[Dovecot] ACLs - what's the state of play?

Mike Brudenell pmb1 at york.ac.uk
Wed Feb 13 16:18:49 EET 2008


Greetings -

Could someone help me understand what the latest situation is with  
regard to ACLs and sharing mailboxes, please?

Currently we are using Dovecot 1.0.x but will be moving to 1.1 when it  
comes out of Beta (and hopefully I'll get some time before too long to  
try building a test setup to play with).  So I'm happy to talk only  
about ACLs and sharing mailboxes in 1.1...

We are using Maildir storage format, and separate areas for each of  
the Control and Index files.  We are using real system users with  
filestore quotas.  Currently each user's files and directories are  
owned by their own uid and gid (but we can change this if need be),  
and are set to disallow filestore-level access to "group" or  
"others" (but we can change this too if need be).

We need to know (quite urgently) if the following is/will be possible  
with 1.1:

   *  Can person A have some (a subset) of their folders accessible by others?
      If so, can this be Read-Only?  Can it be Read-Write?

   *  Can person A have all of their currently existing folders accessible
      by others, along with any folders they create in the future?

   *  Is there support for the IMAP ACL extension, enabling users to set
      and manage access rights themselves from their mail client?

   *  If system username "abc1" has made their top-level folder "Project"
      accessible by system username "def2", how does def2 actually specify
      the folder in order to open it?

I have rummaged through the archives and Wiki but mostly these still  
talk about the magical "dovecot-shared" and "dovecot-acl" files, and  
how these need to be created/maintained by the system administrator.

What we're hoping for is the Holy Grail of:

    *  a Manager wanting to give their Secretary read-write (or in some cases
       read-only) access to some or all of their folders;

    *  a Project Team wanting to access a common set of mail folders;

    *  etc.

Under the old UW IMAP server you would authenticate as yourself, then  
specify someone else's folder with something like (the memory is hazy  
on this now):
     ~abc1/Project

In the Dovecot Wiki I read a lot about namespaces and so on, but can't  
seem to piece together in my mind what these actually *look* like to  
the end-user wanting to access someone else's shared mailbox.  Nor  
what can be done by the end-users, and what has to be done by the  
system administrator.

Can anyone offer me advice, please?

With many thanks,
Mike B-)

-- 
The Computing Service, University of York, Heslington, York Yo10 5DD, UK
Tel:+44-1904-433811  FAX:+44-1904-433740

* Unsolicited commercial e-mail is NOT welcome at this e-mail address. *
