I have re-tested with beta9 from src but unfortunately the results are fairly similar. The Public namespace (Shared Public Folders) work great until I try and and control access with the ACL plugin.
Problems are:
- dovecot-acl file within public namespace directory isn't found
- global ACLs (vfile) partially work with virtual users but when used: a) non-ACL restricted public namespace directories stop working b) permitted users are unable to view or create sub-folders
I think all the above problems can be attributed to the fact the ACL plugin ignores the namespace prefix. I did further testing with the vfile using some suggestions from the list:
VFILE TESTING: ("vmail" is the local user)
owner lrwstiekxa user=vmail lrwstiekxa user=virtualuser1@domain.com lrwstiek
Dovecot Log: child 8872 (imap) killed with signal 11
owner user=vmail lrwstiekxa user=virtualuser1@domain.com lrwstiek
Dovecot Log: child 8872 (imap) killed with signal 11
user=vmail lrwstiekxa user=virtualuser1@domain.com lrwstiek
Problems 2 (a) and (b) still exist. Sub-folder *is* created but not accessible
user=virtualuser1@domain.com lrwstiek
Problems 2 (a) and (b) still exist. Sub-folder *is* created but not accessible
Ideally I would like to use per-mailbox ACLs (dovecot-acl files) so I could easily be selective on what directories were access controlled, does anyone have a fix for this?
I have a couple of clients requiring access controlled Public Shared Folders so sponsoring the fix/development is not out of the question.
Regards, Gavin
On Thu, 2006-06-01 at 10:40 +1200, Fintec wrote:
Thanks for the reply Timo.
I think one of my main problems is that: "Namespace prefixes are currently ignored". My public namespace is defined as:
---------- snip ---------- namespace public { separator = . prefix = Public_Folders. location = maildir:/home/vmail/domains/% d/Public_Folders:CONTROL=/home/vmail/domains/%d/% n/Public_Folders/support:INDEX=/home/vmail/domains/%d/% n/Public_Folders/index hidden = no } ---------- snip ----------
This means when I try and add a dovecot-acl file into one of my Public_Folders (in the public name space) it isn't seen at all. I switched to using a vfile global acl which is at least seen but I'm getting mixed results. To test I created /etc/dovecot-acls/Management: user=user1@domain.com lrwsiea user=user2@domain.com lrwsie
If I add any more of the ACLs, for example k dovecot reports: dovecot: IMAP(user1@domain.com): ACL file /etc/dovecot-acls/Management line 1: Unknown ACL 'k'
This means I have been able to restrict access to the Management folder but because I cannot add k to the ACL list I'm unable to create folders within this. Also, when using the vfile global ACL file /etc/dovecot-acls/Management none of the other Public_Folder sub directories are available at all!
In summary:
- dovecot-acl file within public namespace directory isn't found because ACL ignores namespace prefix
- global ACLs partialy work with virtual users but currently not able to do more than lrwsiea
- global ACLs stop other non-ACL restricted public namespace directories working (in my configuration)
Any help with this would be greatly appreciated!
Gavin
On Tue, 2006-05-30 at 14:59 +0300, Timo Sirainen wrote:
On Tue, 2006-05-30 at 11:28 +1200, Fintec wrote:
Our implementation of dovecot (v1.0b7) uses many virtual users and domains and 1 actual user (vmail), all using maildir. So far I have successfully created the public namespace (Public_Folders) which every user can access but I'm having difficulty restricting access using ACls.
When trying to implement the dovecot ACL plug-in I followed the wiki instructions and created a "dovecot-acl" file within Public_Folders containing: owner lrwstiekxa user=user1@domain.com lrwstiek
However this doesn't appear to do anything. All users can still access Public_Folders so I have a couple of questions that hopefully someone can help me with...
The problem here is that Dovecot assumes the logged in user owns the mailbox. The ACLs were currently meant mostly to work with master user logins, so the only case when owner doesn't match the logged in user is when a master user logs in as someone else.
How do you define mailbox's owner anyway in cases like this? If the mailbox exists in a public namespace, is anyone its owner? Well I guess I'll try to figure out this when I'm really implementing the proper shared mailbox support for Dovecot..
Anyway, this would work for you:
owner user=real-owner-user lrwstiekxa user=user1@domain.com lrwstiek
Although after I tried it now, I found a bug which causes it to crash with the empty owner list. Or actually that same bug could cause it to break in other ways too, fix here:
http://dovecot.org/list/dovecot-cvs/2006-May/005609.html
- Is it possible to create dovecot-acl files with virtual usernames, i.e. user1@domain.com or does it have to be actual users, i.e. vmail?
They must be virtual usernames.
- Is it possible to restrict access within the namespace definition, i.e. set up another public namespace restricted to manager@domain.com?
This sounds more like user-specific configuration, which is possible with a kludgy imap-wrapper script which sets up proper namespace environment variables before calling imap binary itself.
- Is ACL accepts & denies logged somewhere other than /var/log/maillog (my default)?
They're not logged anywhere currently. Is it really useful? Seems like it'd only fill up the logs. Optionally perhaps..