Hi,
On Wed, 25 Oct 2017, Heiko Schlittermann wrote:
given a small organization. There are *personal* mailboxes (mailbox per user, incl. subfolders et cetera). The users can share specific folders via the ACL (we call it "other users/", Dovecot calls it a "shared" folder). Additionally there are mailboxes Dovecot calls "public" (we use the term "groups/"). They are not associated with a specific account, but accessible via ACL only. (A good example for the latter is "info@example.com".)
But now they're seeking a way to implement "role" accounts.
We could create new "role" users, share the password and create an additional account within the mail client (Thunderbird) they use. From the users' perspective it is exactly what they want. But I dislike the idea of sharing the password.
Question: Is there any way to split the authentication from the authorization within common mail clients (such as Thunderbird) in combination with Dovecot? That is, doing something like logging in to the account sales@example.com using the credentials of one's own account (say hans@example.com)?
We faced the same problem and solved it with a PAM module:
https://gitlab.kfki.hu/kadlec/pam-groupuser
Any kind of MUA is supported, with whatever authentication backend you have. The README follows:
This tiny PAM module makes it possible to authenticate to group user accounts, where
- the group user has its own group with the same name as its username
- the group members are real users, who want to access the resources (email, files) of the group user
The pam_groupuser.so module must be referenced twice in the PAM configuration for the given service/resource, i.e.

    auth required pam_groupuser.so
    <all normal auth modules>
    auth required pam_groupuser.so second-pass
The users must log in with the username "groupusername*realusername" and the password belonging to "realusername". The first call to pam_groupuser.so sets the PAM username to "realusername", so the authentication modules that follow authenticate the real user. The second call to pam_groupuser.so sets the PAM username to "groupusername", so the account and session environment are set up for groupusername.
Applications that support this kind of setup:
- dovecot POP/IMAP server
- vsftpd FTP server
Addendum: for Dovecot, add "*" to the allowed username characters (auth_username_chars) in /etc/dovecot/conf.d/10-auth.conf.
Best regards, Jozsef
E-mail : kadlecsik.jozsef@wigner.mta.hu
PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address: Wigner Research Centre for Physics, Hungarian Academy of Sciences
         H-1525 Budapest 114, POB. 49, Hungary
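An added model of the two-pass username rewriting the README describes (example code written for this page, not the pam_groupuser module itself). It assumes the module checks that the real user is a member of the group named after the group user, and it hands the original login to the second pass explicitly, whereas a real PAM module would have to keep it between the two calls; the users, passwords and groups are constructed sample data.

```python
from __future__ import annotations
import hmac

SEPARATOR = "*"  # README separator; Dovecot must allow it in auth_username_chars


def split_login(login: str) -> tuple[str, str] | None:
    """Split "groupusername*realusername" into (group_user, real_user).

    A plain login without the separator returns None, so ordinary users pass
    through untouched.  Empty parts or more than one separator are rejected.
    """
    if SEPARATOR not in login:
        return None
    parts = login.split(SEPARATOR)
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"malformed group login: {login!r}")
    return parts[0], parts[1]


def first_pass(login: str) -> str:
    """First pam_groupuser call: PAM_USER becomes the real user, so the normal
    auth modules that follow check the real user's password."""
    split = split_login(login)
    return login if split is None else split[1]


def second_pass(login: str, groups: dict[str, set[str]]) -> str:
    """Second call ("second-pass"): PAM_USER becomes the group user, so the
    account/session stages set up its environment.  Assumed check: the real
    user must be a member of the group that carries the group user's name."""
    split = split_login(login)
    if split is None:
        return login
    group_user, real_user = split
    if real_user not in groups.get(group_user, set()):
        raise PermissionError(f"{real_user!r} is not in group {group_user!r}")
    return group_user


def resolve_login(login: str, password: str, passwords, groups) -> str:
    """Whole flow: rewrite to the real user, authenticate them, then switch
    to the group user.  The group account's own password is never used."""
    real_user = first_pass(login)
    stored = passwords.get(real_user)
    if stored is None or not hmac.compare_digest(stored, password):
        raise PermissionError("authentication failed")
    return second_pass(login, groups)


# Constructed sample data (not from the post): hans and eva may act as "sales".
PASSWORDS = {"hans": "hans-secret", "eva": "eva-secret"}
GROUPS = {"sales": {"hans", "eva"}}
```

Calling resolve_login("sales*hans", "hans-secret", PASSWORDS, GROUPS) yields "sales", while a non-member such as "sales*bob" or a wrong password is refused before the switch happens.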