Shared mailboxes setups and dictionaries

Daniel Miller dmiller at amfes.com
Wed Sep 16 02:52:02 EEST 2020


On 9/15/2020 10:07 AM, Matej Tyc wrote:
> On 14. 09. 20 22:46, Daniel Miller wrote:
>> On 9/14/2020 1:19 PM, Matej Tyc wrote:
>>> ...
>>>
>>> When learning about how ACL work in e.g. 
>>> [...] so I can't use 
>>> it to reverse-engineer the correct syntax.
>>>
>>
>> The global ACLs are...global. They apply to all matching mailboxes 
>> system-wide. So to answer your question, yes "* user=foo lrw" means 
>> all mailboxes of all accounts are shared to the user foo. But...
> 
> Great, what about the format itself? Is it 
> <namespace>/<account>/<mailbox>? The documentation brings up, i.e. 
> /john at example.com/* shares all mailboxes of John from the example.com 
> domain? Or have I overlooked a documentation page where the syntax is 
> introduced?

No. You need to read the docs again:
    https://doc.dovecot.org/settings/plugin/acl/

Global ACLs live in their own little space - either filesystem based or 
file based. You specify who is *granted* global access - and the level 
of that global access applies system-wide. So if you grant 
"john at example.com" global read/write access to all Inboxes - John will 
be able to access every Inbox of every user (however, he might not know 
that a given inbox exists - without explicit configuration or explicit 
sharing which updates the dictionary).

>>> Next what https://wiki.dovecot.org/SharedMailboxes/Shared and 
>>> https://wiki.dovecot.org/Dictionary describe is a possibility to 
>>> reference LDAP data to define an ACL dictionary. Do I understand it 
>>> correctly that if a LDAP database is the single source of truth, then 
>>> I don't have to worry about updating dictionaries as long as LDAP 
>>> itself is up-to-date, but I have to keep ACLs and LDAP in sync 
>>> manually (or using an application)?
>> Again, a dictionary is a list of shared mailboxes - not ACLs. You can 
>> use any dictionary source Dovecot can read from - but if the 
>> dictionary also supports writing then any manipulation of ACLs will 
>> automatically update the dictionary.
>>
>> What the above implies, and I will now state explicitly, is that while 
>> global ACLs provide *access* they do not *publish* that access. A 
>> dictionary must be manually updated to list those mailboxes.
> 
> What I understand is that ACLs are purely filesystem-based, i.e. no LDAP 
> backend, and one has to sync LDAP to respective ACLs "manually".
> 
> If I follow what you have said, one could have an equal result with a 
> database, syncing ACLs "manually" from LDAP, and doveadm will make sure 
> that the database backend will be up-to-date.

First, I provide the disclaimer that I don't use LDAP. I had it years 
ago and I'm quite happy to leave it behind. So I can't give you current 
LDAP/Dovecot experience. However, a quick read of the page you reference 
shows LDAP is read-only. Which means while you could theoretically use 
LDAP for a global ACL source - trying to use it for per-user shares 
would require quite a bit of manual effort for every change. I believe 
the technical term for such a setup is "masochistic".

I totally understand the desire to have a single database for general 
config purposes - however I think you're trying to use a power drill as 
a hammer. Leave your authentication database, i.e. LDAP, alone and let 
your mail server do its thing. Consider the mail store an entity as a 
whole - not just the messages, but the format, the folder structure, and 
the ACLs as a "black box" and I think you'll save yourself a lot of 
frustration. Dovecot (in my own uninformed opinion) is designed to be 
(mostly) autonomous and file-based - any database support is just for 
user/passwords and leave it at that.

If you want per-user shares just use the example at the top of the wiki 
page. From my own config:

plugin {
	acl = vfile
	acl_shared_dict = file:/var/mail/%d/shared-mailboxes
}

based on a mail_location of "sdbox:/var/mail/%d/%n/sdbox".

--
Daniel
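Added example, not part of this thread or of Dovecot itself: a small Python audit script for the global ACL file discussed above (acl = vfile:/etc/dovecot/dovecot-acl). It parses the documented line format "<mailbox pattern> <identifier> <rights>", flags entries such as "* user=foo lrw" that grant a third party rights on every mailbox of every account, and computes which rights a given user would reach on a given mailbox. The sample ACL content is constructed, the "/" hierarchy separator is assumed, and the rights-merging here is a deliberately simple union used for review purposes, not a reproduction of Dovecot's own resolution rules.

```python
"""Audit a Dovecot global ACL file for system-wide grants.

Added example (not from the mailing-list thread or the Dovecot project).
Assumes the documented global ACL line format:
    <mailbox pattern> <identifier> <rights>
with '*' matching across the hierarchy and '%' within one level.
The hierarchy separator is assumed to be '/'.  Rights merging is a simple
union over all matching entries, an assumption made for audit purposes.
"""
import re
from dataclasses import dataclass

# Right letters as documented for Dovecot ACLs, used only for readable output.
RIGHT_NAMES = {
    "l": "lookup", "r": "read", "w": "write-flags", "s": "write-seen",
    "t": "write-deleted", "i": "insert", "e": "expunge", "k": "create",
    "x": "delete", "a": "admin", "p": "post",
}

# Constructed sample file content (not from any real deployment).
SAMPLE_ACL = "\n".join([
    "# constructed sample: one grant per line",
    "* owner lrwstipekxa",
    "* user=foo lrw",                 # the case discussed in the thread
    "Public/* authenticated lr",
    "Public/Announce anyone lrp",
    "Archive/% group=auditors lr",
])


@dataclass(frozen=True)
class AclEntry:
    lineno: int
    pattern: str
    identifier: str
    rights: frozenset


def parse_global_acl(text):
    """Parse ACL lines; a missing rights field means 'no rights'."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected '<mailbox> <identifier> [rights]'")
        rights = frozenset(fields[2]) if len(fields) > 2 else frozenset()
        entries.append(AclEntry(lineno, fields[0], fields[1], rights))
    return entries


def pattern_to_regex(pattern, sep="/"):
    """Translate the IMAP-style wildcards into an anchored regex."""
    out = ""
    for ch in pattern:
        if ch == "*":
            out += ".*"
        elif ch == "%":
            out += f"[^{re.escape(sep)}]*"
        else:
            out += re.escape(ch)
    return re.compile(out + r"\Z")


def identifier_applies(identifier, user, groups):
    """Does this identifier cover a non-anonymous, non-owner login?"""
    if identifier in ("anyone", "authenticated"):
        return True
    if identifier.startswith("user="):
        return identifier[len("user="):] == user
    if identifier.startswith(("group=", "group-override=")):
        return identifier.split("=", 1)[1] in groups
    return False  # 'owner' is the mailbox owner, not a third party


def effective_rights(entries, mailbox, user, groups=()):
    """Union of rights from every entry matching mailbox and user (assumption)."""
    rights = set()
    for e in entries:
        if pattern_to_regex(e.pattern).match(mailbox) and \
                identifier_applies(e.identifier, user, groups):
            rights |= e.rights
    return rights


def describe(rights):
    return ", ".join(RIGHT_NAMES.get(r, r) for r in sorted(rights)) or "no rights"


def audit(entries):
    """Return (lineno, reason) pairs for grants worth a second look."""
    findings = []
    for e in entries:
        if e.identifier == "owner":
            continue
        if e.pattern == "*":
            findings.append((e.lineno, f"'{e.identifier}' gets {describe(e.rights)} "
                                       "on every mailbox of every account"))
        if e.identifier in ("anyone", "authenticated"):
            findings.append((e.lineno, f"audience '{e.identifier}' on '{e.pattern}'"))
        if "a" in e.rights:
            findings.append((e.lineno, f"admin right delegated to '{e.identifier}'"))
    return findings


if __name__ == "__main__":
    parsed = parse_global_acl(SAMPLE_ACL)
    for lineno, reason in audit(parsed):
        print(f"line {lineno}: {reason}")
    print("foo on INBOX:", describe(effective_rights(parsed, "INBOX", "foo")))
```

Run against a real file by replacing SAMPLE_ACL with the file's contents; every finding points at the line number in that file. Note that a finding only says the right is granted; as Daniel explains, nothing here tells you whether the share is also published in the acl_shared_dict, which is a separate check.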