On Tue, 2006-05-30 at 11:28 +1200, Fintec wrote:
> Our implementation of dovecot (v1.0b7) uses many virtual users and domains and one actual user (vmail), all using maildir. So far I have successfully created the public namespace (Public_Folders) which every user can access, but I'm having difficulty restricting access using ACLs.
>
> When trying to implement the dovecot ACL plug-in I followed the wiki instructions and created a "dovecot-acl" file within Public_Folders containing:
>
>   owner lrwstiekxa
>   user=user1@domain.com lrwstiek
>
> However, this doesn't appear to do anything. All users can still access Public_Folders, so I have a couple of questions that hopefully someone can help me with...
The problem here is that Dovecot assumes the logged in user owns the mailbox. The ACLs are currently meant mostly to work with master user logins, so the only case when the owner doesn't match the logged in user is when a master user logs in as someone else.

How do you define a mailbox's owner anyway in cases like this? If the mailbox exists in a public namespace, is anyone its owner? Well, I guess I'll try to figure this out when I'm really implementing the proper shared mailbox support for Dovecot..
Anyway, this would work for you:
  owner
  user=real-owner-user lrwstiekxa
  user=user1@domain.com lrwstiek

Although when I tried it just now, I found a bug which causes it to crash with the empty owner list. Or actually that same bug could cause it to break in other ways too, fix here:
http://dovecot.org/list/dovecot-cvs/2006-May/005609.html
> - Is it possible to create dovecot-acl files with virtual usernames, i.e. user1@domain.com or does it have to be actual users, i.e. vmail?
They must be virtual usernames.
> - Is it possible to restrict access within the namespace definition, i.e. set up another public namespace restricted to manager@domain.com?
This sounds more like user-specific configuration, which is possible with a kludgy imap-wrapper script which sets up proper namespace environment variables before calling imap binary itself.
> - Are ACL accepts & denies logged somewhere other than /var/log/maillog (my default)?
They're not logged anywhere currently. Is it really useful? Seems like it'd only fill up the logs. Optionally perhaps..
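As an added worked model, written for this thread and not Dovecot's own code or anything either poster supplied, the snippet below evaluates a dovecot-acl file the way the explanation above describes: with 1.0b7 treating the logged-in user as the mailbox owner, the posted "owner lrwstiekxa" line matches everyone who logs in, while naming the owner with an explicit user= line leaves users with no matching entry and no rights. The right letters are those documented for Dovecot's ACL plugin; the login user2@domain.com is a constructed example; merging several matching entries by union is an assumption of this model, and an identifier with no rights (the bare "owner" line) is treated as granting nothing.

```python
"""Model of how a dovecot-acl file decides a user's rights on a public mailbox.
Added example for the thread above; not Dovecot's own implementation."""

# The ACL file exactly as posted by Fintec.
ACL_AS_POSTED = """\
owner lrwstiekxa
user=user1@domain.com lrwstiek
"""

# The replacement suggested in the reply: owner named explicitly, bare "owner" line kept.
ACL_SUGGESTED = """\
owner
user=real-owner-user lrwstiekxa
user=user1@domain.com lrwstiek
"""

# Right letters as documented for the Dovecot ACL plugin (used here for validation).
RIGHT_NAMES = {
    "l": "lookup", "r": "read", "w": "write-flags", "s": "write-seen",
    "t": "write-deleted", "i": "insert", "p": "post", "e": "expunge",
    "k": "create", "x": "delete", "a": "admin",
}


def parse_acl(text):
    """Return a list of (identifier, frozenset-of-right-letters) pairs, one per ACL line.

    Identifiers: 'owner', 'user=<virtual username>', 'group=<name>', 'authenticated', 'anyone'.
    A line with an identifier and no rights (the bare 'owner' from the thread) yields an
    empty set; this model grants nothing for it rather than crashing.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) > 2:
            raise ValueError(f"line {lineno}: expected '<identifier> [rights]', got {raw!r}")
        ident = parts[0]
        rights = parts[1] if len(parts) == 2 else ""
        if not (ident in ("owner", "authenticated", "anyone")
                or ident.startswith(("user=", "group="))):
            raise ValueError(f"line {lineno}: unknown identifier {ident!r}")
        unknown = set(rights) - set(RIGHT_NAMES)
        if unknown:
            raise ValueError(f"line {lineno}: unknown right letters {sorted(unknown)}")
        entries.append((ident, frozenset(rights)))
    return entries


def effective_rights(entries, login_user, mailbox_owner=None, groups=()):
    """Union the rights of every entry that matches login_user (union is an assumption here).

    mailbox_owner=None reproduces the 1.0b7 behaviour described in the reply: the logged-in
    user is assumed to be the owner, so an 'owner' line matches whoever logs in. Pass the
    real owner to see what the file was meant to express.
    """
    owner = login_user if mailbox_owner is None else mailbox_owner
    rights = set()
    for ident, r in entries:
        if ident == "owner" and login_user == owner:
            rights |= r
        elif ident == "anyone":
            rights |= r
        elif ident == "authenticated" and login_user is not None:
            rights |= r
        elif ident == f"user={login_user}":
            rights |= r
        elif ident.startswith("group=") and ident[6:] in groups:
            rights |= r
    return frozenset(rights)


def can_open(rights):
    """A mailbox is visible and readable only with both lookup (l) and read (r)."""
    return {"l", "r"} <= rights


def report(acl_text, users, mailbox_owner=None):
    """Per-user right letters for an ACL text, in the canonical 'lrwstipekxa' order."""
    entries = parse_acl(acl_text)
    order = "lrwstipekxa"
    return {u: "".join(c for c in order if c in effective_rights(entries, u, mailbox_owner))
            for u in users}


if __name__ == "__main__":
    users = ["user1@domain.com", "user2@domain.com", "real-owner-user"]  # constructed logins
    print("as posted, owner assumed to be login user:", report(ACL_AS_POSTED, users))
    print("suggested, same assumption:               ", report(ACL_SUGGESTED, users))
```

Running it shows the symptom from the original mail: with the file as posted, user2@domain.com ends up with the full "lrwstiekxa" because the owner line matched them, whereas with the suggested file they get no rights at all and user1@domain.com is limited to "lrwstiek" (no create, delete or admin).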