Shared mailboxes setups and dictionaries

Matej Tyc matej.tyc at gmail.com
Tue Sep 15 20:07:27 EEST 2020


On 14. 09. 20 22:46, Daniel Miller wrote:
> On 9/14/2020 1:19 PM, Matej Tyc wrote:
>> ...
>>
>> When learning about how ACL work in e.g. 
>> https://doc.dovecot.org/settings/plugin/acl/ - when one wishes to use 
>> the Global ACL file, how does one link it to a particular user's 
>> mailboxes? Examples that are listed in the documentation are far too 
>> generic. For example does "* user=foo lrw" imply that all mailboxes 
>> of all accounts are shared to the user foo? The doveadm command works 
>> only if dovecot is set up with per-mailbox ACL files, so I can't use 
>> it to reverse-engineer the correct syntax.
>>
>
> The global ACLs are...global. They apply to all matching mailboxes 
> system-wide. So to answer your question, yes "* user=foo lrw" means 
> all mailboxes of all accounts are shared to the user foo. But...

Great, what about the format itself? Is it 
<namespace>/<account>/<mailbox>? The documentation brings up, i.e. 
/john@example.com/* shares all mailboxes of John from the example.com 
domain? Or have I overlooked a documentation page where the syntax is 
introduced?

>> ...
>
> The ACLs grant/deny access to a specific mailbox - when that mailbox 
> is known to the client. But ACLs are never scanned or iterated over to 
> generate a list of available mailboxes - that's where the dictionary 
> comes in. The dictionary is a list of shared mailboxes - but that's 
> all it is. So when a client queries the server for a list of available 
> mailboxes the dictionary is consulted. The ACLs are then applied for 
> each transaction whenever a client tries to read/write/access/whatever 
> a specific mailbox. So theoretically, if you can manually specify the 
> shared mailbox correctly, no dictionary is required for access.

Thanks, that's a great explanation!

>> Next what https://wiki.dovecot.org/SharedMailboxes/Shared and 
>> https://wiki.dovecot.org/Dictionary describe is a possibility to 
>> reference LDAP data to define an ACL dictionary. Do I understand it 
>> correctly that if a LDAP database is the single source of truth, then 
>> I don't have to worry about updating dictionaries as long as LDAP 
>> itself is up-to-date, but I have to keep ACLs and LDAP in sync 
>> manually (or using an application)?
> Again, a dictionary is a list of shared mailboxes - not ACLs. You can 
> use any dictionary source Dovecot can read from - but if the 
> dictionary also supports writing then any manipulation of ACLs will 
> automatically update the dictionary.
>
> What the above implies, and I will now state explicitly, is that while 
> global ACLs provide *access* they do not *publish* that access. A 
> dictionary must be manually updated to list those mailboxes.

What I understand is that ACLs are purely filesystem-based, i.e. no LDAP 
backend, and one has to sync LDAP to respective ACLs "manually".

If I follow what you have said, one could have an equal result with a 
database, syncing ACLs "manually" from LDAP, and doveadm will make sure 
that the database backend will be up-to-date.

>
> -- 
> Daniel
>
Thank you very much for your explanations, I will propose a 
documentation PR once I figure out all of the missing bits.
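
As an added illustration (not code from this thread or from Dovecot itself), here is a small Python model of the distinction Daniel draws: the global ACL file decides what a user may do with a mailbox the client already names, while only the shared-mailbox dictionary decides what a LIST shows. Everything except the quoted "* user=foo lrw" line is constructed, and the merge-all-matching-entries rule is a simplification, not Dovecot's exact ACL semantics.

```python
import fnmatch

# Constructed sample in the global ACL file format
# "<mailbox pattern> <identifier> <rights>".  Only the "* user=foo lrw"
# line comes from the thread; the other two lines are made up.
GLOBAL_ACL = """\
* user=foo lrw
Projects/* user=bob lr
Private owner lrw
"""

# Constructed stand-in for the shared dictionary: (owner, mailbox, user)
# triples that have been *published*.  Note that foo appears nowhere here.
SHARED_DICT = {("john", "Projects/Q3", "bob")}


def parse_global_acl(text):
    """Parse global ACL lines into (mailbox pattern, identifier, rights) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, ident, rights = line.split()
        entries.append((pattern, ident, set(rights)))
    return entries


def rights_for(entries, owner, mailbox, user):
    """Simplified model: union of rights from every entry whose pattern matches
    the mailbox and whose identifier names this user ('owner' for the owner)."""
    granted = set()
    for pattern, ident, rights in entries:
        if not fnmatch.fnmatchcase(mailbox, pattern):
            continue
        if ident == f"user={user}" or (ident == "owner" and user == owner):
            granted |= rights
    return granted


def can_read(entries, owner, mailbox, user):
    """Access check for a mailbox the client names explicitly: needs 'r'."""
    return "r" in rights_for(entries, owner, mailbox, user)


def list_shared(shared_dict, user):
    """LIST consults only the dictionary, so unpublished ACL grants never
    show up: foo sees nothing here despite "* user=foo lrw"."""
    return sorted((owner, mbox) for owner, mbox, u in shared_dict if u == user)


def share(entries, shared_dict, owner, mailbox, user, rights):
    """Model of setting a per-mailbox ACL with a *writable* dictionary: the
    grant and the dictionary entry are updated in one step, so LIST sees it."""
    entries.append((mailbox, f"user={user}", set(rights)))
    shared_dict.add((owner, mailbox, user))
```

Running `can_read` and `list_shared` for user foo side by side reproduces the point in the thread: access everywhere, nothing published.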