Hi Team,
I am trying to set up mailbox sharing. But although user test2 shares INBOX with test1, it is not visible for user1.
doveadm acl get -u test2 INBOX
ID     Global Rights
user=test1 admin create delete expunge insert lookup post read write write-deleted write-seen

cat /srv/mail/dovecot/lib/shared-mailboxes.db
shared/shared-boxes/user/test1/test2@example.com
1
Log output:
Feb 16 20:12:42 server dovecot: imap-login: Login: user=test1@example.com, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=900367, secured, session=
Dovecot -n:
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.13 (cdd19fe3)
# OS: Linux 5.10.0-10-amd64 x86_64 Debian 11.2 ext4
# Hostname: server.example.com
auth_default_realm = EXAMPLE.COM
auth_gssapi_hostname = server.example.com
auth_krb5_keytab = /etc/keytab/dovecot.keytab
auth_master_user_separator = *
auth_mechanisms = gssapi gss-spnego plain
auth_realms = EXAMPLE.COM
first_valid_gid = 601
first_valid_uid = 601
hostname = server.example.com
imap_client_workarounds = tb-extra-mailbox-sep
imap_max_line_length = 2 M
login_greeting = Dovecot ready.
mail_debug = yes
mail_gid = 986
mail_location = maildir:/srv/mail/vmail/example.com/%n/store:LAYOUT=fs:FULLDIRNAME=0_FolderContent:UTF-8:INDEX=/srv/mail/vmail/example.com/%n/index:CONTROL=/srv/mail/vmail/example.com/%n/control:VOLATILEDIR=/srv/mail/vmail/example.com/%n/volatile
mail_plugins = zlib notify push_notification listescape acl
mail_shared_explicit_inbox = yes
mail_uid = 990
namespace {
hidden = no
list = no
location = maildir:/srv/mail/vmail/example.com/%%n/store:LAYOUT=fs:FULLDIRNAME=0_FolderContent:UTF-8:INDEXPVT=/srv/mail/vmail/example.com/%n/index_shared/%%u:CONTROL=/srv/mail/vmail/example.com/%%n/control:VOLATILEDIR=/srv/mail/vmail/example.com/%%n/volatile
prefix = shared~%%u~
separator = ~
subscriptions = no
type = shared
}
namespace inbox {
hidden = no
inbox = yes
list = yes
location =
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Inbox {
auto = subscribe
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
separator = ~
subscriptions = yes
type = private
}
passdb {
args = username_format=%u /etc/dovecot/master-users
driver = passwd-file
master = yes
}
passdb {
args = /etc/dovecot/ldap_user_to_principal.conf.ext
driver = ldap
pass = yes
}
passdb {
args = nopassword=y allow_nets=127.0.0.1/32
driver = static
}
passdb {
driver = pam
}
plugin {
acl = vfile
acl_defaults_from_inbox = yes
acl_shared_dict = file:/srv/mail/dovecot/lib/shared-mailboxes.db
acl_user = %u
autocreate = Trash
autocreate2 = Drafts
autocreate3 = Sent
autosubscribe = Trash
autosubscribe2 = Drafts
autosubscribe3 = Sent
listescape_char =
}
postmaster_address = admin@example.com
protocols = " imap lmtp submission"
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
}
service imap-login {
inet_listener imap {
port = 0
}
inet_listener imap_local {
address = 127.0.0.1
port = 144
ssl = no
}
inet_listener imaps {
port = 993
ssl = yes
}
process_min_avail = 1
}
service indexer-worker {
vsz_limit = 2 G
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
}
service submission-login {
inet_listener submission {
port = 465
ssl = yes
}
}
ssl = required
ssl_cert =
Is there anything obviously wrong in the config?
I suspect a mismatch between %u and %n somewhere but don't know how to figure out the culprit.
How can I get more relevant debug log output about namespaces / mailbox sharing? Or can I run commands to check validity?
- Kees
On 16/02/2022 21:40 Kees van Vloten keesvanvloten@gmail.com wrote:
> namespace { hidden = no list = no location = maildir:/srv/mail/vmail/example.com/%%n/store:LAYOUT=fs:FULLDIRNAME=0_FolderContent:UTF-8:INDEXPVT=/srv/mail/vmail/example.com/%n/index_shared/%%u:CONTROL=/srv/mail/vmail/example.com/%%n/control:VOLATILEDIR=/srv/mail/vmail/example.com/%%n/volatile prefix = shared~%%u~ separator = ~ subscriptions = no type = shared }
You've marked this as list = no, when it should be list = children. Maybe it'll help.
Aki
On 17-02-2022 07:28, Aki Tuomi wrote:
I have updated the conf with list = children. Unfortunately it did not change anything.
Feb 17 09:01:14 server dovecot: imap(test1@example.com)<961453>
Somehow the shared namespace is seen by the client, but no content is shown:
C[0x563e643232a0]: 1 login "test1" ""
S[0x563e63660b70]: 1 OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY STATUS=SIZE SAVEDATE LITERAL+ NOTIFY SPECIAL-USE ACL RIGHTS=texk] Logged in
C[0x563e643232a0]: 2 capability
S[0x563e63660b70]: * CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY STATUS=SIZE SAVEDATE LITERAL+ NOTIFY SPECIAL-USE ACL RIGHTS=texk
S[0x563e63660b70]: 2 OK Capability completed (0.001 + 0.000 secs).
C[0x563e643232a0]: 3 ID ("x-originating-ip" "192.168.10.106")
S[0x563e63660b70]: * ID ("name" "Dovecot")
S[0x563e63660b70]: 3 OK ID completed (0.001 + 0.001 secs).
C[0x563e643232a0]: 4 namespace
S[0x563e63660b70]: * NAMESPACE (("" "~")) (("shared~" "~")) NIL
S[0x563e63660b70]: 4 OK Namespace completed (0.001 + 0.001 secs).
C[0x563e643232a0]: 5 LIST "" ""
S[0x563e63660b70]: * LIST (\Noselect) "~" ""
S[0x563e63660b70]: 5 OK List completed (0.001 + 0.001 secs).
On 17/02/2022 10:14 Kees van Vloten keesvanvloten@gmail.com wrote:
Can you try
1 LIST "shared~" "*"
The LIST "" "" is only about getting the hierarchy separator.
Aki
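The exchange Aki asks for, as an added example that is not part of the thread: it parses the NAMESPACE response from the trace above and then issues LIST under every advertised non-personal prefix with Python's imaplib. Dovecot reports a `type = shared` namespace in the second slot of NAMESPACE (the Other Users' namespaces of RFC 2342) and `type = public` in the third, which is why `shared~` appears where it does in the trace. The host, credentials and the TLS listener on 993 are assumptions. One caveat for anyone repeating the telnet test on 127.0.0.1:144: the posted config pairs that listener with `passdb static nopassword=y allow_nets=127.0.0.1/32`, which accepts any password from localhost, so a successful login there does not exercise the password or Kerberos path that real clients use.

```python
"""Discover the shared namespace prefix from NAMESPACE and LIST under it.

LIST "" "" only returns the hierarchy separator; to see other users' shared
folders the client must LIST with the prefix NAMESPACE advertises for them.
"""
import imaplib
import re
import ssl

# One ("prefix" "separator") pair inside a NAMESPACE group. The separator
# may be NIL for flat namespaces; extension data after the pair is ignored.
_PAIR_RE = re.compile(r'\("((?:[^"\\]|\\.)*)"\s+(?:"((?:[^"\\]|\\.)*)"|NIL)')


def _top_level_items(text):
    """Split NAMESPACE data into its three top-level items: a parenthesised
    group (returned as its text) or NIL (returned as None)."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                items.append(text[start:i + 1])
        elif depth == 0 and text.startswith("NIL", i):
            items.append(None)
    return items


def parse_namespace(data):
    """Parse NAMESPACE data such as '(("" "~")) (("shared~" "~")) NIL' (the
    untagged-response prefix '* NAMESPACE ' may be present) into the three
    RFC 2342 slots: personal, other users', shared."""
    text = data.decode("utf-8", "replace") if isinstance(data, bytes) else data
    text = re.sub(r"^\*\s+NAMESPACE\s+", "", text.strip())
    items = _top_level_items(text)
    if len(items) != 3:
        raise ValueError(f"expected 3 NAMESPACE items, got {len(items)}: {text!r}")
    slots = {}
    for name, item in zip(("personal", "other_users", "shared"), items):
        pairs = [] if item is None else _PAIR_RE.findall(item)
        slots[name] = [(p.replace('\\"', '"'), s or None) for p, s in pairs]
    return slots


def shared_prefixes(data):
    """Prefixes a client must LIST under to see mailboxes shared by others.
    Dovecot puts 'type = shared' namespaces in other_users and 'type = public'
    namespaces in shared, so both slots are returned."""
    ns = parse_namespace(data)
    return ns["other_users"] + ns["shared"]


def list_shared(host, user, password, port=993):
    """Log in over TLS (assumed listener), read NAMESPACE, LIST under each
    non-personal prefix. Returns {prefix: [raw LIST response lines]}."""
    ctx = ssl.create_default_context()
    with imaplib.IMAP4_SSL(host, port, ssl_context=ctx) as conn:
        conn.login(user, password)
        typ, data = conn.namespace()
        if typ != "OK":
            raise RuntimeError(f"NAMESPACE failed: {data!r}")
        results = {}
        for prefix, _sep in shared_prefixes(data[0]):
            # imaplib does not quote arguments for us; '*' crosses separators,
            # so a single LIST per prefix is enough.
            typ, lines = conn.list(f'"{prefix}"', '"*"')
            results[prefix] = [line for line in lines if line]  # [None] when empty
        return results


if __name__ == "__main__":
    import getpass
    import sys

    host, user = sys.argv[1], sys.argv[2]  # e.g. server.example.com test1
    for prefix, lines in list_shared(host, user, getpass.getpass()).items():
        print(f"LIST under {prefix!r}: {lines or 'no shared mailboxes visible'}")
```

An empty result for `shared~` after a successful NAMESPACE is exactly the symptom in the thread: the namespace exists, but nothing in the ACL dict matches the logged-in identity, so nothing is listed under it.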
On 17-02-2022 09:16, Aki Tuomi wrote:
telnet localhost 144
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=GSSAPI AUTH=GSS-SPNEGO AUTH=PLAIN] Dovecot ready.
a login "test1" "****"
a OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY STATUS=SIZE SAVEDATE LITERAL+ NOTIFY SPECIAL-USE ACL RIGHTS=texk] Logged in
1 LIST "shared~" "*"
1 OK List completed (0.001 + 0.000 secs).
Now with the server-side logging:
Feb 17 09:34:03 server dovecot: imap(test1@example.com)<962722>
On 17/02/2022 10:39 Kees van Vloten keesvanvloten@gmail.com wrote:
I think your problem is that you are using test1 and test2 as usernames, but the shared folder is for test2@example.com.
The sharing must happen with same user names as your users are logging in.
Aki
On 17-02-2022 10:02, Aki Tuomi wrote:
Users are logging in with username only (and in most situations with a krb5 ticket):
auth_username_format = %Lu
Is there a way to prevent sharing as the %n name (test2@example.com)?
Or is the better approach to login with %n (and would that work with gssapi login)?
On 17/02/2022 11:16 Kees van Vloten keesvanvloten@gmail.com wrote:
Why not use auth_username_format=%Ln then?
Also consistently use %n instead of %u in your configuration. Also doveadm acl set -u test2 user=test1 and so on.
etc.
Aki
On 17-02-2022 10:17, Aki Tuomi wrote:
It is a little more complex.
There is a single SambaDC domain: "example.com" against which users login (often with a krb5-ticket).
passdb {
  driver = ldap
  args = /etc/dovecot/ldap_user_to_principal.conf.ext
  pass = yes
}
passdb {
  # If no Kerberos ticket was passed, use pam to verify user/password
  driver = pam
}
# /etc/dovecot/ldap_user_to_principal.conf.ext
base = OU=User Accounts,OU=Interactive Users,OU=Groupware,DC=example,DC=com
scope = subtree
pass_filter = (&(objectClass=user)(sAMAccountName=%n)(memberOf:1.2.840.113556.1.4.1941:=CN=mail_user-%d,OU=Mail Domains,OU=Groups,DC=example,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs =
=user=%u,
=nopassword=Y,
=k5principals=%{ldap:userPrincipalName}
But mail arrives for multiple DNS domains: example.com, mydomain.com, otherdomain.com
Users can receive all mails for in their example.com mailbox (must be this because krb5 will only use this domain). An LDAP query is done to change the target domain:
userdb {
  # Rewrite domain for users (but not for functional mailboxes)
  driver = ldap
  args = /etc/dovecot/ldap_user_domain.conf.ext
  result_success = continue
  result_failure = continue
}
# /etc/dovecot/ldap_user_domain.conf.ext
base = OU=User Accounts,OU=Interactive Users,OU=Groupware,DC=example,DC=com
scope = subtree
user_filter = (&(objectClass=user)(sAMAccountName=%n)(memberOf:1.2.840.113556.1.4.1941:=CN=mail_user-%d,OU=Mail Domains,OU=Groups,DC=example,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
user_attrs =
=domain=example.com
Then there are functional mailboxes, like sales@mydomain.com, sales@otherdomain.com. These are not mapped to the Samba domain because sales@mydomain.com is not handled by the same user as sales@otherdomain.com. As they remain separate, ACLs can be set to share them with the desired user.
And to add to the complexity, users can share their own mailbox with someone else from the mail client (and that is always within the SambaDC domain example.com).
Is what I am doing here the right approach? Do you still recommend to switch "auth_username_format = %Lu" to %Ln?
Solved!! But a bit different than the above suggestion. There was a discrepancy between users logged in with a krb5 ticket and users without.
passdb {
  args = /etc/dovecot/ldap_user_to_principal.conf.ext
  driver = ldap
  pass = yes
}
passdb {
  driver = pam
}
The issue was in ldap_user_to_principal.conf.ext, it contained:
pass_attrs =
=user=%u,
=nopassword=Y,
=k5principals=%{ldap:userPrincipalName}
I changed user to %n and now it is handled the same as handling through pam for users without ticket.
Now the ACLs look alright:
cat /srv/mail/dovecot/lib/shared-mailboxes.db
shared/shared-boxes/user/test1/test2
1

doveadm acl get -u test2 INBOX
ID     Global Rights
user=test1 admin create delete expunge insert lookup post read write write-deleted write-seen
And even better, the 'test2' mailbox shows up in the mail-client of 'test1'.
Thanks for your help, Aki. It did help to point me in the right direction!
- Kees
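Kees asked at the start whether there is a command to check validity, Aki's diagnosis was that the share must be made under the exact username people log in with, and the fix turned out to be a `user=%u` passdb field on the Kerberos/LDAP path producing `test2@example.com` where the PAM path produced `test2`. On a live server the equivalent check is to compare the username printed by `doveadm auth test` (or `doveadm user`) across each mechanism and against the `shared-mailboxes.db` keys and `doveadm acl get` output. The script below, an added example that is not from the thread or from Dovecot, does that check offline: it expands the `%u` / `%n` / `%d` username variables, models one auth path as realm, `auth_username_format` and an optional passdb `user=` override (a simplified assumption, not Dovecot's actual code), parses the `file:` shared dict, and reports any login whose identity differs between paths or any dict key / ACL subject that does not name such a stable identity. The two auth paths, the logins and the dict contents are constructed from the thread. It also documents why the shared namespace location must use `%%n`: a single `%` is expanded for the logged-in user, a doubled one later for each mailbox owner.

```python
"""Consistency check for Dovecot shared-mailbox identities (added example).

The ACL plugin compares the 'user=<name>' ACL subject and the acl_shared_dict
key 'shared/shared-boxes/user/<recipient>/<owner>' with the username a
session ends up with after auth_default_realm, auth_username_format and any
'user=' field a passdb returns. If one auth path yields 'test2@example.com'
and another 'test2', the share silently disappears for one of them.
"""
import re

# %u full user, %n local part, %d domain, optional L/U case modifiers; '%%'
# is a literal '%'. A shared namespace location writes %%n because it is
# expanded later, once per mailbox owner, not for the logged-in user.
_VAR_RE = re.compile(r"%%|%([LU]*)([und])")


def expand(fmt: str, user: str) -> str:
    """Expand the username variables of a Dovecot template against `user`."""
    local, _, domain = user.partition("@")

    def repl(m):
        if m.group(0) == "%%":
            return "%"
        val = {"u": user, "n": local, "d": domain}[m.group(2)]
        if "L" in m.group(1):
            val = val.lower()
        if "U" in m.group(1):
            val = val.upper()
        return val

    return _VAR_RE.sub(repl, fmt)


def effective_user(login, username_format="%Lu", default_realm=None, user_override=None):
    """Simplified model (an assumption, not Dovecot's code) of one auth path:
    append a realm when the login carries no domain, apply
    auth_username_format, then apply a passdb-returned 'user=' template."""
    user = login if ("@" in login or not default_realm) else f"{login}@{default_realm}"
    user = expand(username_format, user)
    if user_override:
        user = expand(user_override, user)
    return user


_SHARE_KEY_RE = re.compile(r"^shared/shared-boxes/user/([^/]+)/([^/]+)$")


def parse_shared_dict(text: str):
    """Parse the 'file:' acl_shared_dict format (key line, then value line)
    into (recipient, owner) pairs for entries whose value is 1."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    shares = []
    for key, value in zip(lines[0::2], lines[1::2]):
        m = _SHARE_KEY_RE.match(key)
        if m and value == "1":
            shares.append((m.group(1), m.group(2)))
    return shares


def check_identities(logins, auth_paths, shares, acl_subjects):
    """Report logins that map to different usernames on different auth paths,
    and share entries / ACL subjects naming a username that is not produced
    identically by every path."""
    problems, stable = [], set()
    for login in logins:
        names = {path: fn(login) for path, fn in auth_paths.items()}
        if len(set(names.values())) > 1:
            problems.append(f"login {login!r} maps to different usernames: {names}")
        else:
            stable.update(names.values())
    for recipient, owner in shares:
        for role, name in (("recipient", recipient), ("owner", owner)):
            if name not in stable:
                problems.append(f"shared-dict {role} {name!r} is not a stable username")
    for subject in acl_subjects:
        if subject.startswith("user=") and subject[len("user="):] not in stable:
            problems.append(f"ACL subject {subject!r} is not a stable username")
    return problems


# Constructed inputs modelled on the thread: the shared dict before and after
# the fix, the ACL subject test2 granted, and the two test logins.
BROKEN_DICT = "shared/shared-boxes/user/test1/test2@example.com\n1\n"
FIXED_DICT = "shared/shared-boxes/user/test1/test2\n1\n"
ACL_SUBJECTS = ["user=test1"]
LOGINS = ["test1", "test2"]


def auth_paths(ldap_user_template):
    """Two constructed auth paths: a Kerberos principal always carries its
    realm and the LDAP passdb returns user=<template>; the PAM path sees the
    bare login and returns no override."""
    return {
        "gssapi+ldap": lambda l: effective_user(l, "%Lu", "example.com", ldap_user_template),
        "plain+pam": lambda l: effective_user(l, "%Lu", None, None),
    }


if __name__ == "__main__":
    for label, template, dict_text in (("before", "%u", BROKEN_DICT), ("after", "%n", FIXED_DICT)):
        found = check_identities(LOGINS, auth_paths(template), parse_shared_dict(dict_text), ACL_SUBJECTS)
        print(f"{label} (pass_attrs user={template}): {found or 'consistent'}")
```

The "before" run flags both logins as diverging and therefore every dict key and ACL subject as unstable; the "after" run, with `user=%n` on the LDAP path and the dict re-created as `test1/test2`, reports nothing. The invariant worth keeping in mind is that an ACL subject is a plain string match: an identity that is normalized differently on one auth path is not a partial grant, it is no grant at all on that path, and a grant to `user=test1` would equally fail to stop a different path from presenting the same person as `test1@example.com` with no ACL at all.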