Shared mailboxes setups and dictionaries

Daniel Miller dmiller at amfes.com
Mon Sep 14 23:46:31 EEST 2020


On 9/14/2020 1:19 PM, Matej Tyc wrote:
> Hello,
> 
> I am relatively new to the world of MTAs and MDAs, and I try to set up 
> shared mailboxes.
> 
> So far I have somehow succeeded - I have defined a shared namespace and 
> I have managed to create per-mailbox ACL files thanks to the doveadm 
> command.
> 
> However, I have been following these resources and there were bits that 
> have puzzled me:
> 
> When learning about how ACL work in e.g. 
> https://doc.dovecot.org/settings/plugin/acl/ - when one wishes to use 
> the Global ACL file, how does one link it to a particular user's 
> mailboxes? Examples that are listed in the documentation are far too 
> generic. For example does "* user=foo lrw" imply that all mailboxes of 
> all accounts are shared to the user foo? The doveadm command works only 
> if dovecot is set up with per-mailbox ACL files, so I can't use it to 
> reverse-engineer the correct syntax.
> 

The global ACLs are...global. They apply to all matching mailboxes 
system-wide. So to answer your question, yes "* user=foo lrw" means all 
mailboxes of all accounts are shared to the user foo. But...

> An interesting aspect to ACLs are dictionaries. I understood it as some 
> kind of cache - if there is no dictionary or it is empty, then shared 
> mailboxes don't work. Conversely, dictionary itself is not enough, one 
> needs actual ACLs set up correctly. Is this a correct understanding?

The ACLs grant/deny access to a specific mailbox - when that mailbox is 
known to the client. But ACLs are never scanned or iterated over to 
generate a list of available mailboxes - that's where the dictionary 
comes in. The dictionary is a list of shared mailboxes - but that's all 
it is. So when a client queries the server for a list of available 
mailboxes the dictionary is consulted. The ACLs are then applied for 
each transaction whenever a client tries to read/write/access/whatever a 
specific mailbox. So theoretically, if you can manually specify the 
shared mailbox correctly, no dictionary is required for access.

> 
> Next what https://wiki.dovecot.org/SharedMailboxes/Shared and 
> https://wiki.dovecot.org/Dictionary describe is a possibility to 
> reference LDAP data to define an ACL dictionary. Do I understand it 
> correctly that if a LDAP database is the single source of truth, then I 
> don't have to worry about updating dictionaries as long as LDAP itself 
> is up-to-date, but I have to keep ACLs and LDAP in sync manually (or 
> using an application)?

Again, a dictionary is a list of shared mailboxes - not ACLs. You can 
use any dictionary source Dovecot can read from - but if the dictionary 
also supports writing then any manipulation of ACLs will automatically 
update the dictionary.

What the above implies, and I will now state explicitly, is that while 
global ACLs provide *access* they do not *publish* that access. A 
dictionary must be manually updated to list those mailboxes.

--
Daniel
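The access/publish split described in the reply, modelled as an added example (this is not code from the Dovecot project nor from either poster). It re-implements, in simplified form, matching of a global ACL file line such as "* user=foo lrw" against a user and mailbox, and the acl_shared_dict keys (shared/shared-boxes/user/<to>/<from> and shared/shared-boxes/anyone/<from>) that decide what LIST shows under the shared namespace. Assumed, not taken from the page: the mailbox pattern is treated as a glob with "*" and "?", rights of all matching entries are merged and then entries whose identifier carries a leading "-" are subtracted; real Dovecot precedence between owner/user/group/anyone entries is finer than this. The sample ACL text and user names are constructed.

```python
"""Model of how a Dovecot global ACL file and acl_shared_dict interact.

Added example, not code from the Dovecot project or from the list post.
It separates the two mechanisms the reply describes:

  1. the global ACL file (acl = vfile:/etc/dovecot/dovecot-acl), whose lines
     are "<mailbox pattern> <identifier> <rights>" and decide ACCESS;
  2. the acl_shared_dict entries (keys shared/shared-boxes/user/<to>/<from>
     and shared/shared-boxes/anyone/<from>) that decide what is PUBLISHED
     to the client's LIST of the shared namespace.

Assumptions (not stated on the page): the mailbox pattern is a glob with
'*' and '?'; rights of all matching entries are merged, then entries whose
identifier starts with '-' are subtracted.  Real Dovecot precedence is finer.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

Entry = Tuple[str, str, str]  # (mailbox pattern, identifier, rights letters)


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Glob-style mailbox pattern: '*' matches any run, '?' one character."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def parse_global_acl(text: str) -> List[Entry]:
    """Parse the three-column global ACL file; '#' starts a comment."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed global ACL line: {raw!r}")
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def identifier_matches(ident: str, user: str, groups: Iterable[str], owner: str) -> bool:
    """Does an ACL identifier apply to `user` accessing a mailbox owned by `owner`?"""
    if ident in ("anyone", "authenticated"):
        return True  # anonymous logins are outside this model
    if ident == "owner":
        return user == owner
    if ident.startswith("user="):
        return ident[len("user="):] == user
    if ident.startswith(("group=", "group-override=")):
        return ident.split("=", 1)[1] in set(groups)
    return False


def rights_for(entries: Iterable[Entry], user: str, groups: Iterable[str],
               owner: str, mailbox: str) -> Set[str]:
    """ACCESS: rights `user` holds on `owner`'s `mailbox` under the global ACL."""
    granted: Set[str] = set()
    removed: Set[str] = set()
    groups = list(groups)
    for pattern, ident, letters in entries:
        if not pattern_to_regex(pattern).match(mailbox):
            continue
        negative = ident.startswith("-")  # assumed '-' prefix = remove rights
        if not identifier_matches(ident.lstrip("-"), user, groups, owner):
            continue
        (removed if negative else granted).update(letters)
    return granted - removed


def dict_key(to_user: str, from_user: str) -> str:
    """Key acl_shared_dict uses to record that from_user shares with to_user."""
    return f"shared/shared-boxes/user/{to_user}/{from_user}"


def publish(shared_dict: Dict[str, str], to_user: str, from_user: str) -> None:
    """Side effect of setting a per-mailbox ACL when the dict is writable."""
    shared_dict[dict_key(to_user, from_user)] = "1"


def shared_namespace_users(shared_dict: Dict[str, str], user: str) -> List[str]:
    """PUBLISHING: owners whose mailboxes LIST shows under `user`'s shared namespace."""
    mine = f"shared/shared-boxes/user/{user}/"
    everyone = "shared/shared-boxes/anyone/"
    owners = set()
    for key, value in shared_dict.items():
        if value != "1":
            continue
        if key.startswith(mine):
            owners.add(key[len(mine):])
        elif key.startswith(everyone):
            owners.add(key[len(everyone):])
    return sorted(owners)


# Constructed sample mirroring the line asked about in the thread.
GLOBAL_ACL = """
# grant foo lookup/read/write-flags on every mailbox of every account
* user=foo lrw
# but never let foo into anyone's Drafts
Drafts -user=foo lrw
"""

if __name__ == "__main__":
    acl = parse_global_acl(GLOBAL_ACL)
    print("foo on alice/INBOX:", sorted(rights_for(acl, "foo", [], "alice", "INBOX")))
    print("foo on alice/Drafts:", sorted(rights_for(acl, "foo", [], "alice", "Drafts")))
    d: Dict[str, str] = {}
    print("LIST before publish:", shared_namespace_users(d, "foo"))  # access, nothing listed
    publish(d, "foo", "alice")
    print("LIST after publish:", shared_namespace_users(d, "foo"))
```

The point the model makes concrete: with only the global line, rights_for() returns lrw for foo on every owner's mailbox, yet shared_namespace_users() returns an empty list until something writes the dict entry, which is what the reply means by "global ACLs provide access but do not publish it". Only the ACL check is needed for a client that names the shared mailbox itself.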