[Dovecot] Preparing for sharing with ACLs

Timo Sirainen tss at iki.fi
Thu Mar 22 15:45:05 EET 2007


On 22.3.2007, at 12.33, Mike Brudenell wrote:

> Q1.  Are there plans to add support for ACLs in the future, along with an
>      end-user accessible means of setting these up and manipulating them?

Sure, in the future. :)

> We are using filestore quotas for the Maildirs, so at present a  
> user's Maildir directories and files are owned by their username  
> (UNIX uid) and group (UNIX gid).

Just a reminder that control files can be problematic. http://wiki.dovecot.org/Quota/FS

> So looking to the future, I'm therefore thinking that instead of  
> having each user's Maildir directories and files owned by their  
> UNIX uid and gid I should instead have them owned by their UNIX uid  
> and a common-to-everyone UNIX gid.  Eg,
>
>     drwxrwx---    user1:mail    directoryname
>     -rw-rw----    user1:mail    filename
>
> I realise there is an element of risk here, as we would be relying  
> on Dovecot's security to limit access so that only authorised users  
> can access a given person's mailbox.
>
> Is this the right approach to adopt?
> Or is there a better way of (one day) enabling Person A to share  
> their mailbox to Person B but not Person C?

I was thinking that the ACL plugin could some day be able to  
automatically figure out what would be the group containing the  
minimum set of users who can access the mailbox. If everything else  
fails, then use the "mail" group or something which contains everyone.

> (We need a solution that is general and based on ACLs, not one that  
> relies on our creating custom UNIX groups and assigning people's  
> usernames to these.)

If you don't want to create any kind of groups (like "administrative  
people", "students", etc.) then I guess the mail group is the only  
possibility. But don't give the users directly access to the mail  
group, just set Dovecot's mail_extra_groups = mail setting.
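An added audit check for the ownership scheme discussed above (example code, not from the thread or from Dovecot): it walks a Maildir and reports every entry that is not owner uid plus the shared group with modes 0770/0660, carries any world permission bit, or is a symlink. The group name "mail", the message file names and the sample tree that run_demo builds in a temp dir are assumptions/constructed.

```python
import grp
import os
import stat
import tempfile

# Scheme from the thread: owner uid plus a shared gid ("mail"), dirs 0770, files 0660.
DIR_MODE, FILE_MODE = 0o770, 0o660

def audit_maildir(root, owner_uid, shared_group):
    """Return (path, problem) tuples for entries breaking the scheme; shared_group is a name or gid."""
    gid = shared_group if isinstance(shared_group, int) else grp.getgrnam(shared_group).gr_gid
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    findings = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):  # a link could lead outside the mailbox tree
            findings.append((path, "symlink inside Maildir"))
            continue
        perm = stat.S_IMODE(st.st_mode)
        want = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
        if st.st_uid != owner_uid:
            findings.append((path, "uid %d, expected %d" % (st.st_uid, owner_uid)))
        if st.st_gid != gid:
            findings.append((path, "gid %d, expected %d" % (st.st_gid, gid)))
        if perm & stat.S_IRWXO:  # any world bit defeats the whole scheme
            findings.append((path, "world-accessible mode %o" % perm))
        elif perm != want:
            findings.append((path, "mode %o, expected %o" % (perm, want)))
    return findings

def run_demo():
    """Constructed sample: a minimal Maildir in the scheme plus one world-readable message."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "Maildir")
        for d in (root, *(os.path.join(root, s) for s in ("cur", "new", "tmp"))):
            os.mkdir(d)
        good = os.path.join(root, "cur", "1174570000.M1P1.host")
        bad = os.path.join(root, "new", "1174570001.M2P1.host")
        for path in (good, bad):
            with open(path, "w") as fh:
                fh.write("Subject: constructed sample\n\n")
        for dirpath, dirnames, filenames in os.walk(root):
            for p in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
                os.chown(p, -1, os.getgid())  # own primary gid stands in for "mail"
                os.chmod(p, DIR_MODE if os.path.isdir(p) else FILE_MODE)
        os.chmod(bad, 0o644)  # the slip a permissive umask would produce
        return audit_maildir(root, os.getuid(), os.getgid())
```

In production, call audit_maildir on the real mailbox with the owner's uid and "mail" as the group; an empty list means the tree matches the scheme.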



