dovecot: IMAP(user2): stat(/var/mail/Shared-One/cur) failed: Permission denied

Relevant permissions:
2770/drwxrws--- shared1 shared1 /var/mail/Shared-One
2770/drwxrws--- shared1 shared1 /var/mail/Shared-One/cur
0660/-rw-rw---- shared1 shared1 /var/mail/Shared-One/dovecot-shared

And similarly for Shared-Two. (replace shared1 with shared2 everywhere)

Among other things, I've read:
http://wiki.dovecot.org/SharedMailboxes
http://wiki.dovecot.org/ACL
http://wiki.dovecot.org/MainConfig
http://wiki.dovecot.org/Namespaces

I don't want to use vfile ACLs (I think) because I want users to be 
able to create subfolders at will, and I don't want to have to add a 
dovecot-acl file per-folder. (Is there a way to set global defaults on a 
global basis? [not per-folder]) I also think there would be a problem with 
the hierarchies being similar. (e.g. both have a 'Projects' sub-folder, 
but there's a pretty clear WARNING on the wiki about mailbox name 
conflicts.)

I can't use symlinked Maildirs, because new subfolders get created under 
~user/Maildir/. (Want them under /var/mail/Shared-X/)

I can't use hidden namespaces, because employees use Outlook (uggh), and 
I couldn't figure out how to "find" the namespace when it was hidden. 
(That seemed like the closest thing to a solution - it solved the LIST 
problem.)

Ideally, Shared-Two wouldn't even be visible to members of Shared-One, and 
vice versa. But, that's at least an acceptable "problem" I could live 
with.

Any suggestions?

Thanks,
Ben
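
An added example, not part of the original post: a small model of the POSIX permission check behind the logged `stat(/var/mail/Shared-One/cur) failed: Permission denied`, run over the permission lines quoted above. The Shared-Two lines are constructed from the post's "replace shared1 with shared2" remark, `user1` and the `USERS` table are assumed, unlisted parent directories are assumed traversable, and root is not modelled.

```python
import stat

# Permission lines in the post's format; the Shared-Two lines are constructed
# from its "replace shared1 with shared2 everywhere" remark.
PERMS = """\
2770/drwxrws--- shared1 shared1 /var/mail/Shared-One
2770/drwxrws--- shared1 shared1 /var/mail/Shared-One/cur
0660/-rw-rw---- shared1 shared1 /var/mail/Shared-One/dovecot-shared
2770/drwxrws--- shared2 shared2 /var/mail/Shared-Two
2770/drwxrws--- shared2 shared2 /var/mail/Shared-Two/cur
0660/-rw-rw---- shared2 shared2 /var/mail/Shared-Two/dovecot-shared
"""

# Group memberships: 'admin' and 'user2' follow the post, 'user1' is assumed.
USERS = {"admin": {"shared1", "shared2"}, "user2": {"shared2"}, "user1": {"shared1"}}

def parse(text):
    """Map path -> (octal mode, owner, group)."""
    table = {}
    for line in text.splitlines():
        mode, owner, group, path = line.split(None, 3)
        table[path] = (int(mode.split("/")[0], 8), owner, group)
    return table

def can_search(user, groups, entry):
    """POSIX picks exactly one class (owner, then group, then other)."""
    mode, owner, group = entry
    if user == owner:
        return bool(mode & stat.S_IXUSR)
    if group in groups:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def stat_allowed(user, groups, path, table):
    """stat(path) needs search (x) on every ancestor directory.
    Ancestors missing from the table (/var, /var/mail) are assumed searchable."""
    parts = path.split("/")
    for i in range(2, len(parts)):
        ancestor = "/".join(parts[:i])
        if ancestor in table and not can_search(user, groups, table[ancestor]):
            return False
    return True

def list_report(user):
    """For each namespace root's cur/ directory, would the server's stat() succeed?"""
    table = parse(PERMS)
    return {p: stat_allowed(user, USERS[user], p, table)
            for p in table if p.endswith("/cur")}

if __name__ == "__main__":
    for name in USERS:
        print(name, list_report(name))
```
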

