Timo Sirainen <tss@iki.fi> wrote:
On 23.11.2012, at 13.27, Alessio Cecchi wrote:
Il 23/11/2012 08:07, Timo Sirainen ha scritto:
BTW. Do you have multiple Dovecot backend servers? Director works only when you're not using shared mailboxes.
I'm not happy to hear that, so if today we are running one dovecot server with shared mailbox enabled and tomorrow we will switch to a more complex installation with Director we will be unable to still provide shared mailbox to our customers?
You can't reliably do it if the mailboxes are accessed directly via NFS. The current idea to solve this is to use imapc backend with master users, so the actual mailbox access for each user is always done by only one server. I think someone already managed to configure such a setup.
This was me.
It works (with one minor quirk, more on this later) in my current test setup like so:
a) 1 to X user-servers with the users' mailboxes on them
b) 1 shared-server with the shared mailboxes on it
On the user-servers I have namespace like this:
namespace {
  list = yes
  location = imapc:~/imapc-shared
  prefix = IMAPShared/
  separator = /
  subscriptions = no
  type = public
}
and a userdb like this:
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  default_fields = uid=virtmail gid=virtmail home=/srv/mail/%2MLn/%Ln/ imapc_password=%w quota_rule2=Trash:ignore
  driver = ldap
}
Note the "imapc_password=%w" in the default_fields. This is needed to pass the user's login password to the shared-server.
The imapc proxy code is configured like this:
imapc_host = m-st-sh-01.example.com
imapc_master_user = %u
imapc_user = shared
This uses the original user as the master user and a fixed user with the original user's password to log in to the shared-server.
Note: You CANNOT have ACLs activated on the user-servers, because this will interfere with the permissions of the IMAPShared namespace, rendering the mailboxes located in there unavailable to your users.
The shared-storage then uses a static passdb for the user "shared":
passdb {
  args = user=shared password=complicatedpasswordhere
  driver = static
}
and a static userdb for the virtual-user:
userdb {
  args = uid=virtmail gid=virtmail home=/srv/mail/%Ln
  driver = static
}
and additionally a passdb for the "master" users:
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
  master = yes
  pass = yes
}
which are pulled from LDAP, just like on the user-servers.
Now the mentioned quirk: Because all connections on the shared-server are made to the same user "shared" and are coming from very few IPs (the 1 to X user-servers), you need to set a very high mail_max_userip_connections value.
I set mine to 1000 just to be sure.
---> But: I have NOT configured login_trusted_networks, so this may be my error in that case.
And, a second quirk: You can only offer admin-provided shared folders, your users CANNOT share folders themselves, because there is quite some manual work involved in creating and setting them up on the central shared-server.
For example: To provide a mailbox with the name "Test.3" in IMAPShared I need the following directory structure on m-st-sh-01.example.com:
/srv/mail/shared/mdbox/mailboxes/Test.3/
In .../Test.3/ there is the dbox-Mails folder with the indexes and other meta information. The admin needs to create the dovecot-acl file to configure the access permissions:
root@m-st-sh-01:/srv/mail/shared/mdbox/mailboxes/Test.3/dbox-Mails# cat dovecot-acl
user=gbgr14 lrwstipek
user=bbgr99 lrwstipek
The users are then able to see those folders as IMAPShared/Test.3/; subscriptions are managed inside the user's own subscription file on their respective "home" server, while flags and tags are shared.
Regards, Sven.
-- Sigmentation fault. Core dumped.
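Since the admin hand-writes the dovecot-acl file for every shared folder in the setup above, a small audit script is useful before a folder goes live. The following is an added example and is not code from the post or from the Dovecot project. It assumes the documented dovecot-acl line format "<identifier> <rights>", where the identifier is user=NAME, group=NAME, owner, authenticated or anyone, a leading "-" denies the listed rights, "#" starts a comment, and rights are the single-letter rights l r w s t i p e k x a (named rights such as "lookup" are not handled). The merge rule used for effective rights (positive entries summed, then negative entries removed) is an assumption of this example. The sample ACL embeds the two lines from the post plus two constructed lines.

```python
"""Parse and audit a dovecot-acl file for a shared mailbox (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Set

# Single-letter ACL rights as documented for Dovecot (assumed complete here).
RIGHT_LETTERS = set("lrwstipekxa")
# Rights that only let a user find and read mail; anything else changes state.
READ_ONLY = set("lrs")


@dataclass
class AclEntry:
    identifier: str       # e.g. "user=gbgr14", "anyone", "authenticated"
    rights: Set[str]
    negative: bool = False  # line started with "-": these rights are denied


def parse_dovecot_acl(text: str) -> List[AclEntry]:
    """Parse dovecot-acl text; raise ValueError on a malformed line."""
    entries: List[AclEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<identifier> <rights>'")
        ident, rights = parts
        negative = ident.startswith("-")
        if negative:
            ident = ident[1:]
        unknown = set(rights) - RIGHT_LETTERS
        if unknown:
            raise ValueError(f"line {lineno}: unknown right(s) {sorted(unknown)}")
        entries.append(AclEntry(ident, set(rights), negative))
    return entries


def effective_rights(entries: Iterable[AclEntry], user: str,
                     groups: Iterable[str] = (), owner: bool = False) -> Set[str]:
    """Rights a user ends up with: positive entries summed, negatives removed.
    (Merge order is an assumption of this example, not verified against Dovecot.)"""
    ids = {f"user={user}", "anyone", "authenticated"}
    ids |= {f"group={g}" for g in groups}
    if owner:
        ids.add("owner")
    granted: Set[str] = set()
    denied: Set[str] = set()
    for e in entries:
        if e.identifier in ids:
            (denied if e.negative else granted).update(e.rights)
    return granted - denied


def audit(entries: Iterable[AclEntry]) -> List[str]:
    """Findings an admin should review before publishing the shared folder."""
    findings = []
    for e in entries:
        if e.negative:
            continue
        broad = e.rights - READ_ONLY
        if e.identifier in ("anyone", "authenticated") and broad:
            findings.append(f"{e.identifier} gets modifying rights "
                            f"{''.join(sorted(broad))}")
        if "a" in e.rights and e.identifier != "owner":
            findings.append(f"{e.identifier} holds 'a' (admin) and can rewrite this ACL")
        if "x" in e.rights:
            findings.append(f"{e.identifier} holds 'x' and can delete the mailbox")
    return findings


# Constructed sample: the two lines from the post plus two added for the audit.
SAMPLE_ACL = """\
# dovecot-acl for IMAPShared/Test.3
user=gbgr14 lrwstipek
user=bbgr99 lrwstipek
authenticated lrw      # constructed: too broad for a customer-facing shared folder
-user=bbgr99 k         # constructed: deny 'k' (create subfolders) to one user
"""

if __name__ == "__main__":
    acl = parse_dovecot_acl(SAMPLE_ACL)
    print("bbgr99 :", "".join(sorted(effective_rights(acl, "bbgr99"))))
    for finding in audit(acl):
        print("finding:", finding)
```

Run it against a real dovecot-acl by reading the file into parse_dovecot_acl; the audit flags the constructed "authenticated lrw" line because it hands write access to every logged-in user of the shared-server, which in this setup is every customer proxied through the user-servers.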