Shared Mailboxes in Dovecot Cluster & director configuration

Vincent Brillault vincent.brillault at cern.ch
Tue Jun 8 14:46:20 EEST 2021


Hi!

I've been trying to set a shared namespace on a test dovecot cluster and
I've had some weird issues. I'm not sure if this is a feature or a bug,
so please advise.

As some features (like acl_ignore_namespace) are only in the upcoming
2.3.15, after some initial debugging, I've updated the system I'm using
to the master branches (df1b4b8750fdb87d38ac9accb8a1dea02ac3ce2e for
core and 7090e62564bcb7bff7efc89bd2a42b1d32d9e475 for pigeonhole), but
it didn't change the initial issues I was having.

I've been following
https://doc.dovecot.org/configuration_manual/shared_mailboxes/cluster_setup/
and linked documentations to set up the cluster. You'll find at the end
of the mail the parts of the configuration that seem to be relevant.

The issues I've had were with `You’ll need to setup master user
logins to work for all the users.` and `imapc_master_user` (for which
the bullet points recommend using `%{userdb:sharing_user}` but which is
then set to `%u` in the example).

For the sake of the tests, I'm using one director and one backend. On
this installation:
- user1 shared the folder 'Junk' with user2
- after logging in as user2, I run `a2 SELECT shared/user1/Junk`

Initially on the director, I had (excluding other, unrelated configuration):
```
# Connection back from backends for shared mailbox access
passdb {
  args = password=XXXX allow_nets=${IPs of backend}
  driver = static
  master = yes
  mechanisms = plain
  result_success = continue
}
```

However, this led to login failures on the director as the backend was
logging in directly as user1, without master user set!

After further debugging, I now have on the director:
```
# Connection back from backends for shared mailbox access
passdb {
  args = password=XXXX allow_nets=${IPs of backend}
  driver = static
  master = yes
  mechanisms = plain
  result_success = continue
}
passdb {
  args = password=XXXX allow_nets=${IPs of backend}
  driver = static
  mechanisms = plain
  result_success = continue
}
```

And this works! Looking at the log, it's not that my `imapc_master_user`
is not recognized, just that there are two imapc connections from the
backend to the frontend.
- The first one logs in as user1 directly, with no master user set:
  ```
  ${backend} dovecot[29900]: imap(user2)<29917><Mi/7WD/EgYi8uE1E>: Debug: imapc(${director}:993): Authenticating as user1
  ```
- The second connection logs in as expected, as user1 with user2 set as the
  master user:
  ```
  ${backend} dovecot[29900]: imap(user2)<29917><Mi/7WD/EgYi8uE1E>: Debug: imapc(${director}:993): Authenticating as user2 for user user1
  ```

Is it normal to have these two connections back to the director? From
the documentation, I would have only expected the 2nd one.


Going further, if I add a static part to imapc_master_user, like for
example `imapc_master_user = X%{userdb:sharing_user}`, the logged
authentications become:
```
${backend} dovecot: imap(user2)<31073><xu94pz/EqYi8uE1E>: Debug: imapc(${director}:993): Authenticating as X for user user1
[...]
${backend} dovecot: imap(user2)<31073><xu94pz/EqYi8uE1E>: Debug: imapc(${director}:993): Authenticating as Xuser2 for user user1
```

It looks to me like, for the first connection, imapc_master_user is
resolved in the wrong context, without `userdb:sharing_user` resolving
to anything?


Thanks in advance, let me know if you need more details.
Vincent Brillault


PS: configuration details (relevant parts of doveconf -n):
- Backend:
```
auth_master_user_separator = *
imapc_features = fetch-bodystructure fetch-headers rfc822.size search modseq
imapc_host = ${director}
imapc_master_user = %{userdb:sharing_user}

imapc_password = # hidden, use -P to show it
imapc_port = 993
imapc_sasl_mechanisms = plain
imapc_ssl = imaps
imapc_ssl_verify = no
mail_plugins = acl zlib virtual fts fts_solr
namespace {
  list = children
  location = imapc:~/shared/%%u
  prefix = shared/%%u/
  type = shared
}
namespace Virtual {
  hidden = yes
  list = no
  location = virtual:/etc/dovecot/virtual:INDEX=~/virtual
  prefix = Virtual/
  separator = /
  subscriptions = no
}
namespace inbox {
  inbox = yes
  location =
  mailbox "Deleted Items" {
    auto = subscribe
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox "Sent Items" {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Spam {
    auto = create
    special_use = \Junk
  }
  prefix =
}
passdb {
  args = password=#hidden_use-P_to_show# allow_nets=${IPs of director} userdb_namespace/shared/disabled=yes
  driver = static
  master = yes
}
passdb {
  args = password=#hidden_use-P_to_show# allow_nets=${IPs of director} userdb_sharing_user=%u
  driver = static
}
plugin {
  acl = vfile:/etc/dovecot/dovecot-acl
  acl_ignore_namespace = Virtual/
  acl_ignore_namespace2 = shared/*
  acl_shared_dict = file:/mail/sharing/shared-mailboxes
  [...]
}
```
- Director (final & working version):
```
auth_master_user_separator = *
auth_mechanisms = plain login xoauth2 oauthbearer gssapi
auth_socket_path = director-userdb
passdb {
  args = /etc/dovecot/passdb-masterusers.conf.ext
  driver = ldap
  master = yes
  mechanisms = plain login
  result_success = continue
}
passdb {
  args = password=#hidden_use-P_to_show# allow_nets=${IPs of backend}
  driver = static
  master = yes
  mechanisms = plain
  result_success = continue
}
passdb {
  args = password=#hidden_use-P_to_show# allow_nets=${IPs of backend}
  driver = static
  mechanisms = plain
  result_success = continue
}
passdb {
  args = /etc/dovecot/passdb-oauth2.conf.ext
  driver = oauth2
  mechanisms = xoauth2 oauthbearer
  result_failure = return-fail
  result_internalfail = return-fail
  result_success = continue
}
passdb {
  args = /etc/dovecot/passdb-cerndc.conf.ext
  driver = ldap
}
```
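To tell the two kinds of backend-to-director logins in the debug output above apart in a larger log, here is an added Python example; it is not part of the mail and not Dovecot's own code. It parses the `imapc(...): Authenticating as ...` debug lines and classifies each connection as a direct login (no master user at all), a master-user login with the expected master user, or a master-user login where the `imapc_master_user` template expanded to only its static part (the `X` case from the mail). The host names are made up, the session ids are copied from the quoted lines, and the `master_prefix` parameter (the static part put in front of `%{userdb:sharing_user}`) is an assumption of this example. Direct logins are the ones that only succeed because of the second, non-master static passdb on the director, so they are the rows worth looking at.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the shape of the debug messages quoted in the
# mail; the host names "backend01" and "director01" are made up.
SAMPLE_LOG = [
    "backend01 dovecot[29900]: imap(user2)<29917><Mi/7WD/EgYi8uE1E>: Debug: "
    "imapc(director01:993): Authenticating as user1",
    "backend01 dovecot[29900]: imap(user2)<29917><Mi/7WD/EgYi8uE1E>: Debug: "
    "imapc(director01:993): Authenticating as user2 for user user1",
    "backend01 dovecot: imap(user2)<31073><xu94pz/EqYi8uE1E>: Debug: "
    "imapc(director01:993): Authenticating as X for user user1",
    "backend01 dovecot: imap(user2)<31073><xu94pz/EqYi8uE1E>: Debug: "
    "imapc(director01:993): Authenticating as Xuser2 for user user1",
    "backend01 dovecot: imap(user2)<31073><xu94pz/EqYi8uE1E>: Debug: "
    "something unrelated",
]

# "Authenticating as <login>" optionally followed by " for user <target>";
# the "for user" form is the master-user login.
AUTH_RE = re.compile(
    r"imap\((?P<session_user>[^)]+)\)<\d+><[^>]+>: Debug: "
    r"imapc\((?P<director>[^)]+)\): Authenticating as (?P<login>\S+)"
    r"(?: for user (?P<master_for>\S+))?$"
)


@dataclass
class ImapcAuth:
    session_user: str            # user whose IMAP session opened the imapc connection
    director: str                # host:port the backend connected to
    login: str                   # username sent to the director
    master_for: Optional[str]    # target user when a master-user login is used


def parse_imapc_auth(line: str) -> Optional[ImapcAuth]:
    """Parse one debug line; return None for lines that are not imapc auth lines."""
    m = AUTH_RE.search(line)
    if m is None:
        return None
    return ImapcAuth(m["session_user"], m["director"], m["login"], m["master_for"])


def classify(auth: ImapcAuth, master_prefix: str = "") -> str:
    """Classify how the backend authenticated against the director.

    master_prefix is the static text placed before %{userdb:sharing_user}
    in imapc_master_user ("" for the plain setting, "X" for the variant
    tried in the mail).
    """
    if auth.master_for is None:
        return "direct"             # plain login as the target user, no master user
    expected = master_prefix + auth.session_user
    if auth.login == expected:
        return "master"             # sharing user acting as master user, as intended
    if auth.login == master_prefix:
        return "master-empty"       # %{userdb:sharing_user} expanded to nothing
    return "master-unexpected"      # some other master user name


def audit(lines, master_prefix: str = ""):
    """Return (session_user, kind, login, master_for) for every imapc auth line."""
    findings = []
    for line in lines:
        auth = parse_imapc_auth(line)
        if auth is None:
            continue
        findings.append((auth.session_user, classify(auth, master_prefix),
                         auth.login, auth.master_for))
    return findings


if __name__ == "__main__":
    for session_user, kind, login, master_for in audit(SAMPLE_LOG, master_prefix="X"):
        flag = "  <-- no master user" if kind == "direct" else ""
        print(f"session={session_user} kind={kind} login={login} for={master_for}{flag}")
```

Run it against a backend's debug log (`grep 'Authenticating as'` output works as input) with `master_prefix` set to whatever static text you put in front of `%{userdb:sharing_user}`; every `direct` row is a connection that the master-only static passdb on the director would reject.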
