I tested with release 2.3.5, and
doveadm -Dv acl debug -u testuser pub doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls/pub/INBOX not found doveadm(testuser): Debug: acl vfile: file /home/vmail/pub/Mail/mailboxes/INBOX/dbox-Mails/dovecot-acl not found doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls/ not found doveadm(testuser): Debug: acl vfile: file /home/vmail/pub/Mail/mailboxes/dovecot-acl not found
so our advice is to upgrade into 2.3.5, as 2.2.36 is no longer in development.
Aki
On 7 March 2019 19:47 Aki Tuomi via dovecot dovecot@dovecot.org wrote:
Sorry, we have not yet been able to look into this..
It's now in our internal system as DOP-966
Aki
On 7 March 2019 17:31 Michal Hlavinka via dovecot dovecot@dovecot.org wrote:
Hi, any progress with this issue? Do you need more information to debug and fix this?
Cheers Michal Hlavinka
On 9/18/18 4:10 PM, Michal Hlavinka wrote:
Hi
tl;dr: Seems that for Global ACL directory, namespace prefix is not part of the path, when looking for acl file.
Long version:
We're planning to update dovecot in next os update to 2.2.36 and while going through regression testing, we found a problem with ACL configuration combined with namespace.
Test uses "Global ACL directory" configuration.
Relevant configuration part: mail_location = maildir:~/Maildir
namespace inbox { hidden = no inbox = yes list = yes location = prefix = separator = / } namespace { hidden = no list = yes location = maildir:/var/mail/pub prefix = pub/ separator = / type = public }
mail_plugins = acl
protocol imap { mail_plugins = $mail_plugins acl imap_acl } plugin { acl = vfile:/etc/dovecot/global-acls }
ACL config file is stored at: /etc/dovecot/global-acls/pub/.DEFAULT
when trying to examine "pub", it is denied: fetchmail: IMAP> A0005 EXAMINE "pub" fetchmail: IMAP< A0005 NO Mailbox doesn't exist: pub (0.001 + 0.000 secs).
# doveadm acl debug -u d2 pub doveadm(d2): Info: Mailbox '' is in namespace 'pub/' doveadm(d2): Info: Mailbox path: /var/mail/pub doveadm(d2): Info: All message flags are shared across users in mailbox doveadm(d2): Info: User d2 has no rights for mailbox doveadm(d2): Error: User d2 is missing 'lookup' right doveadm(d2): Info: Mailbox pub is NOT visible in LIST
because it did not find acl file: imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt= imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls imap(d2): Debug: acl: acl username = d2 imap(d2): Debug: acl: owner = 0 imap(d2): Debug: acl vfile: Global ACL legacy directory: /etc/dovecot/global-acls imap(d2): Debug: pub: Mailbox opened because: EXAMINE imap(d2): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
see it's looking for: /etc/dovecot/global-acls//.DEFAULT instead of /etc/dovecot/global-acls/pub/.DEFAULT
Checking with documentation https://wiki.dovecot.org/ACL it seems that prefix should still be part of the path, as it was before: """The filenames must start with namespace prefix (if it has one). For example with namespace prefix=INBOX/ containing mailbox "foo" use /etc/dovecot/acls/INBOX/foo."""
Just for comparison, previous version (2.2.10) would work fine: imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt= imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls imap(d2): Debug: acl: acl username = d2 imap(d2): Debug: acl: owner = 0 imap(d2): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls imap(d2): Debug: acl vfile: reading file /etc/dovecot/global-acls/pub/.DEFAULT imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
I've localized problem to: src/plugins/acl/acl-backend-vfile.c: acl_backend_vfile_object_init(...) and change from:
vname = mailbox_list_get_vname(_backend->list, name);
to:
vname = *name == '\0' ? "" : mailbox_list_get_vname(_backend->list, name);
that happened quite time ago during bigger acl changes and I don't know why exactly this line was changed previously. Anyway, reverting this line alone fixes the problem and while testing both per-mailbox ACL vfile and Global ACL file, reverting this did not affect them.