On February 2, 2010 10:54:10 PM +0200 Timo Sirainen <tss@iki.fi> wrote:
Oh, right. LDA only looks up userdb.
So when I access these disabled users' maildirs from another user's login, how is imap finding them? Simply by virtue of the acl_shared_dict and mail_location settings? Because moving them to my passwd.deny removes the user from the single userdb, my passwd file. imap still knows them through the passdb (passdb.deny), but not the userdb.
Yep, that seems to be the case. The target (disabled) user need not exist in the userdb at all and dovecot/imap can still find their shared maildir. That's interesting. It seems it could lead to confusion and perhaps this is not desirable? Because what if my userdb overrides the mail_location via proxy or load-balancing hash? imap wouldn't be able to find the correct maildir.
Also at first glance I would think that this means additional security is needed for a distributed (SQL or otherwise) acl_shared_dict but in addition to being in the acl_shared_dict, the dovecot-acl must grant permission to the sharing user, so I think it's ok. (And of course you need good controls on a distributed acl_shared_dict anyway.)
In summary, I would suggest that access to shared namespaces needs to include a userdb lookup to find the user's mail location, which doesn't seem to be happening now, or at least it seems to be defaulting to the global mail_location setting if the user is not found -- I suggest a failed (not found) userdb lookup should invalidate the shared mailbox.
-frank
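An added configuration sketch (not from this thread and not Dovecot's own documentation) showing the two ways a shared namespace location is commonly written; which one is used decides whether imap can open the sharing user's maildir without that user existing in userdb. Paths and the dict file are assumed; the point that %%h needs a userdb lookup for the sharing user follows Dovecot's shared-mailbox documentation for the 1.2-era config format.

```conf
# Added example, not from the thread. Assumed paths: /var/mail/%%u and
# /var/lib/dovecot/shared-mailboxes.db; adapt to the real layout.
namespace shared {
  separator = /
  prefix = shared/%%u/

  # Variant A: location derived only from the sharing user's name.
  # No userdb lookup is needed to open the other user's maildir, so a user
  # removed from userdb (but still listed in acl_shared_dict, with a
  # dovecot-acl granting access) remains reachable through the share.
  location = maildir:/var/mail/%%u/Maildir:INDEX=~/Maildir/shared/%%u

  # Variant B: location built from the sharing user's home (%%h).
  # Dovecot must resolve %%h through a userdb lookup for that user, so a
  # user missing from userdb cannot be resolved and the share is not
  # accessible. imap needs access to the auth master socket for this.
  #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u

  subscriptions = no
  list = children
}

plugin {
  acl = vfile
  # Dictionary recording which users have shared mailboxes with whom;
  # the per-mailbox dovecot-acl file still has to grant the right.
  acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes.db
}
```

With Variant A, disabling a user in userdb alone does not stop other users from reaching that user's shared folders; the acl_shared_dict entry and dovecot-acl have to be revoked as well.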