Different behavior of ACLs in MUA and doveadm
I have noticed a difference in the behavior of ACLs. When used in a MUA the following global ACL works fine and has the desired effect - new mailboxes can be created by a user being part of the 'PublicMailboxAdmins' group:
global-acl:
INBOX owner lrwstiekxap
Public/* group=PublicMailboxAdmins lrwsipk
Public/* anyone lr
Public/* authenticated lrws
Creating the same mailbox via doveadm however fails with a permission problem:
doveadm(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx@leuxner.net): Debug: Namespace : type=public, prefix=Public/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=no location=mdbox:/var/vmail/public:INDEXPVT=~/mdbox/public
doveadm(tlx@leuxner.net): Debug: fs: root=/var/vmail/public, index=, indexpvt=/var/vmail/domains/leuxner.net/tlx/mdbox/public, control=, inbox=, alt=
doveadm(tlx@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
doveadm(tlx@leuxner.net): Debug: acl: acl username = tlx@leuxner.net
doveadm(tlx@leuxner.net): Debug: acl: owner = 0
doveadm(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx@leuxner.net): Debug: Namespace : type=private, prefix=Virtual/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=virtual:~/mdbox/virtual
doveadm(tlx@leuxner.net): Debug: fs: root=/var/vmail/domains/leuxner.net/tlx/mdbox/virtual, index=, indexpvt=, control=, inbox=, alt=
doveadm(tlx@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
doveadm(tlx@leuxner.net): Debug: acl: acl username = tlx@leuxner.net
doveadm(tlx@leuxner.net): Debug: acl: owner = 1
doveadm(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/dovecot-acl not found
doveadm(tlx@leuxner.net): Error: Can't create mailbox Public/Archive/Newsletters/heise-security/2014: Permission denied
Interestingly, doveadm succeeds when dovecot-acl is present in the namespace root - which of course is not desirable in the light of the global ACL:
dovecot-acl:
group=PublicMailboxAdmins lrwsipk
doveadm(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx@leuxner.net): Debug: Namespace : type=public, prefix=Public/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=no location=mdbox:/var/vmail/public:INDEXPVT=~/mdbox/public
doveadm(tlx@leuxner.net): Debug: fs: root=/var/vmail/public, index=, indexpvt=/var/vmail/domains/leuxner.net/tlx/mdbox/public, control=, inbox=, alt=
doveadm(tlx@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
doveadm(tlx@leuxner.net): Debug: acl: acl username = tlx@leuxner.net
doveadm(tlx@leuxner.net): Debug: acl: owner = 0
doveadm(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx@leuxner.net): Debug: Namespace : type=private, prefix=Virtual/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=virtual:~/mdbox/virtual
doveadm(tlx@leuxner.net): Debug: fs: root=/var/vmail/domains/leuxner.net/tlx/mdbox/virtual, index=, indexpvt=, control=, inbox=, alt=
doveadm(tlx@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
doveadm(tlx@leuxner.net): Debug: acl: acl username = tlx@leuxner.net
doveadm(tlx@leuxner.net): Debug: acl: owner = 1
doveadm(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx@leuxner.net): Debug: acl vfile: reading file /var/vmail/public/mailboxes/dovecot-acl
doveadm(tlx@leuxner.net): Debug: Namespace Public/: /var/vmail/public/mailboxes/Archive/Newsletters/heise-security/2014 doesn't exist yet, using default permissions
doveadm(tlx@leuxner.net): Debug: Namespace Public/: Using permissions from /var/vmail/public: mode=0700 gid=default
doveadm(tlx@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Newsletters/heise-security/dbox-Mails/dovecot-acl not found
doveadm(tlx@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Newsletters/heise-security/2014/dbox-Mails/dovecot-acl not found
doveadm(tlx@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Newsletters/heise-security/2014/dbox-Mails/dovecot-acl not found
doveadm(tlx@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Newsletters/heise-security/2014/dbox-Mails/dovecot-acl not found
# 2.2.15 (6078354e6238): /etc/dovecot/dovecot.conf
I know there have been some changes in Mercurial as to how global ACLs are interpreted. Is doveadm probably behind on them?
Regards,
Thomas
- Thomas Leuxner <tlx@leuxner.net> 2014.12.31 22:10:
namespace {
  list = yes
  location = mdbox:/var/vmail/public:INDEXPVT=~/mdbox/public
  prefix = Public/
  separator = /
  subscriptions = no
  type = public
}
$ cat /var/vmail/conf.d/leuxner.net/global-acl
INBOX owner lrwstiekxap
Public/* group=PublicMailboxAdmins lrwsipk
Public/* anyone lr
Public/* authenticated lrws
$ doveadm mailbox create -u tlx@leuxner.net Public/Archive/Mailing-Lists/Dovecot/2015
doveadm(tlx@leuxner.net): Error: Can't create mailbox Public/Archive/Mailing-Lists/Dovecot/2015: Permission denied
$ doveadm acl get -u tlx@leuxner.net Public/Archive/Mailing-Lists/Dovecot
doveadm(tlx@leuxner.net): Error: Can't open mailbox Public/Archive/Mailing-Lists/Dovecot: Mailbox doesn't exist: Public/Archive/Mailing-Lists/Dovecot
ID Global Rights
I retested this issue after all the HG commits. Doveadm still treats the namespace/ACL differently compared to a MUA. While doveadm refuses to create the mailbox, the MUA succeeds. However, I'd like to do all this scripted using doveadm, ideally...
$ openssl s_client -connect host.domain.tld:143 -starttls imap
. OK Pre-login capabilities listed, post-login capabilities have more.
1 login tlx@leuxner.net <redacted>
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE NOTIFY SPECIAL-USE QUOTA ACL RIGHTS=texk
1 OK Logged in
2 list "Public/Archive" *
[...]
* LIST (\Noselect \HasChildren) "/" Public/Archive/Mailing-Lists/Dovecot
* LIST (\HasNoChildren \UnMarked) "/" Public/Archive/Mailing-Lists/Dovecot/2014
* LIST (\HasNoChildren \UnMarked) "/" Public/Archive/Mailing-Lists/Dovecot/2013
* LIST (\HasNoChildren \UnMarked) "/" Public/Archive/Mailing-Lists/Dovecot/2012
[...]
2 OK List completed (0.016 secs).
3 create "Public/Archive/Mailing-Lists/Dovecot/2015"
3 OK Create completed (0.006 secs).
4 list "Public/Archive" *
[...]
* LIST (\HasNoChildren) "/" Public/Archive/Mailing-Lists/Dovecot/2015
On 31 Dec 2014, at 23:10, Thomas Leuxner <tlx@leuxner.net> wrote:
I have noticed a difference in the behavior of ACLs. When used in a MUA the following global ACL works fine and has the desired effect - new mailboxes can be created by a user being part of the 'PublicMailboxAdmins' group:
How does the PublicMailboxAdmins group get set? Looks to me like the problem is that it's not getting set to doveadm. Here's an easy way to check if that's the problem or something else: http://hg.dovecot.org/dovecot-2.2/rev/500e8dd7a389
If that doesn't help: Show your full doveconf -n, set auth_debug=yes and mail_debug=yes and show the debug logs for IMAP login and doveadm. There's a difference somewhere in there.
- Timo Sirainen <tss@iki.fi> 2015.09.08 12:20:
How does the PublicMailboxAdmins group get set? Looks to me like the problem is that it's not getting set to doveadm. Here's an easy way to check if that's the problem or something else: http://hg.dovecot.org/dovecot-2.2/rev/500e8dd7a389
If that doesn't help: Show your full doveconf -n, set auth_debug=yes and mail_debug=yes and show the debug logs for IMAP login and doveadm. There's a difference somewhere in there.
$ doveadm mailbox create -u tlx@leuxner.net Public/Archive/Mailing-Lists/Dovecot/2015
doveadm(tlx@leuxner.net): Error: Can't create mailbox Public/Archive/Mailing-Lists/Dovecot/2015: Permission denied
Both debug levels raised, it doesn't log about the problem when using doveadm. I guess the patch is not enough:
Sep 8 13:19:07 nihlus dovecot: auth: Debug: master in: USER#0111#011tlx@leuxner.net#011service=doveadm
Sep 8 13:19:07 nihlus dovecot: auth: Debug: passwd-file(tlx@leuxner.net): userdb cache miss
Sep 8 13:19:07 nihlus dovecot: auth: Debug: passwd-file /var/vmail/auth.d/leuxner.net/passwd: Read 1 users in 0 secs
Sep 8 13:19:07 nihlus dovecot: auth: Debug: passwd-file(tlx@leuxner.net): lookup: user=tlx@leuxner.net file=/var/vmail/auth.d/leuxner.net/passwd
Sep 8 13:19:07 nihlus dovecot: auth: Debug: userdb out: USER#0111#011tlx@leuxner.net#011uid=5000#011gid=5000#011home=/var/vmail/domains/leuxner.net/tlx#011quota_rule=*:storage=5G#011acl_groups=PublicMailboxAdmins
With IMAP it is more talkative:
3 create "Public/Archive/Mailing-Lists/Dovecot/2015"
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: Added userdb setting: plugin/acl_groups=PublicMailboxAdmins
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: Added userdb setting: plugin/quota_rule=*:storage=5G
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: Effective uid=5000, gid=5000, home=/var/vmail/domains/leuxner.net/tlx
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: No acl_shared_dict setting - shared mailbox listing is disabled
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: Quota root: name=user backend=dict args=:file:/var/vmail/domains/leuxner.net/tlx/mdbox/dovecot-quota
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: Quota rule: root=user mailbox=* bytes=5368709120 messages=0
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: Quota rule: root=user mailbox=Trash bytes=+536870912 (10%) messages=0
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: Quota grace: root=user bytes=536870912 (10%)
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: dict quota: user=tlx@leuxner.net, uri=file:/var/vmail/domains/leuxner.net/tlx/mdbox/dovecot-quota, noenforcing=0
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=mdbox:~/mdbox
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: fs: root=/var/vmail/domains/leuxner.net/tlx/mdbox, index=, indexpvt=, control=, inbox=, alt=
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: acl username = tlx@leuxner.net
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: owner = 1
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: group added: PublicMailboxAdmins
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: Namespace : type=public, prefix=Public/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=no location=mdbox:/var/vmail/public:INDEXPVT=~/mdbox/public
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: fs: root=/var/vmail/public, index=, indexpvt=/var/vmail/domains/leuxner.net/tlx/mdbox/public, control=, inbox=, alt=
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: acl username = tlx@leuxner.net
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: owner = 0
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: group added: PublicMailboxAdmins
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: Namespace : type=private, prefix=Virtual/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=virtual:~/mdbox/virtual
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: fs: root=/var/vmail/domains/leuxner.net/tlx/mdbox/virtual, index=, indexpvt=, control=, inbox=, alt=
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: acl username = tlx@leuxner.net
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: owner = 1
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl: group added: PublicMailboxAdmins
Sep 8 13:06:29 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
Sep 8 13:07:13 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl vfile: file /var/vmail/domains/leuxner.net/tlx/mdbox/mailboxes/dovecot-acl not found
Sep 8 13:07:13 nihlus dovecot: imap(tlx@leuxner.net): Debug: Namespace : Using permissions from /var/vmail/domains/leuxner.net/tlx/mdbox: mode=0700 gid=default
Sep 8 13:07:13 nihlus dovecot: imap(tlx@leuxner.net): Debug: Namespace Public/: Using permissions from /var/vmail/public: mode=0700 gid=default
Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Namespace Public/: /var/vmail/public/mailboxes/Archive/Mailing-Lists/Dovecot/2015 doesn't exist yet, using default permissions
Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot' matches global ACL pattern 'Public/*'
Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot' matches global ACL pattern 'Public/*'
Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot' matches global ACL pattern 'Public/*'
Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Mailing-Lists/Dovecot/dbox-Mails/dovecot-acl not found
Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*'
Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*'
Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*'
Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Mailing-Lists/Dovecot/2015/dbox-Mails/dovecot-acl not found
Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*'
Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*'
Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*'
Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Mailing-Lists/Dovecot/2015/dbox-Mails/dovecot-acl not found
Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*'
Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*'
Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: Mailbox 'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern 'Public/*'
Sep 8 13:07:42 nihlus dovecot: imap(tlx@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Mailing-Lists/Dovecot/2015/dbox-Mails/dovecot-acl not found
# 2.2.18 (500e8dd7a389): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.8
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.2
auth_cache_size = 16 k
auth_debug = yes
auth_verbose = yes
deliver_log_format = msgid=%m, time=%{delivery_time}ms, status=%$
hostname = host.domain.tld
imap_hibernate_timeout = 1 mins
imap_id_log = *
imap_logout_format = in=%i out=%o hdr=%{fetch_hdr_count} body=%{fetch_body_count} del=%{deleted} exp=%{expunged} trash=%{trashed}
mail_debug = yes
mail_location = mdbox:~/mdbox
mail_plugins = acl quota stats zlib virtual
mailbox_list_index = yes
namespace {
  list = yes
  location = mdbox:/var/vmail/public:INDEXPVT=~/mdbox/public
  prefix = Public/
  separator = /
  subscriptions = no
  type = public
}
namespace {
  location = virtual:~/mdbox/virtual
  prefix = Virtual/
  separator = /
}
namespace inbox {
  hidden = no
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = username_format=%u /var/vmail/auth.d/%d/passwd
  driver = passwd-file
}
plugin {
  acl = vfile:/var/vmail/conf.d/%d/global-acl:cache_secs=300
  mail_log_events = expunge mailbox_delete
  quota = dict:user::file:%h/mdbox/dovecot-quota
  quota_grace = 10%%
  quota_rule = *:storage=1GB
  quota_rule2 = Trash:storage=+10%%
  quota_status_nouser = DUNNO
  quota_status_success = DUNNO
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_global_dir = /var/vmail/conf.d/%d/sieve
  stats_refresh = 30s
  stats_track_cmds = yes
  zlib_save = gz
  zlib_save_level = 6
}
protocols = " imap lmtp"
quota_full_tempfail = yes
service auth-worker {
  unix_listener auth-worker {
    user = doveauth
  }
  user = doveauth
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = doveauth
}
service imap-hibernate {
  unix_listener imap-hibernate {
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    address = 1.2.3.4
    port = 143
    reuse_port = yes
  }
  inet_listener imaps {
    port = 0
  }
  process_min_avail = 8
}
service imap {
  unix_listener imap-master {
    user = dovecot
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  unix_listener /var/spool/postfix/private/quota-status {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service stats {
  fifo_listener stats-mail {
    mode = 0600
    user = vmail
  }
}
ssl_ca = </etc/ssl/certs/Comodo_RSA_Domain_Validation_SHA-2_Intermediates_CA_Bundle.crt
ssl_cert = </etc/ssl/certs/host_domain_tld.crt
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/private/host_domain_tld.key
ssl_protocols = !SSLv2 !SSLv3
syslog_facility = local1
userdb {
  args = username_format=%u /var/vmail/auth.d/%d/passwd
  driver = passwd-file
}
verbose_proctitle = yes
protocol lmtp {
  mail_plugins = acl quota stats zlib virtual sieve
}
protocol imap {
  mail_max_userip_connections = 20
  mail_plugins = acl quota stats zlib virtual mail_log notify imap_acl imap_quota imap_stats
}
On 09/08/2015 02:26 PM, Thomas Leuxner wrote:
- Timo Sirainen <tss@iki.fi> 2015.09.08 12:20:
How does the PublicMailboxAdmins group get set? Looks to me like the problem is that it's not getting set to doveadm. Here's an easy way to check if that's the problem or something else: http://hg.dovecot.org/dovecot-2.2/rev/500e8dd7a389
If that doesn't help: Show your full doveconf -n, set auth_debug=yes and mail_debug=yes and show the debug logs for IMAP login and doveadm. There's a difference somewhere in there.
$ doveadm mailbox create -u tlx@leuxner.net Public/Archive/Mailing-Lists/Dovecot/2015
doveadm(tlx@leuxner.net): Error: Can't create mailbox Public/Archive/Mailing-Lists/Dovecot/2015: Permission denied
Both debug levels raised, it doesn't log about the problem when using doveadm. I guess the patch is not enough:
With doveadm you need to give -D parameter for it to log debug output.
- Timo Sirainen <tss@iki.fi> 2015.09.08 14:28:
Both debug levels raised, it doesn't log about the problem when using doveadm. I guess the patch is not enough:
With doveadm you need to give -D parameter for it to log debug output.
Comparing this to the previous imap log, it does seem to ignore the global ACL pattern:
$ doveadm -D mailbox create -u tlx@leuxner.net Public/Archive/Mailing-Lists/Dovecot/2015
Debug: Loading modules from directory: /usr/lib/dovecot/modules
Debug: Module loaded: /usr/lib/dovecot/modules/lib01_acl_plugin.so
Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
Debug: Module loaded: /usr/lib/dovecot/modules/lib20_virtual_plugin.so
Debug: Module loaded: /usr/lib/dovecot/modules/lib20_zlib_plugin.so
Debug: Module loaded: /usr/lib/dovecot/modules/lib90_stats_plugin.so
Debug: Loading modules from directory: /usr/lib/dovecot/modules/doveadm
Debug: Module loaded: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_acl_plugin.so
Debug: Skipping module doveadm_expire_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_expire_plugin.so: undefined symbol: expire_set_deinit (this is usually intentional, so just ignore this message)
Debug: Module loaded: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_quota_plugin.so
Debug: Module loaded: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_sieve_plugin.so
Debug: Skipping module doveadm_fts_lucene_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib20_doveadm_fts_lucene_plugin.so: undefined symbol: lucene_index_iter_deinit (this is usually intentional, so just ignore this message)
Debug: Skipping module doveadm_fts_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib20_doveadm_fts_plugin.so: undefined symbol: fts_backend_rescan (this is usually intentional, so just ignore this message)
doveadm(tlx@leuxner.net): Debug: auth input: tlx@leuxner.net quota_rule=*:storage=5G acl_groups=PublicMailboxAdmins uid=5000 gid=5000 home=/var/vmail/domains/leuxner.net/tlx
doveadm(tlx@leuxner.net): Debug: Added userdb setting: plugin/acl_groups=PublicMailboxAdmins
doveadm(tlx@leuxner.net): Debug: Added userdb setting: plugin/quota_rule=*:storage=5G
doveadm(tlx@leuxner.net): Debug: Effective uid=5000, gid=5000, home=/var/vmail/domains/leuxner.net/tlx
doveadm(tlx@leuxner.net): Debug: acl: No acl_shared_dict setting - shared mailbox listing is disabled
doveadm(tlx@leuxner.net): Debug: Quota root: name=user backend=dict args=:file:/var/vmail/domains/leuxner.net/tlx/mdbox/dovecot-quota
doveadm(tlx@leuxner.net): Debug: Quota rule: root=user mailbox=* bytes=5368709120 messages=0
doveadm(tlx@leuxner.net): Debug: Quota rule: root=user mailbox=Trash bytes=+536870912 (10%) messages=0
doveadm(tlx@leuxner.net): Debug: Quota grace: root=user bytes=536870912 (10%)
doveadm(tlx@leuxner.net): Debug: dict quota: user=tlx@leuxner.net, uri=file:/var/vmail/domains/leuxner.net/tlx/mdbox/dovecot-quota, noenforcing=0
doveadm(tlx@leuxner.net): Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=mdbox:~/mdbox
doveadm(tlx@leuxner.net): Debug: fs: root=/var/vmail/domains/leuxner.net/tlx/mdbox, index=, indexpvt=, control=, inbox=, alt=
doveadm(tlx@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
doveadm(tlx@leuxner.net): Debug: acl: acl username = tlx@leuxner.net
doveadm(tlx@leuxner.net): Debug: acl: owner = 1
doveadm(tlx@leuxner.net): Debug: acl: group added: PublicMailboxAdmins
doveadm(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx@leuxner.net): Debug: Namespace : type=public, prefix=Public/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=no location=mdbox:/var/vmail/public:INDEXPVT=~/mdbox/public
doveadm(tlx@leuxner.net): Debug: fs: root=/var/vmail/public, index=, indexpvt=/var/vmail/domains/leuxner.net/tlx/mdbox/public, control=, inbox=, alt=
doveadm(tlx@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
doveadm(tlx@leuxner.net): Debug: acl: acl username = tlx@leuxner.net
doveadm(tlx@leuxner.net): Debug: acl: owner = 0
doveadm(tlx@leuxner.net): Debug: acl: group added: PublicMailboxAdmins
doveadm(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx@leuxner.net): Debug: Namespace : type=private, prefix=Virtual/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=virtual:~/mdbox/virtual
doveadm(tlx@leuxner.net): Debug: fs: root=/var/vmail/domains/leuxner.net/tlx/mdbox/virtual, index=, indexpvt=, control=, inbox=, alt=
doveadm(tlx@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
doveadm(tlx@leuxner.net): Debug: acl: acl username = tlx@leuxner.net
doveadm(tlx@leuxner.net): Debug: acl: owner = 1
doveadm(tlx@leuxner.net): Debug: acl: group added: PublicMailboxAdmins
doveadm(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/dovecot-acl not found
doveadm(tlx@leuxner.net): Error: Can't create mailbox Public/Archive/Mailing-Lists/Dovecot/2015: Permission denied
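To make the rights arithmetic behind the thread concrete, here is an added Python evaluator (editor's example, not Dovecot's code and not from either poster) that applies the global ACL from the first post to the mailbox names in the logs, for the user with and without the acl_groups value the userdb returns, plus a helper that pulls the two debug signals compared above ("acl: group added" and "matches global ACL pattern") out of mail_debug or doveadm -D output. It assumes Dovecot's documented vfile semantics as stated in the docstring; the rights letters, identifiers and names are the thread's own.

```python
"""Added example, not Dovecot's code. Assumed vfile semantics: rights of every
matching entry whose identifier applies are unioned, rights from a '-'-prefixed
identifier are subtracted afterwards, '*' in a pattern spans '/', and creating
a mailbox needs the 'k' right on its parent."""
import fnmatch
import re
from dataclasses import dataclass, field

# The global ACL file quoted in the thread.
GLOBAL_ACL = """\
INBOX owner lrwstiekxap
Public/* group=PublicMailboxAdmins lrwsipk
Public/* anyone lr
Public/* authenticated lrws
"""

@dataclass
class AclEntry:
    pattern: str     # mailbox name or wildcard pattern
    identifier: str  # owner | anyone | authenticated | user=x | group=x | group-override=x
    rights: str      # right letters, e.g. "lrwsipk"
    negative: bool   # identifier was prefixed with '-'

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)  # from the userdb's acl_groups
    authenticated: bool = True

def parse_global_acl(text):
    """One 'pattern identifier rights' entry per line; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"malformed ACL line: {raw!r}")
        ident = parts[1]
        rights = parts[2] if len(parts) > 2 else ""
        entries.append(AclEntry(parts[0], ident.lstrip("-"), rights, ident.startswith("-")))
    return entries

def identifier_applies(ident, user, owner):
    """Does this identifier cover the user? Ownership is decided by the caller."""
    if ident in ("anyone", "anonymous"):
        return True
    if ident == "authenticated":
        return user.authenticated
    if ident == "owner":
        return owner
    if ident.startswith("user="):
        return ident[len("user="):] == user.name
    if ident.startswith(("group=", "group-override=")):
        return ident.split("=", 1)[1] in user.groups
    return False

def effective_rights(entries, mailbox, user, owner=False):
    """Sorted right letters the user ends up with on one mailbox."""
    granted, denied = set(), set()
    for e in entries:
        # fnmatch's '*' also matches '/', which is what the IMAP log shows for 'Public/*'.
        if fnmatch.fnmatchcase(mailbox, e.pattern) and identifier_applies(e.identifier, user, owner):
            (denied if e.negative else granted).update(e.rights)
    return "".join(sorted(granted - denied))

def can_create(entries, mailbox, user, sep="/"):
    """Creation needs 'k' on the parent; a top-level name is checked against itself."""
    parent = mailbox.rsplit(sep, 1)[0] if sep in mailbox else mailbox
    return "k" in effective_rights(entries, parent, user)

def acl_debug_signals(log_text):
    """Pull the two lines the thread compares out of mail_debug or doveadm -D output."""
    groups = set(re.findall(r"acl: group added: (\S+)", log_text))
    patterns = set(re.findall(r"matches global ACL pattern '([^']+)'", log_text))
    return {"groups_added": groups, "global_patterns_matched": patterns}
```

Run against the thread's user, the group member gets "iklprsw" on Public/Archive/Mailing-Lists/Dovecot and may create 2015 under it, while the same user without the group only gets "lrsw" and is denied, which is the doveadm outcome the logs show.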