[Dovecot] disabling mail delivery for a user

[Frank Cusack]

On February 2, 2010 10:54:10 PM +0200 Timo Sirainen <tss at iki.fi> wrote:
> Oh, right. LDA only looks up userdb.

So when I access these disabled user's maildirs from another user's login,
how is imap finding them?  Simply by virtue of the acl_shared_dict and
mail_location setting?  Because moving them to my passwd.deny removes
the user from the single userdb, my passwd file.  imap still knows them
through the passdb (passdb.deny), but not the userdb.

Yep, that seems to be the case.  The target (disabled) user need not exist
in the userdb at all and dovecot/imap can still find their shared maildir.
That's interesting.  It seems it could lead to confusion and perhaps this
is not desirable?  Because what if my userdb overrides the mail_location
via proxy or load-balancing hash?  imap wouldn't be able to find the
correct maildir.

Also at first glance I would think that this means additional security
is needed for a distributed (SQL or otherwise) acl_shared_dict but in
addition to being in the acl_shared_dict, the dovecot-acl must grant
permission to the sharing user, so I think it's ok.  (And of course you
need good controls on a distributed acl_shared_dict anyway.)

In summary I would suggest that access to shared namespaces need to
include a userdb lookup to find the user's mail location, which doesn't
seem to be happening now, or at least it seems to be defaulting to
the global mail_location setting if the user is not found -- I suggest
a failed (not found) userdb lookup should invalidate the shared mailbox.

-frank