Hello,

 

We're trying to configure the shared mailbox feature\namespace on a dovecot 2.3 installation .

 

OS : Ubuntu 22.04 x64

Dovecot : 2:2.3.19.1-2+ubuntu20.04

 

Our test enviroment is based on a dovecot frontend ( director + proxy ) and a dovecot backend ( auth  and storage ), later we will think about increasing the number of backends and frontends ( if we got it right, as we plan to use multiple backends, we should use imapc in order to bind the sharer and the accessing user to the same backend )  .

 

On dovecot backend we've configured the new shared namespace, as stated in the documentation ( https://doc.dovecot.org/configuration_manual/shared_mailboxes/shared_mailboxes/#user-shared-mailboxes ) :

-- Dovecot conf --------------------

# Maildir's location is under home dir, which is returned by userdb.

mail_location = maildir:~/Maildir:VOLATILEDIR=/tmp_lock/%2.256Nu/%u

 

# Quota, mail_log plugins enabled everywhere

mail_plugins = quota notify acl fts fts_lucene mail_log mailbox_alias virtual

 

# Default namespace

namespace {

  hidden = no

  inbox = yes

  location =

  prefix =

  separator = /

  type = private

 

mailbox Sent {

   special_use = \Sent

   auto = create

}

mailbox Trash {

   special_use = \Trash

   auto = create

}

mailbox Drafts {

   special_use = \Drafts

   auto = create

}

mailbox SPAM {

   special_use = \Junk

  auto = create

}

}

 

# namespace used by virtual search

namespace {

   prefix = VrtSearch.

   separator = /

   location = virtual:/etc/dovecot-common-backend/virtual:INDEX=~/virtual

         hidden = yes

         subscriptions = no

         inbox = no

         list = no

}

 

 

# IMAP SHARING FEATURE

service dict {

  unix_listener dict {

    mode = 0600

    user = vpopmail

    group = vchkpw

  }

}

 

plugin {

  acl = vfile

  acl_ignore_namespace = shared/*

  acl_shared_dict = proxy::acl-mysql

}

 

dict {

  acl-mysql = mysql:/etc/dovecot-common-backend/dovecot-dict-sql.conf.ext

}

 

# namespace used for IMAP sharing feature

namespace {

  type = shared

  separator = /

  prefix = shared/%%u/

  location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u

  list = children

  subscriptions = no

}

 

-- Dovecot dict sql --------------------

# IMAP SHARING FEATURE

connect = host=x.x.x.x dbname=xxxxxx user=xxxxxx password=xxxxxx

map {

  pattern = shared/shared-boxes/user/$to/$from

  table = imap_user_shares

  value_field = dummy

 

  fields {

    from_user = $from

    to_user = $to

  }

}

 

map {

  pattern = shared/shared-boxes/anyone/$from

  table = imap_anyone_shares

  value_field = dummy

 

  fields {

    from_user = $from

  }

}

 

-- Dict DB contents --------------------

mysql> select * from imap_user_shares;

+------------------------------------------+----------------------------------------+-------+

| from_user                                | to_user                                | dummy |

+------------------------------------------+----------------------------------------+-------+

| test.imapsharer01@td01.testdomain.it     | test.imapuser01@td01.testdomain.it     | 1     |

+------------------------------------------+----------------------------------------+-------+

 

 

For our tests, we've :

- created two users

test.imapsharer01@td01.testdomain.it

test.imapuser01@td01.testdomain.it

 

- Created two INBOX subfolders on the sharer01 user, giving user01 those permissions :

subfolder01 giving to user01 Full control

subfolder02ro giving to user01 list and read

 

- logging as user01 with thunderbird, we see the shared namespace tree :

shared

      test.imapsharer01@td01.testdomain.it

            subfolder01

            subfolder02

           

we're able to see the contents of each folder, even the INBOX .

Checking the folder properties, thunderbird reports that the user01 has full control on the INBOX of shared01 .

 

If we try to check the ACL via python script ( imaplib.gestacl ) or via doveadm, we can see that the sharer01 INBOX has no rights for user01 .

But via thunderbird ( or other email clients ) we can delete emails .

