I have an update: I realize now that my ACL is working; however, applying the ACL still does nothing to improve the original problem, that dovecot doesn't seem to communicate permission failures to the client, which allows the client to become out of sync with reality on the server.
I'm really not sure how dovecot might currently determine if a folder is read-only on disk, because there seems to be some handling for that case in the code. Perhaps if I knew what part of the code (or had an explanation of) why it thinks a folder is not writable, I could use that to my advantage and try to make folders look more "read-only" on disk.
On Sun, May 06, 2007 at 09:34:28PM -0400, Adam McDougall wrote:
First of all, I think dovecot is really fantastic and I am thankful for all the hard work. I think it will be the best fit for my ~5000 users when I have it set up completely. We normally have approx. 500 concurrent IMAP connections during the day.
I am trying to convert from courier-imap to dovecot, but I have an issue with public namespace folders that are not writable by certain users. Please let me know if I need to provide more information or how I can help solve this issue.
<snip> I don't know how courier stores and checks mail directory permissions, but it was aware when a user would not be able to delete or change messages and would return a READ-ONLY IMAP error when an attempt to change a message occurred (courier returns this in the IMAP response to update mail flags, to reflect that the client wants to move or delete a mail). I understand that IMAP clients will usually only set status as read or deleted first and only try to delete an email for real on expunge, but it seems dovecot does not try to detect if a message is modifiable before it is too late for the user to find out.

What happens is that a user appears to be able to mark messages read, move them to another folder, or delete them (another way of moving to another folder, e.g. Trash). The user is clueless that the changes will not occur, and only finds out later when they reload the folder to find the messages back, or try to expunge and get an unhelpful 'internal error' from dovecot (I can help trace this situation if it helps, but I think that stage should not be reached if things were working right). My configuration has the public folder control and indexes inside a user's home directory, so it will always be possible for dovecot to record message status changes; however, I do not think dovecot should update the control and indexes to reflect an IMAP operation that is not allowed to complete due to restricted permissions on the actual email file. I suppose dovecot would have to check the permissions on mail message files.
<snip portion about ACLs>
# dovecot --version
1.0.0
The reason I have so many public spaces below is to match the existing directory structure we set up for courier, and also to help us keep the directory listing more tidy, since otherwise we would end up with many folders all under one directory. Some of them have monthly rotation and it could get out of hand if we did not split them up. I understand it makes things more difficult for the global ACL list at present, if I were to use it, but I may not have any conflicting folder names at this time.
# dovecot -n
# /usr/local/etc/dovecot.conf
ssl_cert_file: /usr/local/etc/apache2/ssl/mail.egr.msu.edu.pem
ssl_key_file: /usr/local/etc/apache2/ssl/mail.egr.msu.edu.pem
login_dir: /var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
verbose_proctitle: yes
first_valid_uid: 1000
first_valid_gid: 0
mail_location: maildir:~/Maildir:CONTROL=%h/Maildir/dovecot/private/control:INDEX=%h/Maildir/dovecot/private/indexes
mail_debug: yes
mmap_disable: yes
maildir_copy_with_hardlinks: yes
mail_plugins: acl
mail_log_max_lines_per_sec: 0
imap_client_workarounds: delay-newmail outlook-idle netscape-eoh tb-extra-mailbox-sep
namespace:
  type: public
  separator: /
  prefix: #shared/be/
  location: maildir:/egr/mail/shared-dovecot2/be:CONTROL=%h/Maildir/dovecot/public/control/be:INDEX=%h/Maildir/dovecot/public/indexes/be
namespace:
  type: public
  separator: /
  prefix: #shared/cee/
  location: maildir:/egr/mail/shared-dovecot2/cee:CONTROL=%h/Maildir/dovecot/public/control/cee:INDEX=%h/Maildir/dovecot/public/indexes/cee
namespace:
  type: public
  separator: /
  prefix: #shared/chems/
  location: maildir:/egr/mail/shared-dovecot2/chems:CONTROL=%h/Maildir/dovecot/public/control/chems:INDEX=%h/Maildir/dovecot/public/indexes/chems
namespace:
  type: public
  separator: /
  prefix: #shared/decs/
  location: maildir:/egr/mail/shared-dovecot2/decs:CONTROL=%h/Maildir/dovecot/public/control/decs:INDEX=%h/Maildir/dovecot/public/indexes/decs
namespace:
  type: public
  separator: /
  prefix: #shared/egr/
  location: maildir:/egr/mail/shared-dovecot2/egr:CONTROL=%h/Maildir/dovecot/public/control/egr:INDEX=%h/Maildir/dovecot/public/indexes/egr
namespace:
  type: public
  separator: /
  prefix: #shared/me/
  location: maildir:/egr/mail/shared-dovecot2/me:CONTROL=%h/Maildir/dovecot/public/control/me:INDEX=%h/Maildir/dovecot/public/indexes/me
namespace:
  type: public
  separator: /
  prefix: #shared/org/
  location: maildir:/egr/mail/shared-dovecot2/org:CONTROL=%h/Maildir/dovecot/public/control/org:INDEX=%h/Maildir/dovecot/public/indexes/org
namespace:
  type: public
  separator: /
  prefix: #shared/toptest/
  location: maildir:/egr/mail/shared-dovecot2/toptest:CONTROL=%h/Maildir/dovecot/public/control/toptest:INDEX=%h/Maildir/dovecot/public/indexes/toptest
namespace:
  type: public
  separator: /
  prefix: #shared/ugs/
  location: maildir:/egr/mail/shared-dovecot2/ugs:CONTROL=%h/Maildir/dovecot/public/control/ugs:INDEX=%h/Maildir/dovecot/public/indexes/ugs
namespace:
  type: public
  separator: /
  prefix: #shared/vprgs/
  location: maildir:/egr/mail/shared-dovecot2/vprgs:CONTROL=%h/Maildir/dovecot/public/control/vprgs:INDEX=%h/Maildir/dovecot/public/indexes/vprgs
namespace:
  type: private
  separator: /
  prefix: mail/
  hidden: yes
namespace:
  type: private
  separator: /
  location: maildir:~/Maildir:CONTROL=%h/Maildir/dovecot/private/control:INDEX=%h/Maildir/dovecot/private/indexes
  inbox: yes
auth default:
  mechanisms: plain login
  passdb:
    driver: pam
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      user: postfix
      group: postfix
    master:
plugin:
  acl: vfile:/usr/local/etc/dovecot-acls
Thanks.
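Dovecot's own on-disk read-only test is not shown anywhere in this thread, so the following is an added example (editor's code, not dovecot's and not the poster's) of the check an administrator can run before publishing a shared Maildir: given a uid and a set of gids, it reads the classic owner/group/other mode bits of cur/, new/ and tmp/ and reports which IMAP operations those bits would allow. Flag changes and expunge are renames or unlinks inside cur/, so they need write+search on cur/ (and, with the sticky bit set, ownership of the file or the directory); APPEND and COPY into the folder write to tmp/ and link into new/. The uids, the message filename and the three sample layouts are constructed; root's bypass of mode bits and POSIX ACLs are deliberately not modelled.

```python
import os
import stat
import tempfile


def _effective_bits(st, uid, gids):
    """Return the rwx triple (0-7) that applies to uid/gids for st: the owner
    class if uid owns the object, else the group class if the object's group
    is one of the user's groups, else the 'other' class.
    Root's override of mode bits is deliberately not modelled."""
    if st.st_uid == uid:
        return (st.st_mode & stat.S_IRWXU) >> 6
    if st.st_gid in gids:
        return (st.st_mode & stat.S_IRWXG) >> 3
    return st.st_mode & stat.S_IRWXO


def dir_modifiable(path, uid, gids):
    """Creating, renaming or unlinking entries needs write + search (w+x) on
    the directory itself; the mode of the file being renamed is irrelevant."""
    bits = _effective_bits(os.stat(path), uid, gids)
    return bits & 0o3 == 0o3


def entry_removable(dirpath, name, uid, gids):
    """Rename/unlink of one entry. With the sticky bit on the directory
    (e.g. mode 1777) the user must additionally own the entry or the directory."""
    if not dir_modifiable(dirpath, uid, gids):
        return False
    dst = os.stat(dirpath)
    if dst.st_mode & stat.S_ISVTX:
        fst = os.lstat(os.path.join(dirpath, name))
        return fst.st_uid == uid or dst.st_uid == uid
    return True


def maildir_access(maildir, uid, gids):
    """Map the permission bits of a Maildir to the IMAP operations that rely
    on them. 'modify' covers flag changes and expunge (all inside cur/);
    'append' covers APPEND/COPY into this folder (tmp/ then new/)."""
    cur = os.path.join(maildir, "cur")
    messages = sorted(os.listdir(cur))
    modify = dir_modifiable(cur, uid, gids) and all(
        entry_removable(cur, m, uid, gids) for m in messages)
    append = all(dir_modifiable(os.path.join(maildir, d), uid, gids)
                 for d in ("tmp", "new"))
    return {"modify": modify, "append": append,
            "read_only": not (modify or append)}


def make_sample_maildir(root, cur_mode, other_mode=0o755):
    """Constructed sample: a Maildir with one (fake) message in cur/, then an
    explicit chmod so the outcome does not depend on the caller's umask."""
    for sub in ("cur", "new", "tmp"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "cur", "1178500000.M1P1.host:2,S"), "w") as f:
        f.write("Subject: constructed sample\n\nbody\n")
    os.chmod(os.path.join(root, "cur"), cur_mode)
    for sub in ("new", "tmp"):
        os.chmod(os.path.join(root, sub), other_mode)
    return root


def demo():
    """Evaluate three layouts from the owner's point of view and from a
    hypothetical uid/gid that matches neither the owner nor the group."""
    with tempfile.TemporaryDirectory() as root:
        st = os.stat(root)
        owner, owner_gids = st.st_uid, {st.st_gid}
        other, other_gids = st.st_uid + 1, {st.st_gid + 1}   # hypothetical
        rw = make_sample_maildir(os.path.join(root, "rw"), 0o755)
        ro = make_sample_maildir(os.path.join(root, "ro"), 0o555, 0o555)
        sticky = make_sample_maildir(os.path.join(root, "sticky"), 0o1777, 0o777)
        try:
            return {
                "rw_owner": maildir_access(rw, owner, owner_gids),
                "rw_other": maildir_access(rw, other, other_gids),
                "ro_owner": maildir_access(ro, owner, owner_gids),
                "sticky_other": maildir_access(sticky, other, other_gids),
            }
        finally:
            # restore writable modes so TemporaryDirectory can clean up
            for d in (rw, ro, sticky):
                for sub in ("cur", "new", "tmp"):
                    os.chmod(os.path.join(d, sub), 0o755)


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "sticky_other" case is the one worth noting for a shared namespace: a world-writable cur/ with the sticky bit set lets anyone deliver into the folder but lets only the file's owner rename or unlink it, so flag changes by other users will fail at rename time even though the directory mode alone looks writable.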