I have been testing shared mailboxes a bit a while ago, and this is buggy coded. I can't remember exactly what was wrong. But the implementation is not according to strict unix permissions as one would expect. I think I have noticed in the shared environment that files are changing ownership instead of just being modified which obviously is not a common practice.
Hi, I use pam_ldap.so to use LDAP to authenticate my users. I don't use virtual accounts, but every account is a unix account. I use a post login script to export the
ACL_GROUPS
variable to hold all unix groups the user belongs to. Each group corresponds to a shared mailbox, where UNIX group permission handle which user gets access to the mailbox. Recently I added acl files to the shared mailboxes that look like:group=some_group kxeilprwts
The Permissions of the user Mailboxes are generally 0700 and 0770 for shared mailboxes. The namespace of the shared Mailboxes looks something like:type=shared, prefix=Shared/%%u/ location= maildir:/somewhere/'%%d/%%n/Maildir:INDEX=/srv/mails/%d/%n/Maildir/shared /%%u
Everything works fine, except my log gets flooded with messages saying:open(/path/to/shared/mailbox) failed: Permission denied
andopendir(/path/to/shared) failed: Permission denied, missing +x perm, we're not in group
. The user should also not be in the group. This is also reproducible when I dodoveadm mailbox list -u some_unix_user
, where dovecot tries to list all of the mailboxes, even though the user does not have permissions to do so. Referenced here: https://doc.dovecot.org/main/core/config/shared_mailboxes.html it says "Dovecot assumes that it can access the other users' mailboxes". So should I just ignore the messages/write a syslog filter for them? How can I prevent dovecot from checking every shared mailbox, even though they don't have access to it?
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org