Marcus Rueckert wrote:
On 2010-08-25 14:13:53 +0200, Chris Moules wrote:
you can specify default ACLs in /etc/dovecot/acls? I did try this. Again, the issue being that they are not inherited to sub-folders, so an ACL for the INBOX is not used for all folders. You need a global ACL file named for each folder name. So if a client creates a folder called "My banana photo collection" you would need a file "/etc/dovecot/acls/My banana photo collection" with something like "authenticated rl"
It is not possible to have a global ACL for every possible folder name.
to quote http://wiki.dovecot.org/ACL :
[[[ Every time you create a new mailbox, it gets its ACLs from the parent mailbox. If you're creating a root-level mailbox, it uses the namespace's default ACLs. There is no actual inheritance, however: If you modify parent's ACLs, the child's ACLs stay the same. There is currently no support for ACL inheritance.
The default ACLs are read from "dovecot-acl" file in the namespace's mail root directory (e.g. /var/public/Maildir). ]]]
darix
Marcus / darix,
I read the wiki ACL thoroughly. I believe that you are missing the point.
source server  -rsync->  destination server
(Read/Write)             (Read Only)
- I am _not_ doing everything through dovecot.
- Maildirs are being synced from one server to another (source -> destination).
- The 'new' mailbox (or folder as I have referred to them up until now) is created on the 'source' server (where ACLs are not enabled).
- The 'destination' dovecot system has the Maildir changed underneath it, direct disk access (rsync). The ACL plugin has no influence on its creation, so no auto-created "dovecot-acl" file like the parent (or not).
- Global ACLs do not get inherited to the child mailboxes (I have not seen this written in black & white, my testing confirms this however). In the wiki Global ACLs have a different write-up to their 'standard' counterpart and need the full name / hierarchy.
The fact that my ACL/read-only dovecot server does not have any control over the creation of the maildirs means that the sync system would need to create a "dovecot-acl" file for all maildirs. This complicates the matter and leaves room for mistakes.
Through my research and testing I had the idea that using a dovecot plugin I could just tell the client that they only had read access to the server. This would avoid the need to have over-complex ACLs that looked like they would not, elegantly, solve my problem. The plugins did not seem over complex and I have been able to realize most of my need with very little code.
Regards
Chris
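For readers who, unlike Chris, do want to go the per-mailbox "dovecot-acl" route on the rsync destination, the following is an added illustration (not code from the thread, from Chris, or from the Dovecot project) of the post-sync step he describes: audit every Maildir++ folder under a mail root for a missing "dovecot-acl" file and drop in the read-only rule "authenticated rl" quoted above. It assumes the Maildir++ layout (sub-folders are ".Name" directories holding cur/new/tmp) and the per-mailbox ACL file name from the Dovecot wiki; the sample tree it builds is constructed, not real mail.

```python
import os
import tempfile

# Assumed per-mailbox ACL file name (Dovecot wiki) and the read-only rule
# quoted in the thread: any authenticated user may look up and read the folder.
ACL_FILE = "dovecot-acl"
READ_ONLY_RULE = "authenticated rl\n"


def is_maildir(path):
    """A directory counts as a Maildir folder when it has the cur/new/tmp triple."""
    return all(os.path.isdir(os.path.join(path, d)) for d in ("cur", "new", "tmp"))


def iter_maildirs(root):
    """Yield the root (INBOX) and every Maildir++ sub-folder ('.Name' directories)."""
    if is_maildir(root):
        yield root
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if name.startswith(".") and os.path.isdir(path) and is_maildir(path):
            yield path


def missing_acls(root):
    """Audit step: folders under root that carry no dovecot-acl file."""
    return [p for p in iter_maildirs(root)
            if not os.path.isfile(os.path.join(p, ACL_FILE))]


def ensure_readonly_acls(root, rule=READ_ONLY_RULE):
    """Fix step: write the rule into every folder lacking an ACL file.

    Returns the list of ACL file paths written. Existing files are left alone so a
    deliberately different ACL on one folder survives repeated runs.
    """
    written = []
    for folder in missing_acls(root):
        acl_path = os.path.join(folder, ACL_FILE)
        # Write to a temp name and rename so a concurrent IMAP session never
        # observes a half-written ACL file.
        tmp_path = acl_path + ".tmp"
        with open(tmp_path, "w") as fh:
            fh.write(rule)
        os.replace(tmp_path, acl_path)
        written.append(acl_path)
    return written


def build_sample_maildir(base):
    """Construct a sample Maildir++ tree: INBOX plus two sub-folders (test data only)."""
    for folder in ("", ".Sent", ".My banana photo collection"):
        for sub in ("cur", "new", "tmp"):
            os.makedirs(os.path.join(base, folder, sub), exist_ok=True)
    return base


def demo():
    """Run audit -> fix -> audit on a constructed tree in a temp dir.

    Returns folder names (relative to the root, '.' for INBOX) found missing
    before the fix, written by the fix, and still missing afterwards.
    """
    root = build_sample_maildir(tempfile.mkdtemp(prefix="maildir-"))
    before = [os.path.relpath(p, root) for p in missing_acls(root)]
    written = [os.path.relpath(os.path.dirname(p), root)
               for p in ensure_readonly_acls(root)]
    after = [os.path.relpath(p, root) for p in missing_acls(root)]
    return before, written, after


if __name__ == "__main__":
    b, w, a = demo()
    print("missing before:", b)
    print("written:", w)
    print("missing after:", a)
```

Run it as the mail user (or chown the files afterwards) so the dovecot-acl files are readable by the process serving IMAP; since rsync on the source side knows nothing about these files, the script belongs in the post-sync step on the destination, and the audit function alone is useful as a monitoring check that no freshly synced folder is being served without an ACL.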