[Dovecot] shared mailboxes and indexes

Sven Hartge sven at svenhartge.de
Fri Nov 23 17:53:01 EET 2012 

Timo Sirainen <tss at iki.fi> wrote:
> On 23.11.2012, at 13.27, Alessio Cecchi wrote:
>> Il 23/11/2012 08:07, Timo Sirainen ha scritto:

>>> BTW. Do you have multiple Dovecot backend servers? Director works
>>> only when you're not using shared mailboxes.. 
 
>> I'm not happy to hear that, so if today we are running one dovecot
>> server with shared mailbox enabled and tomorrow we will switch to a
>> more complex installation with Director we will be unable to still
>> provide shared mailbox to our customers?

> You can't reliably do it if the mailboxes are accessed directly via
> NFS. The current idea to solve this is to use imapc backend with
> master users, so the actual mailbox access for each user is always
> done by only one server. I think someone already managed to configure
> such a setup.

This was me.

It works (with one minor quirk, more on this later) in my current test
setup like so:

a) 1 to X user-servers with the users mailboxes on them
b) 1 shared-server with the shared mailboxes on them

On the user-servers I have namespace like this:

namespace {
  list = yes
  location = imapc:~/imapc-shared
  prefix = IMAPShared/
  separator = /
  subscriptions = no
  type = public
}

and a userdb like this:

userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  default_fields = uid=virtmail gid=virtmail home=/srv/mail/%2MLn/%Ln/ imapc_password=%w quota_rule2=Trash:ignore
  driver = ldap
}

Note the "imapc_password=%w" in the default_fields. This is needed to
pass the users login-password to the shared-server.

The imapc proxy code is configured like this:

imapc_host = m-st-sh-01.example.com
imapc_master_user = %u
imapc_user = shared

This uses the original user as the master-user and a fixed user with the
original users password to login into the shared-server.

Note: You CANNOT have ACLs activated on the users-servers, because this
will interfere with the permissions of ht IMAPShared namespace,
rendering the mailboxes located in there unavailable for your users.

The shared-storage then uses a static passdb for the user "shared":

passdb {
  args = user=shared password=complicatedpasswordhere
  driver = static
}

and a static userdb for the virtual-user:

userdb {
  args = uid=virtmail gid=virtmail home=/srv/mail/%Ln
  driver = static
}

and additional a passdb for the "master" users:

passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
  master = yes
  pass = yes
}

which are pulled from LDAP, just like on the user-servers.

Now the mentioned quirk: Because all connections on the shared-server
are made to the same user "shared" and are coming from very few IPs
(the 1 to X user-servers), you need to set a very high
mail_max_userip_connections value.

I set mine to 1000 just to be sure.

---> But: I have NOT configured login_trusted_networks, so this may be
my error in that case.

And, a second quirk: You can only offer admin-provided shared folders,
your users CANNOT share folders themselves, because there is quite some
manual work involved in creating and setting them up on the central
shared-server.

For example: To provide a Mailbox with the Name "Test.3" in IMAPShared I
need the following directory structure on m-st-sh-01.example.com:

/srv/mail/shared/mdbox/mailboxes/Test.3/

In .../Test.3/ there is the dbox-Mails folder with the indexes and other
meta information. The admin needs to create the dovecot-acl file to
configure the access permissions:

root at m-st-sh-01:/srv/mail/shared/mdbox/mailboxes/Test.3/dbox-Mails# cat dovecot-acl 
user=gbgr14 lrwstipek
user=bbgr99 lrwstipek

The users are then able to see those folders as IMAPShared/Test.3/,
subscriptions are managed inside the users own subscription file on
their respective "home" server, while flages and tags are shared.

Grüße,
Sven.

-- 
Sigmentation fault. Core dumped.

More information about the dovecot mailing list