Thanks for the reply.
> - Make LDAP return system_user. That makes Dovecot get the groups for that user. So something like:
>   pass_attrs = uid=user,uid=system_user,userPassword=password
Sorry I didn't mention this. I am doing exactly as you state (I think).
  user_attrs = mail=user,mailbox=home,uid=system_user,uidNumber=uid,gidNumber=gid
  pass_attrs = mail=user,userPassword=password,uid=userdb_user,uid=userdb_system_user,mailbox=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
The problem is not so much that jdoe and jsmith cannot see the company mail folder; it is that everyone else can. I would like it so that only jdoe and jsmith see the "COMPANY" namespace. However, if I lock down the folder using unix permissions:

  drwxrwx--- 4 cmpymail cmpymail 4096 2006-08-13 02:21 cmpymail
  drwxrwx--- 3 jdoe     users    4096 2005-11-21 13:34 jdoe
  drwxrwx--- 3 jsmith   users    4096 2006-08-13 02:27 jsmith
  drwxrwx--- 3 fred     users    4096 2006-08-13 02:27 fred
  drwxrwx--- 3 wilma    users    4096 2006-08-13 02:27 wilma

then fred and wilma get "IMAP(wilma@arinbe.com): opendir(/home/services/mail/arinbe.com/cmpymail/Maildir) failed: Permission denied" error messages.
I'm fine with the error. It makes sense. I just don't know how to configure dovecot so the users (fred, wilma) don't see the error.
As I understand it:
- The dovecot-shared file is for deliver (dovecot lda) so it knows what permissions to give mail files.
- dovecot-acl provides... I am not sure? Can it override unix permissions? It doesn't appear so. If the logged-in user doesn't have unix permission to access the folder, then how can dovecot-acl be accessed? It also appears that if I set the unix permissions on the folder to cmpymail.users then dovecot-acl doesn't do anything to stop fred and wilma from accessing the folder, since they have unix permission to access that folder (they (everyone) are in the users group).
Should I make everyone a static uid like

  userdb static {
    args = uid=1500 gid=1500 home=/home/services/mail/%d/%n
  }

remove unix permissions, chown vuser.vuser for all mail folders, and put a dovecot-acl in the folders/namespace I want to protect? Does it have to be that way? I kind of like seeing the login process and who it belongs to... though this is a "black" box and no one can log into it.
I guess my example is pretty lame compared to what ACLs are supposed to be able to do in IMAP, but I imagine something similar to what samba does for shares, like a "users" parameter:
  namespace public {
    separator = .
    prefix = COMPANY.
    users = someuser @somegroup
    location = maildir:/home/services/mail/arinbe.com/company/Maildir:CONTROL=%h/shared-settings/company/control:INDEX=%h/shared-settings/rootmail/index
    hidden = no
  }
Thanks,
Jim
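As an added example (not code from this thread or from Dovecot itself), here is a small Python model of the two checks Jim's setup runs into: the Unix directory permission that produces the opendir() error, and the lookup ("l") right in a dovecot-acl file that decides whether a folder appears in LIST at all. It assumes the dovecot-acl line format of an identifier (user=, group=, owner, authenticated, anyone, optionally prefixed with "-") followed by right letters; the uids, gids and ACL contents are constructed sample values.

```python
# Added example (not from the thread): the two layers that decide whether an
# IMAP user sees a shared Maildir under Dovecot.  Layer 1 is the Unix
# directory mode, checked with the uid/gids the userdb returns; layer 2 is the
# "l" (lookup) right in a dovecot-acl file, used by the ACL plugin to hide a
# folder from LIST.  An ACL can only subtract from what Unix already permits.
def unix_can_enter(uid, gids, owner_uid, owner_gid, mode):
    """opendir() on a Maildir needs both r and x on the directory."""
    if uid == owner_uid:
        shift = 6                        # owner bits
    elif owner_gid in gids:
        shift = 3                        # group bits (primary + supplementary)
    else:
        shift = 0                        # other bits
    return ((mode >> shift) & 0o5) == 0o5

def parse_acl(text):
    """Parse dovecot-acl lines '<identifier> <rights>'.  Identifiers are
    user=<name>, group=<name>, owner, authenticated or anyone; a leading '-'
    on the identifier removes the listed rights instead of granting them."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ident, rights = line.split(None, 1)
        entries.append((ident.lstrip("-"), ident.startswith("-"), set(rights)))
    return entries

def acl_rights(entries, user, group_names, is_owner=False):
    """Merge every matching entry in file order; negative entries remove rights."""
    rights = set()
    for ident, negative, r in entries:
        matches = (ident in ("anyone", "authenticated")
                   or ident == "user=" + user
                   or (ident == "owner" and is_owner)
                   or (ident.startswith("group=") and ident[6:] in group_names))
        if matches:
            rights = (rights - r) if negative else (rights | r)
    return rights

def folder_visible(user, uid, gids, group_names, owner_uid, owner_gid, mode, acl_text):
    """True only if the kernel lets the user in AND the ACL grants lookup."""
    if not unix_can_enter(uid, gids, owner_uid, owner_gid, mode):
        return False                     # the "Permission denied" case from the post
    return "l" in acl_rights(parse_acl(acl_text), user, group_names)

# Constructed scenario: company Maildir owned by cmpymail (uid 1500), group
# "users" (gid 100, everyone is a member), mode 0770; only jdoe and jsmith
# are granted lookup, so fred gets in at the Unix level but the ACL hides it.
COMPANY_ACL = "user=jdoe lrwstipekxa\nuser=jsmith lr\n"
```

With the directory group set to cmpymail instead of users, unix_can_enter() fails for fred before the ACL is ever consulted, which is exactly the opendir() error above.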