On 14/05/2023 20:14 EEST micha--- via dovecot dovecot@dovecot.org wrote:
What is correct way to sync ACLs across two servers?
Example: I want user1 to have access to user2 mailbox. I do this on server1: doveadm acl set shared/user2 user=user1 admin create delete expunge insert lookup read write write-deleted write-see
Now user1 can see shared/user2 when logged in to server1. (Looks good!) He still has no access when logged in to server2. (Seems correct.) So I do synchronization: doveadm sync -u user2 remote:server2
...and nothing changes. He still has access only when logged in to server1. So I force full synchronization: doveadm sync -u -f user2 remote:server2
...and success! User1 has access to shared/user2 on both servers now.
But now I want to remove access. So I do this on server1: doveadm acl delete shared/user2 user=user1
Of course the above affects only server1, so user1 still has access when logged in to server2. So now I do synchronization: doveadm sync -u user2 remote:server2
Nothing happens. :-( So I try to do a full sync: doveadm sync -u user2 -f remote:server2
...disaster! The ACL is COPIED BACK from server2 to server1, effectively restoring access to shared/user2 on both servers again. (WTH?)
So the big question is: How to do it properly? It would be enough for me if ACLs were copied only one way (server1->server2), but bidirectional replication would of course also be nice. :-)
Configs:

namespace {
  disabled = no
  hidden = no
  ignore_on_failure = no
  inbox = no
  list = children
  location = maildir:%%h/.maildir:LAYOUT=fs:INDEX=~/.shared/%%u
  order = 0
  prefix = shared/%%u/
  separator = /
  subscriptions = no
  type = shared
}
plugin {
  acl = vfile:/etc/dovecot/mailconfig/global-acls
  acl_defaults_from_inbox = yes
  acl_shared_dict = file:/etc/dovecot/mailconfig/shared/shared-mailboxes
}
doveadm sync should sync all your local ACLs just fine. Global ACL you need to sync yourself.
Aki
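The copy-back described in the question (a stale grant on server2 restored onto server1 by a full sync) and Aki's note that only local ACLs are synced both point to checking for ACL drift before syncing. The script below is an added example, not from the thread or from Dovecot; it assumes the mailbox ACL has been dumped on each server into a text file of "<id> <rights...>" lines (dovecot-acl file layout), and the file names and sample entries are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread or Dovecot): detect ACL drift between two
# servers BEFORE "doveadm sync", so a stale entry on server2 is reported instead
# of silently being copied back to server1. Input: one ACL dump per server in
# dovecot-acl layout, i.e. lines of "<id> <rights...>" (assumption).

# Canonical form: drop blank lines and # comments, sort the rights inside each
# entry so "read write" equals "write read", then sort the entries themselves.
normalize_acl() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
    awk '{
        n = split("", r)                 # reset the rights array
        for (i = 2; i <= NF; i++) r[++n] = $i
        for (i = 2; i <= n; i++) {       # insertion sort of the rights
            v = r[i]; j = i - 1
            while (j > 0 && r[j] > v) { r[j+1] = r[j]; j-- }
            r[j+1] = v
        }
        s = $1; for (i = 1; i <= n; i++) s = s " " r[i]
        print s
    }' | sort
}

# Compare two dumps. Prints entries only on server1 (<) or only on server2 (>).
# Returns 0 when the ACLs match, 1 when drift is found.
acl_drift() {
    a=$(mktemp); b=$(mktemp)
    normalize_acl "$1" > "$a"
    normalize_acl "$2" > "$b"
    if diff "$a" "$b" > /dev/null; then
        rm -f "$a" "$b"; return 0
    fi
    diff "$a" "$b" | grep '^[<>]'        # the differing entries only
    rm -f "$a" "$b"; return 1
}

# Constructed sample dumps mirroring the thread: server1 after
# "doveadm acl delete", server2 still holding the old grant for user1.
SERVER1_ACL=$(mktemp); SERVER2_ACL=$(mktemp)
printf 'owner lookup read write write-seen insert\n' > "$SERVER1_ACL"
printf 'owner insert write-seen lookup read write\nuser=user1 write read lookup\n' > "$SERVER2_ACL"

acl_drift "$SERVER1_ACL" "$SERVER2_ACL" || echo "ACL drift found; fix it before running doveadm sync"
```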