 

ACL - sharer01 accessing its folder

('OK', [b'INBOX test.imapsharer01@td01.testdomain.it lrwstipekxacd'])

('OK', [b'subfolder01 test.imapuser01@td01.testdomain.it akxeilprwtscd test.imapsharer01@td01.testdomain.it lrwstipekxacd'])

('OK', [b'subfolder02ro test.imapuser01@td01.testdomain.it lr test.imapsharer01@td01.testdomain.it lrwstipekxacd'])

 

ACL - user01 accessing sharer01 folders

('OK', [b'shared/test.imapsharer01@td01.testdomain.it/INBOX'])

('OK', [b'shared/test.imapsharer01@td01.testdomain.it/subfolder01 test.imapuser01@td01.testdomain.it akxeilprwtscd'])

('OK', [b'shared/test.imapsharer01@td01.testdomain.it/subfolder02ro test.imapuser01@td01.testdomain.it lr'])

 

Testing with doveadm shows the correct ACL :

 

# doveadm -c /etc/dovecot-backend01/dovecot.conf acl debug -u test.imapuser01@td01.testdomain.it shared/test.imapsharer01@td01.testdomain.it/INBOX

doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox 'INBOX' is in namespace 'shared/test.imapsharer01@td01.testdomain.it/'

doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox path: /home/vpopmail/domains/td01.testdomain.it/dccm4584.imapsharer01/Maildir

doveadm(test.imapuser01@td01.testdomain.it): Info: All message flags are shared across users in mailbox

doveadm(test.imapuser01@td01.testdomain.it): Info: User test.imapuser01@td01.testdomain.it has no rights for mailbox

doveadm(test.imapuser01@td01.testdomain.it): Error: User test.imapuser01@td01.testdomain.it is missing 'lookup' right

doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox shared/test.imapsharer01@td01.testdomain.it/INBOX is NOT visible in LIST

 

# doveadm -c /etc/dovecot-backend01/dovecot.conf acl debug -u test.imapuser01@td01.testdomain.it shared/test.imapsharer01@td01.testdomain.it/subfolder01

doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox 'subfolder01' is in namespace 'shared/test.imapsharer01@td01.testdomain.it/'

doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox path: /home/vpopmail/domains/td01.testdomain.it/dccm4584.imapsharer01/Maildir/.subfolder01

doveadm(test.imapuser01@td01.testdomain.it): Info: All message flags are shared across users in mailbox

doveadm(test.imapuser01@td01.testdomain.it): Info: User test.imapuser01@td01.testdomain.it has rights: lookup read write write-seen write-deleted insert post expunge create delete admin

doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox found from dovecot-acl-list

doveadm(test.imapuser01@td01.testdomain.it): Info: User test.imapsharer01@td01.testdomain.it found from ACL shared dict

doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox shared/test.imapsharer01@td01.testdomain.it/subfolder01 is visible in LIST

 

# doveadm -c /etc/dovecot-backend01/dovecot.conf acl debug -u test.imapuser01@td01.testdomain.it shared/test.imapsharer01@td01.testdomain.it/subfolder02ro

doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox 'subfolder02ro' is in namespace 'shared/test.imapsharer01@td01.testdomain.it/'

doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox path: /home/vpopmail/domains/td01.testdomain.it/dccm4584.imapsharer01/Maildir/.subfolder02ro

doveadm(test.imapuser01@td01.testdomain.it): Info: All message flags are shared across users in mailbox

doveadm(test.imapuser01@td01.testdomain.it): Info: User test.imapuser01@td01.testdomain.it has rights: lookup read

doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox found from dovecot-acl-list

doveadm(test.imapuser01@td01.testdomain.it): Info: User test.imapsharer01@td01.testdomain.it found from ACL shared dict

doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox shared/test.imapsharer01@td01.testdomain.it/subfolder02ro is visible in LIST

 

in the debug log we can see the delete operation :

Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox Trash: Mailbox opened

Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: acl vfile: file /home/vpopmail/domains/td01.testdomain.it/dccm4584.imapuser01/Maildir/.Trash/dovecot-acl not found

Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox shared/test.imapsharer01@td01.testdomain.it: Mailbox opened

Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox Trash: Adding field flags to cache for the first time (uid=0)

Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox Trash: saving UID 0: Opened mail because: header Message-ID (Cache file is unusable)

Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox Trash: Adding field hdr.Message-ID to cache for the first time (uid=0)

Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox shared/test.imapsharer01@td01.testdomain.it: UID 1: Expunge requested

Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox Trash: Purging (new file_seq=1668506005): creating cache

Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox Trash: Purging finished, file_seq changed 0 -> 1668506005, size=0 -> 412, max_uid=0

Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Info: copy from shared/test.imapsharer01@td01.testdomain.it: box=Trash, uid=1, msgid=<mnid2m.1.24789225.57389.0.1127444.c495198613._@nl.aruba.it>

Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Info: expunge: box=shared/test.imapsharer01@td01.testdomain.it, uid=1, msgid=<mnid2m.1.24789225.57389.0.1127444.c495198613._@nl.aruba.it>

Nov 15 10:53:26 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox shared/test.imapsharer01@td01.testdomain.it: UID 1: Mail expunged

 

After we delete a message, we cannot find it on the Trash folders ( user01 or sharer01 ) .

 

 

Are we missing something ?

 

 

Thanks

Stefano