[Dovecot] Dovecot not handling r/o mailboxes completely, and problem with ACL as a workaround
Adam McDougall
mcdouga9 at egr.msu.edu
Fri May 11 00:12:51 EEST 2007
Thanks for the clarification, I got around to testing the configuration
you claim to use, but unfortunately I cannot get an ACL to have any effect
on the mailbox access :( Can you tell me what acl flags you are restricting
to (rl, etc) and what actual effect that has on the mail client in terms of
behavior when attempting to perform an unallowed action?
I get this in the log:
May 10 15:46:58 gribble dovecot: IMAP(mcdouga9): acl: initializing backend with data: vfile:/usr/local/etc/dovecot-acls
May 10 15:46:58 gribble dovecot: IMAP(mcdouga9): acl: acl username = mcdouga9
May 10 15:46:58 gribble dovecot: IMAP(mcdouga9): acl: owner username = mcdouga9
May 10 15:46:58 gribble dovecot: IMAP(mcdouga9): acl vfile: Global ACL directory: /usr/local/etc/dovecot-acls
May 10 15:46:58 gribble dovecot: IMAP(mcdouga9): acl vfile: reading file /egr/mail/shared-dovecot2/decs/.support.In/dovecot-acl
# ls -ld .support.In
drwxrws--- 5 postlocal decsall 4096 May 9 12:55 .support.In
# ls -ld .support.In/cur
drwxrwxr-x 2 postlocal decsstaff 8192 Apr 24 12:47 .support.In/cur
# ls -ld .support.In/cur/1177428192.M918738P11081.zee
-rw-rw-r-- 1 postlocal decsstaff 2904 Apr 24 11:23 .support.In/cur/1177428192.M918738P11081.zee
mcdouga9 is in decsstaff, which has full write permission to the directory
and file.
I have inside that dovecot-acl:
user=mcdouga9 rl
group-override=wheel
I tried just user=mcdouga9 rl first, no effect, added group-override=wheel
(mcdouga9 is a member of wheel) and restarted thunderbird, still seem to have
full access to the mailbox. Argh.
On Tue, May 08, 2007 at 02:36:24PM -0400, Matt Zukowski wrote:
> The shared mailbox and all its files and subdirectories are owned by the
> 'dovecot' user and by the 'domain users' group that all users belong to. The
> ACL restrictions cause a reduction (i.e. more fine-grained constraint) in
> privileges. In other words, at the system-file level, everyone can read the
> directory/files, but at the ACL level, only members of some particular list
> of groups should be able to read them.
> And as I said, the user=<username> constraint seems to work fine, but
> group=<groupname> does not. It looks like the group=<groupname> constraint
> just never matches anyone. So I might have group=admins and "joeblow" is in
> group admins, but Dovecot thinks that he isn't.
> Adam McDougall wrote:
> > What are the directory and file permissions of your shared folder,
> > and do your <permissions> cause an increase or reduction of permissions
> > compared to the dir and file permissions, or some of both?
> > On Mon, May 07, 2007 at 02:47:40PM -0400, Matt Zukowski wrote:
> >
> > > I would just add to this that simply putting a dovecot-acl file in a
> > > shared folder with "user=<username> <permissions>" does work just fine
> > > for us (without the complicated setup described below). Our problem is
> > > that group-based restrictions don't work at all (i.e. "group=<groupname>
> > > <permissions>", as described in the manual).
> > > I'm also trying to figure out what the force-group ACL identifier is
> > > supposed to mean.
> > > .... I gotta stop hitting "reply" for this list. I keep accidentally
> > > sending messages to the original authors rather than to the mailing list
> > > :)
>
This e-mail message is privileged, confidential and subject to copyright.
Any unauthorized use or disclosure is prohibited. [The same notice in French:]
The content of this e-mail is privileged, confidential and subject to
copyright. Using or disclosing it without authorization is prohibited.
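The thread asks what a rights string like "rl" in dovecot-acl actually restricts at the client. The script below is an added illustration written for this archive page; it is not code from the thread or from Dovecot. It parses entries in the identifier/rights form the thread quotes (user=, group=, group-override=, plus authenticated and anyone), maps each right letter to the IMAP operations it gates using the RFC 4314 alphabet that Dovecot's ACL plugin uses, and lists which client commands would be refused. Two points are assumptions, not documented Dovecot behaviour: the effective-rights merge is a plain union of every matching entry (Dovecot's own precedence between user= and group lines is not reproduced), and the "owner" identifier is skipped because it needs mailbox-owner knowledge the parser does not have. The sample ACL contents and group memberships are taken from the thread.

```python
"""Parse a dovecot-acl file and show what a rights string lets an IMAP client do.

Added illustration for this thread, not Dovecot's own code.
Assumptions (labelled): right letters and their IMAP meaning follow RFC 4314,
the alphabet Dovecot's ACL plugin uses; effective_rights() merges matching
entries by plain union, a simplification for illustration and not a
reproduction of Dovecot's precedence logic; the 'owner' identifier is skipped.
"""
from typing import Dict, List, Set, Tuple

# RFC 4314 rights, in the order the RFC lists them.
RIGHT_ORDER = "lrswipkxtea"
RIGHT_NAMES: Dict[str, str] = {
    "l": "lookup: mailbox shows up in LIST/LSUB",
    "r": "read: SELECT/EXAMINE, FETCH, COPY out of the mailbox",
    "s": "seen: STORE may set/clear \\Seen",
    "w": "write: STORE may set/clear flags other than \\Seen and \\Deleted",
    "i": "insert: APPEND, COPY into the mailbox",
    "p": "post: mail may be delivered into the mailbox",
    "k": "create: child mailboxes may be created",
    "x": "delete: the mailbox itself may be deleted",
    "t": "deleted: STORE may set/clear \\Deleted",
    "e": "expunge: EXPUNGE and CLOSE may remove messages",
    "a": "admin: SETACL/DELETEACL",
}

# The single right each client action needs (RFC 4314, section 4).
COMMAND_RIGHTS: Dict[str, str] = {
    "LIST": "l",
    "SELECT": "r",
    "FETCH": "r",
    "STORE \\Seen": "s",
    "STORE \\Flagged": "w",
    "STORE \\Deleted": "t",
    "APPEND": "i",
    "COPY into": "i",
    "EXPUNGE": "e",
    "CREATE child": "k",
    "DELETE mailbox": "x",
    "SETACL": "a",
}


def parse_acl(text: str) -> List[Tuple[str, str]]:
    """Return (identifier, rights) pairs.  An identifier with no rights, like
    the 'group-override=wheel' line quoted in the thread, yields ''."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        ident, rights = fields[0], "".join(fields[1:])
        bad = set(rights) - set(RIGHT_ORDER)
        if bad:
            raise ValueError(f"unknown right(s) {sorted(bad)} in line {line!r}")
        entries.append((ident, rights))
    return entries


def entry_matches(ident: str, user: str, groups: Set[str]) -> bool:
    """Identifier forms from dovecot-acl: user=, group=, group-override=,
    authenticated, anyone.  'owner' is skipped (assumption, see docstring)."""
    kind, _, name = ident.partition("=")
    if kind == "user":
        return name == user
    if kind in ("group", "group-override"):
        return name in groups
    return ident in ("authenticated", "anyone")


def effective_rights(acl_text: str, user: str, groups: Set[str]) -> str:
    """Union of all matching entries (illustrative merge rule, see module
    docstring), returned in RFC 4314 order."""
    granted: Set[str] = set()
    for ident, rights in parse_acl(acl_text):
        if entry_matches(ident, user, groups):
            granted.update(rights)
    return "".join(r for r in RIGHT_ORDER if r in granted)


def allowed_commands(rights: str) -> List[str]:
    return [cmd for cmd, need in COMMAND_RIGHTS.items() if need in rights]


def denied_commands(rights: str) -> List[str]:
    """Client actions the server would answer with NO under these rights."""
    return [cmd for cmd, need in COMMAND_RIGHTS.items() if need not in rights]


# Constructed input: the dovecot-acl contents and memberships quoted in the thread.
SAMPLE_ACL = "user=mcdouga9 rl\ngroup-override=wheel\n"
SAMPLE_GROUPS = {"decsstaff", "wheel"}

if __name__ == "__main__":
    rights = effective_rights(SAMPLE_ACL, "mcdouga9", SAMPLE_GROUPS)
    print("effective rights:", rights)
    for r in rights:
        print("  ", r, RIGHT_NAMES[r])
    print("allowed:", ", ".join(allowed_commands(rights)))
    print("denied :", ", ".join(denied_commands(rights)))
```

With the thread's file, the effective rights under this merge are "lr": LIST, SELECT and FETCH are permitted, while STORE (including \Seen and \Deleted), APPEND, COPY into the folder, EXPUNGE, CREATE, DELETE and SETACL would be refused. That is the visible behaviour to compare against when checking whether the ACL plugin is enforcing anything at all: filesystem write permission on cur/ does not matter once the plugin denies the IMAP operation, and a client that can still flag or delete messages under "rl" shows the ACL is not being applied.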