[Dovecot] restricting shared folders access

Timo Sirainen tss at iki.fi
Thu Aug 14 23:20:02 EEST 2008


On Aug 14, 2008, at 7:06 AM, Andrew Von Cid wrote:

>> Either that or use a different UID for all users (or the staff  
>> users). With ACLs you could create dovecot-acl file with either:
>>
>> a) Listing all the users who have access to it and their permissions
>> b) List staff group's access, and have your userdb return  
>> acl_groups=staff extra field for the staff users. This will work  
>> only with v1.1.
>
> I'm running 1.0.10 so I tried option 'a' using global ACLs.   
> However, I have a number of problems:
>
> I'm unable to grant permissions on the whole namespace, only per  
> folder.  Is this normal?
>
> Is it possible to grant permissions to a folder and all of its
> subfolders?  I gave a user the permission to create subfolders of a  
> folder, but it looks like I need to create a new ACL for every  
> subfolder created, otherwise it won't be visible.

Currently there's no way to set up recursive/default permissions. Yes,  
they would be nice.

> When I enabled the ACL plugin my other public namespace became  
> inaccessible.  When I try to access any of its folders with
> Thunderbird I get "Mailbox doesn't exist" error.  Is it possible to  
> allow access by default unless there is an ACL that says otherwise?

Not without making the namespace private. The only real difference
there is that the IMAP NAMESPACE command reports the namespace as
private instead of public, but few clients support NAMESPACE so it
probably doesn't really matter.

> The basic thing that I'm trying to do is to have two namespaces.   
> One public, shared between all users with read-write permission.   
> And the other accessible only to a small group of staff users.  In  
> both cases users need to be able to create and access any subfolders  
> without my intervention.   If I change the UID of the staff users  
> then they won't be able to access the public namespace, so this  
> isn't great either.  Is there any way I can get this working with  
> dovecot?

Dovecot's shared mailbox support is unfortunately pretty bad currently.