Wow, hard to believe.
I thought it was just a lack of skill on my part in finding/making the correct configuration.
But what do large email servers that use Dovecot do?
I thought it was an orchestration between OpenLDAP, Postfix and Dovecot because theoretically LDAP is the best place to store users, groups, passwords and permissions.
Anyway, below is the bash script that I used to do a minimal automation of ACLs.
[ apply_ACLs_for_shared_mailboxes.sh ]
#!/bin/bash
# Apply Dovecot ACLs for the shared mailboxes defined in LDAP.
set -euo pipefail

# LDAP base DN
BASE_DN="dc=mydomain,dc=com,dc=br"

# LDAP search filter for enabled shared mailboxes
LDAP_FILTER="(&(objectClass=groupOfUniqueNamesWithMail)(mailEnabled=TRUE))"

# LDAP server details; the bind password is read from a root-only (0600) file
# instead of being passed with -w, which would expose it in the process list
# (the file must contain the password without a trailing newline)
LDAP_SERVER="ldap://ldap"
LDAP_BIND_DN="cn=admin,dc=mydomain,dc=com,dc=br"
LDAP_PASSWORD_FILE="/etc/dovecot/ldap-bind.pw"

# temporary file for the LDAP search results: private and unpredictable name,
# removed on exit even if the script fails
TEMP_FILE=$(mktemp /tmp/shared_mailboxes.XXXXXX)
trap 'rm -f "$TEMP_FILE"' EXIT

# rights granted to members on the shared mailbox folders
RIGHTS="lookup read write write-seen write-deleted insert post expunge create delete"

# perform LDAP search to get shared mailboxes and their members;
# ldif-wrap=no keeps long DNs on a single line so they can be parsed line by line
ldapsearch -x -o ldif-wrap=no -H "$LDAP_SERVER" -D "$LDAP_BIND_DN" -y "$LDAP_PASSWORD_FILE" \
    -b "ou=shared-mailboxes,$BASE_DN" "$LDAP_FILTER" mail uniqueMember > "$TEMP_FILE"

# read the LDIF file and run the doveadm acl commands
re_mail='^mail: (.+)$'
re_member='^uniqueMember: (.+)$'
SHARED_MAILBOX=""
while IFS= read -r line; do
    if [[ $line =~ $re_mail ]]; then
        SHARED_MAILBOX="${BASH_REMATCH[1]}"
    elif [[ $line =~ $re_member ]]; then
        # take the value of the first RDN (uid=...) of the member DN as the user name
        USER=$(printf '%s' "${BASH_REMATCH[1]}" | cut -d ',' -f 1 | cut -d '=' -f 2)
        # skip members listed before a mail: attribute (malformed entry)
        [[ -n $SHARED_MAILBOX ]] || continue
        # INBOX ($RIGHTS is deliberately unquoted so each right is a separate argument)
        echo "doveadm acl set -u $SHARED_MAILBOX INBOX user=$USER $RIGHTS"
        doveadm acl set -u "$SHARED_MAILBOX" INBOX "user=$USER" $RIGHTS
        # Sent folder
        echo "doveadm acl set -u $SHARED_MAILBOX INBOX/Sent user=$USER $RIGHTS"
        doveadm acl set -u "$SHARED_MAILBOX" INBOX/Sent "user=$USER" $RIGHTS
    fi
done < "$TEMP_FILE"

# the temporary file is cleaned up by the trap on exit
I would like to take this opportunity to ask two things:
a) What would be the most appropriate permissions so that users with access to a shared mailbox can only read emails (delete only for the users who are "owners" of the shared mailbox)?
b) With the query below in [ /etc/postfix/ldap-senders.cf ], users with permission to access shared mailboxes can send mail using the shared mailbox address; however, the mail ends up in the Sent folder of the user who sent it and not in the Sent folder of the shared mailbox (where I would like it to be). The idea is that if three people have access to a shared mailbox, the first one to read and respond to an email leaves the reply saved in the Sent folder of the shared mailbox, so that the other two can see that the email has already been responded to.