I would just add to this that simply putting a dovecot-acl file in a shared folder with "user=<username> <permissions>" does work just fine for us (without the complicated setup described below). Our problem is that group-based restrictions don't work at all (i.e. "group=<groupname> <permissions>", as described in the manual).
I'm also trying to figure out what the force-group ACL identifier is supposed to mean.
.... I gotta stop hitting "reply" for this list. I keep accidentally sending messages to the original authors rather than to the mailing list :)
Jim Horner wrote:
In courier-imap, we were able to take advantage of the maildir structure and standard unix users/groups to allow 'decsstaff' members to have full write access while 'decsall' members only have r/o unless also a member of 'decsstaff':
-rw-rw-r-- 1 postlocal decsstaff 37597 May 5 23:37 /egr/mail/shared/decs/.support.In/cur/1178422658.M533373P54269.ice drwxrwxr-x 2 postlocal decsstaff 24576 May 5 23:37 /egr/mail/shared/decs/.support.In/cur drwxrws--- 6 postlocal decsall 4096 Apr 22 18:08 /egr/mail/shared/decs/.support.In drwxrwsr-x 34 postlocal wheel 4096 May 1 07:23 /egr/mail/shared/decs location: maildir:/egr/mail/shared-dovecot2/vprgs:CONTROL=%h/Maildir/dovecot/public/c ontrol/vprgs:INDEX=%h/Maildir/dovecot/public/indexes/vprgs namespace: type: private separator: / prefix: mail/ hidden: yes
plugin: acl: vfile:/usr/local/etc/dovecot-acls
I use shared folders. I posted a while back about my setup. There have been a few changelogs since then concerning ACLs. My setup might be whacked but it still continues to work. The simplest example I have is root mail.
I have mail folders
drwxrwx--- 4 rootmail users /home/services/mail/rootmail/Maildir drwxrwx--- 4 rootmail users ../.RootmailFolder drwxrwx--- 4 rootmail users ../.RootmailFolder.general
To get around ACL plugins downside of being unaware of namespaces I create a "RootmailFolder" underneath Maildir. No one else probably (hopefully) will have a folder named that. If they did then the permissions in the ACL
plug-in directory would override "owner permissions". Were that to happen then you could just put a dovecot-acl file in the user's directory to compensate though this is a fuzzy part... this used to work but I haven't needed to test it so I don't know if it does still.I then created a general folder under that. I have a sieve script which pumps all mail into the general folder. So this is rootmail's "inbox". I did this as a workaround.
<might not be needed nor work anymore>
If you actually want a user 'rootmail' to use an imap client and log into their mailbox then you would create a file
/home/services/mail/rootmail/Maildir/dovecot-acl /home/services/mail/rootmail/Maildir/.RootmailFolder/dovecot-acl /home/services/mail/rootmail/Maildir/.RootmailFolder.general/dovecot-acl
all the files contain:
user=rootmail lrwstie
To use the ACL plug-in files must be create in this directory:
plugin: acl: vfile:/usr/local/etc/dovecot-acls
so I have (using your path) files:
/usr/local/etc/dovecot-acls/RootmailFolder /usr/local/etc/dovecot-acls/RootmailFolder.general
These files contain
user=jhorner lrwstie
My namespace is setup as:
namespace public { separator = . prefix = ROOTMAIL. location = maildir:/home/services/mail/rootmail/Maildir:CONTROL=%h/shared-settings/rootmail/control:INDEX=%h/shared-settings/rootmail/index hidden = no inbox = no }
Everyone can see the namespace but no one but me can access the namespace because RootmailFolder is only accessible by me. Those who do try to access a forbidden folder get a curt techie error. However, most clients do not show the namespace because there aren't any folders underneath the namespace that are accessible so this is not a problem for me.
I also have a COMPANY share setup similarly. However there are many many folders underneath this share and different people can access different folders and I accomplish that using the ACL plug-in similar to above.
I used to use Courier and I was able to duplicate shared folders via the ACL plug-in though the folders are now one level deeper, i.e. ROOTMAIL/RootmailFolders/general as opposed to ROOTMAIL/general (namespace/foldername). Some users did complain. Oh well... most are still breathing.
Jim
This e-mail message is privileged, confidential and subject to copyright. Any unauthorized use or disclosure is prohibited. Le contenu du pr'esent courriel est privil'egi'e, confidentiel et soumis `a des droits d'auteur. Il est interdit de l'utiliser ou de le divulguer sans autorisation.