Hi,
I use pam_ldap.so to use LDAP to authenticate my users. I don't use
virtual accounts, but every account is a unix account.
I use a post login script to export the ACL_GROUPS
variable to hold
all unix groups the user belongs to.
Each group corresponds to a shared mailbox, where UNIX group permission
handle which user gets access to the mailbox.
Recently I added acl files to the shared mailboxes that look like:
group=some_group kxeilprwts
The Permissions of the user Mailboxes are generally 0700 and 0770 for
shared mailboxes.
The namespace of the shared Mailboxes looks something like:
type=shared, prefix=Shared/%%u/ location= maildir:/somewhere/'%%d/%%n/Maildir:INDEX=/srv/mails/%d/%n/Maildir/shared/%%u
Everything works fine, except my log gets flooded with messages saying:
open(/path/to/shared/mailbox) failed: Permission denied
and
opendir(/path/to/shared) failed: Permission denied, missing +x perm, we're not in group
. The user should also not be in the group.
This is also reproducible when I do doveadm mailbox list -u some_unix_user
, where dovecot tries to list all of the mailboxes, even
though the user does not have permissions to do so.
Referenced here:
https://doc.dovecot.org/main/core/config/shared_mailboxes.html it says
"Dovecot assumes that it can access the other users' mailboxes".
So should I just ignore the messages/write a syslog filter for them?
How can I prevent dovecot from checking every shared mailbox, even
though they don't have access to it?