It shouldn't be impossible, but I've tried countless ways and not even ChatGPT 4o was able to help me! :D
I use three LDIF files to get OpenLDAP ready for testing. In the first LDIF I just modify the schema to add the associatedDomain attributes (then I could configure the server to serve more than one domain). The second LDIF is to add 4 objects to the schema that I use to differentiate accounts that actually receive/send emails and have a password; another thing done in it is to add a "groupOfUniqueNamesWithMail" object that allows the "mail" and "mailEnabled" attributes that are then necessary to use in the entries created in the "shared-mailboxes" OU. Finally, the third LDIF populates the LDAP by creating OUs, user accounts and creating entries in "shared-mailboxes" that serve to say which user accounts have access to which other user accounts.
When I start the email server, sending and receiving emails works perfectly.
And mailbox shares work as expected if I manually use, for each share, the command:
doveadm acl set -u admin@mydomain.com.br INBOX user=user.1@mydomain.com.br lookup read write write-seen write-deleted insert post expunge create delete
But just as authentication works perfectly via LDAP, I believe there must be a way to configure Dovecot to dynamically adjust ACLs via LDAP.
The configuration in principle would be this:
acl_search_base = ou=shared-mailboxes,dc=mydomain,dc=com,dc=br
acl_search_filter = (&(objectClass=groupOfUniqueNamesWithMail)(|(uniqueMember=mail=%u,ou=system-accounts,dc=mydomain,dc=com,dc=br)(uniqueMember=mail=%u,ou=department-accounts,dc=mydomain,dc=com,dc=br)(uniqueMember=mail=%u,ou=mailing-accounts,dc=mydomain,dc=com,dc=br)(uniqueMember=mail=%u,ou=person-accounts,dc=mydomain,dc=com,dc=br)))
acl_user = %u
Testing this filter on the command line with "ldapsearch", the expected results are returned. I mean, I enter an email address from a user account and the result is all the other user account email addresses that the first one would have access to.
Any charitable soul who is willing to help and needs more information, just say what you need and I will try to respond as quickly as possible.
I will place the content of the three LDIFs below.
[ 01-modify_domain.ldif ]
dn: dc=mydomain,dc=com,dc=br
changetype: modify
add: objectClass
objectClass: domainRelatedObject
-
add: associatedDomain
associatedDomain: mydomain.com.br
-
add: associatedDomain
associatedDomain: anotherdomain.com.br
[ 02-add_my_object_classes_to_schema.ldif ]
# Object class for system user accounts
dn: cn=SystemAccount,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: SystemAccount
olcObjectClasses: ( 1.3.6.1.4.1.99999.1.1 NAME 'SystemAccount' DESC 'Object class for system accounts' SUP top AUXILIARY )

# Object class for department user accounts
dn: cn=DepartmentAccount,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: DepartmentAccount
olcObjectClasses: ( 1.3.6.1.4.1.99999.1.2 NAME 'DepartmentAccount' DESC 'Object class for department accounts' SUP top AUXILIARY )

# Object class for mailing user accounts
dn: cn=MailingAccount,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: MailingAccount
olcObjectClasses: ( 1.3.6.1.4.1.99999.1.3 NAME 'MailingAccount' DESC 'Object class for mailing accounts' SUP top AUXILIARY )

# Object class for person user accounts
dn: cn=PersonAccount,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: PersonAccount
olcObjectClasses: ( 1.3.6.1.4.1.99999.1.4 NAME 'PersonAccount' DESC 'Object class for person accounts' SUP top AUXILIARY )

# Object class that allows groupOfUniqueNames to have a mail attribute
dn: cn=groupOfUniqueNamesWithMail,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: groupOfUniqueNamesWithMail
olcObjectClasses: ( 1.3.6.1.4.1.99999.1.5 NAME 'groupOfUniqueNamesWithMail' SUP groupOfUniqueNames STRUCTURAL MAY ( mail $ mailEnabled ) )
[ 03-initialize_mydomain.com.br.ldif ]
### Create organizational units
dn: ou=system-accounts,dc=mydomain,dc=com,dc=br
ou: system-accounts
objectClass: organizationalUnit
objectClass: top

dn: ou=department-accounts,dc=mydomain,dc=com,dc=br
ou: department-accounts
objectClass: organizationalUnit
objectClass: top

dn: ou=mailing-accounts,dc=mydomain,dc=com,dc=br
ou: mailing-accounts
objectClass: organizationalUnit
objectClass: top

dn: ou=person-accounts,dc=mydomain,dc=com,dc=br
ou: person-accounts
objectClass: organizationalUnit
objectClass: top

dn: ou=shared-mailboxes,dc=mydomain,dc=com,dc=br
ou: shared-mailboxes
objectClass: organizationalUnit
objectClass: top
################################################################################
## Create System User Accounts
# not related to a person
# can be accessed directly or indirectly by more than one person
dn: mail=admin@mydomain.com.br,ou=system-accounts,dc=mydomain,dc=com,dc=br
uid: admin
userPassword: {SSHA}
displayName: My Domain - Admin
givenName: System
sn: Admin
cn: System Admin
mail: admin@mydomain.com.br
mailAlias: root@mydomain.com.br
mailAlias: postmaster@mydomain.com.br
mailEnabled: TRUE
mailUidNumber: 5000
mailGidNumber: 5000
mailHomeDirectory: /var/mail/mydomain.com.br/system-accounts/admin/
mailStorageDirectory: maildir:/var/mail/mydomain.com.br/system-accounts/admin/
description: My Domain - Admin (root/postmaster)
objectClass: PostfixBookMailAccount
objectClass: SystemAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

dn: mail=smtp@mydomain.com.br,ou=system-accounts,dc=mydomain,dc=com,dc=br
uid: smtp
userPassword: {SSHA}
displayName: My Domain - SMTP
givenName: System
sn: SMTP
cn: System SMTP
mail: smtp@mydomain.com.br
mailAlias: no-reply@mydomain.com.br
mailEnabled: TRUE
mailUidNumber: 5000
mailGidNumber: 5000
mailHomeDirectory: /var/mail/mydomain.com.br/system-accounts/smtp/
mailStorageDirectory: maildir:/var/mail/mydomain.com.br/system-accounts/smtp/
description: My Domain - System SMTP
objectClass: PostfixBookMailAccount
objectClass: SystemAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

dn: mail=smtp-auditor@mydomain.com.br,ou=system-accounts,dc=mydomain,dc=com,dc=br
uid: smtp-auditor
userPassword: {SSHA}
displayName: My Domain - SMTP Auditor
givenName: System
sn: SMTP Auditor
cn: System SMTP Auditor
mail: smtp-auditor@mydomain.com.br
mailEnabled: TRUE
mailUidNumber: 5000
mailGidNumber: 5000
mailHomeDirectory: /var/mail/mydomain.com.br/system-accounts/smtp-auditor/
mailStorageDirectory: maildir:/var/mail/mydomain.com.br/system-accounts/smtp-auditor/
description: My Domain - System SMTP Auditor
objectClass: PostfixBookMailAccount
objectClass: SystemAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
################################################################################
## Create Department User Accounts
# not related to a person
# can be accessed directly or indirectly by more than one person
dn: mail=it@mydomain.com.br,ou=department-accounts,dc=mydomain,dc=com,dc=br
uid: it
userPassword: {SSHA}
displayName: My Domain - Information Technology
givenName: My Domain
sn: IT
cn: My Domain - IT
mail: it@mydomain.com.br
mailAlias: information.technology@mydomain.com.br
mailEnabled: TRUE
mailUidNumber: 5000
mailGidNumber: 5000
mailHomeDirectory: /var/mail/mydomain.com.br/department-accounts/it/
mailStorageDirectory: maildir:/var/mail/mydomain.com.br/department-accounts/it/
description: My Domain - Information Technology (IT)
objectClass: PostfixBookMailAccount
objectClass: DepartmentAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
################################################################################
## Create Mailing User Accounts
# not related to a person
# can be accessed directly or indirectly by more than one person
dn: mail=everyone@mydomain.com.br,ou=mailing-accounts,dc=mydomain,dc=com,dc=br
uid: everyone
userPassword: {SSHA}
displayName: My Domain - Everyone
givenName: My Domain
sn: everyone
cn: My Domain - Everyone
mail: everyone@mydomain.com.br
mailAlias: everyone@mydomain.com.br
mailEnabled: TRUE
mailUidNumber: 5000
mailGidNumber: 5000
mailHomeDirectory: /var/mail/mydomain.com.br/mailing-accounts/everyone/
mailStorageDirectory: maildir:/var/mail/mydomain.com.br/mailing-accounts/everyone/
description: My Domain - Everyone mailing list
objectClass: PostfixBookMailAccount
objectClass: MailingAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

dn: mail=mailing.list.1@mydomain.com.br,ou=mailing-accounts,dc=mydomain,dc=com,dc=br
uid: mailing.list.1
userPassword: {SSHA}
displayName: My Domain - Mailing List 1
givenName: My Domain
sn: Mailing List 1
cn: My Domain - Mailing List 1
mail: mailing.list.1@mydomain.com.br
mailAlias: ml.1@mydomain.com.br
mailEnabled: TRUE
mailUidNumber: 5000
mailGidNumber: 5000
mailHomeDirectory: /var/mail/mydomain.com.br/mailing-accounts/mailing.list.1/
mailStorageDirectory: maildir:/var/mail/mydomain.com.br/mailing-accounts/mailing.list.1/
description: My Domain - Mailing List 1
objectClass: PostfixBookMailAccount
objectClass: MailingAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

dn: mail=mailing.list.2@mydomain.com.br,ou=mailing-accounts,dc=mydomain,dc=com,dc=br
uid: mailing.list.2
userPassword: {SSHA}
displayName: My Domain - Mailing List 2
givenName: My Domain
sn: Mailing List 2
cn: My Domain - Mailing List 2
mail: mailing.list.2@mydomain.com.br
mailEnabled: TRUE
mailUidNumber: 5000
mailGidNumber: 5000
mailHomeDirectory: /var/mail/mydomain.com.br/mailing-accounts/mailing.list.2/
mailStorageDirectory: maildir:/var/mail/mydomain.com.br/mailing-accounts/mailing.list.2/
description: My Domain - Mailing List 2
objectClass: PostfixBookMailAccount
objectClass: MailingAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
################################################################################
## Create Person User Accounts
dn: mail=user.1@mydomain.com.br,ou=person-accounts,dc=mydomain,dc=com,dc=br
uid: user.1
userPassword: {SSHA}
displayName: User 1
givenName: User
sn: 1
cn: User 1
mail: user.1@mydomain.com.br
mailAlias: user.one@mydomain.com.br
mailEnabled: TRUE
mailUidNumber: 5000
mailGidNumber: 5000
mailHomeDirectory: /var/mail/mydomain.com.br/person-accounts/user.1/
mailStorageDirectory: maildir:/var/mail/mydomain.com.br/person-accounts/user.1/
description: My Domain - User 1
objectClass: PostfixBookMailAccount
objectClass: PersonAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

dn: mail=user.2@mydomain.com.br,ou=person-accounts,dc=mydomain,dc=com,dc=br
uid: user.2
userPassword: {SSHA}
displayName: User 2
givenName: User
sn: 2
cn: User 2
mail: user.2@mydomain.com.br
mailAlias: user.two@mydomain.com.br
mailEnabled: TRUE
mailUidNumber: 5000
mailGidNumber: 5000
mailHomeDirectory: /var/mail/mydomain.com.br/person-accounts/user.2/
mailStorageDirectory: maildir:/var/mail/mydomain.com.br/person-accounts/user.2/
description: My Domain - User 2
objectClass: PostfixBookMailAccount
objectClass: PersonAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

dn: mail=user.3@mydomain.com.br,ou=person-accounts,dc=mydomain,dc=com,dc=br
uid: user.3
userPassword: {SSHA}
displayName: User 3
givenName: User
sn: 3
cn: User 3
mail: user.3@mydomain.com.br
mailAlias: user.three@mydomain.com.br
mailEnabled: TRUE
mailUidNumber: 5000
mailGidNumber: 5000
mailHomeDirectory: /var/mail/mydomain.com.br/person-accounts/user.3/
mailStorageDirectory: maildir:/var/mail/mydomain.com.br/person-accounts/user.3/
description: My Domain - User 3
objectClass: PostfixBookMailAccount
objectClass: PersonAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
################################################################################
## for Shared System User Accounts
dn: cn=admin@mydomain.com.br,ou=shared-mailboxes,dc=mydomain,dc=com,dc=br
mail: admin@mydomain.com.br
mailEnabled: TRUE
uniqueMember: mail=user.1@mydomain.com.br,ou=person-accounts,dc=mydomain,dc=com,dc=br
objectClass: groupOfUniqueNames
objectClass: groupOfUniqueNamesWithMail
objectClass: top

## for Shared Department User Accounts
dn: cn=it@mydomain.com.br,ou=shared-mailboxes,dc=mydomain,dc=com,dc=br
mail: it@mydomain.com.br
mailEnabled: TRUE
uniqueMember: mail=user.1@mydomain.com.br,ou=person-accounts,dc=mydomain,dc=com,dc=br
objectClass: groupOfUniqueNames
objectClass: groupOfUniqueNamesWithMail
objectClass: top

## for Shared Mailing User Accounts
dn: cn=everyone@mydomain.com.br,ou=shared-mailboxes,dc=mydomain,dc=com,dc=br
mail: everyone@mydomain.com.br
mailEnabled: TRUE
uniqueMember: mail=user.1@mydomain.com.br,ou=person-accounts,dc=mydomain,dc=com,dc=br
uniqueMember: mail=user.2@mydomain.com.br,ou=person-accounts,dc=mydomain,dc=com,dc=br
uniqueMember: mail=user.3@mydomain.com.br,ou=person-accounts,dc=mydomain,dc=com,dc=br
objectClass: groupOfUniqueNames
objectClass: groupOfUniqueNamesWithMail
objectClass: top

dn: cn=mailing.list.1@mydomain.com.br,ou=shared-mailboxes,dc=mydomain,dc=com,dc=br
mail: mailing.list.1@mydomain.com.br
mailEnabled: TRUE
uniqueMember: mail=user.2@mydomain.com.br,ou=person-accounts,dc=mydomain,dc=com,dc=br
uniqueMember: mail=user.3@mydomain.com.br,ou=person-accounts,dc=mydomain,dc=com,dc=br
objectClass: groupOfUniqueNames
objectClass: groupOfUniqueNamesWithMail
objectClass: top

dn: cn=mailing.list.2@mydomain.com.br,ou=shared-mailboxes,dc=mydomain,dc=com,dc=br
mail: mailing.list.2@mydomain.com.br
mailEnabled: TRUE
uniqueMember: mail=user.1@mydomain.com.br,ou=person-accounts,dc=mydomain,dc=com,dc=br
objectClass: groupOfUniqueNames
objectClass: groupOfUniqueNamesWithMail
objectClass: top

## for Shared User Accounts
dn: cn=user.2@mydomain.com.br,ou=shared-mailboxes,dc=mydomain,dc=com,dc=br
mail: user.2@mydomain.com.br
mailEnabled: FALSE
uniqueMember: mail=user.1@mydomain.com.br,ou=person-accounts,dc=mydomain,dc=com,dc=br
objectClass: groupOfUniqueNames
objectClass: groupOfUniqueNamesWithMail
objectClass: top
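As an added illustration (not part of the original post), the script below applies the same matching rule as the acl_search_filter above to shared-mailboxes LDIF entries and renders, for one user, the per-share doveadm acl set command the post currently runs by hand; this makes the intended mapping from directory data to Dovecot ACLs checkable offline before wiring it into the server. The sample LDIF, BASE_DN, MEMBER_OUS and the function names are constructed for this example and are not from the post or from Dovecot.

```python
import re

# Constructed sample modelled on the post's ou=shared-mailboxes entries (not a real directory).
SAMPLE_LDIF = """\
dn: cn=admin@mydomain.com.br,ou=shared-mailboxes,dc=mydomain,dc=com,dc=br
mail: admin@mydomain.com.br
uniqueMember: mail=user.1@mydomain.com.br,ou=person-accounts,dc=mydomain,dc=com,dc=br
objectClass: groupOfUniqueNamesWithMail

dn: cn=everyone@mydomain.com.br,ou=shared-mailboxes,dc=mydomain,dc=com,dc=br
mail: everyone@mydomain.com.br
uniqueMember: mail=user.1@mydomain.com.br,ou=person-accounts,dc=mydomain,dc=com,dc=br
uniqueMember: mail=user.3@mydomain.com.br,ou=person-accounts,dc=mydomain,dc=com,dc=br
objectClass: groupOfUniqueNamesWithMail
"""

BASE_DN = "dc=mydomain,dc=com,dc=br"
MEMBER_OUS = ("system-accounts", "department-accounts", "mailing-accounts", "person-accounts")  # OUs the filter enumerates
RIGHTS = "lookup read write write-seen write-deleted insert post expunge create delete"

def parse_ldif(text):
    """Split simple LDIF into entries; each maps a lowercased attribute name to its list of values."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:      # the trailing "" flushes the last entry
        if not line:                            # a blank line terminates an entry
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def member_matches(member_dn, user_mail):
    """Mirror the filter: uniqueMember must be exactly mail=<user>,ou=<allowed OU>,<BASE_DN>."""
    m = re.fullmatch(r"mail=([^,]+),ou=([^,]+)," + re.escape(BASE_DN), member_dn.strip(), re.I)
    return bool(m) and m.group(1).lower() == user_mail.lower() and m.group(2).lower() in MEMBER_OUS

def shared_mailboxes_for(user_mail, ldif_text=SAMPLE_LDIF):
    """Mail addresses of the groupOfUniqueNamesWithMail entries that list user_mail as a member."""
    owners = []
    for e in parse_ldif(ldif_text):
        if ("groupofuniquenameswithmail" in map(str.lower, e.get("objectclass", []))
                and any(member_matches(dn, user_mail) for dn in e.get("uniquemember", []))):
            owners.extend(e.get("mail", []))
    return sorted(owners)

def doveadm_acl_commands(user_mail, ldif_text=SAMPLE_LDIF):
    """Render the per-share command from the post, one line per shared mailbox the user may access."""
    return [f"doveadm acl set -u {owner} INBOX user={user_mail} {RIGHTS}"
            for owner in shared_mailboxes_for(user_mail, ldif_text)]
```

Feed it the output of an ldapsearch over ou=shared-mailboxes (LDIF format) instead of SAMPLE_LDIF to diff the generated commands against what doveadm acl get reports for each mailbox.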