Dovecot 2.3 shared namespace issues
Hello,
We're trying to configure the shared mailbox feature/namespace on a Dovecot 2.3 installation.
OS: Ubuntu 22.04 x64
Dovecot: 2:2.3.19.1-2+ubuntu20.04
Our test environment is based on a Dovecot frontend (director + proxy) and a Dovecot backend (auth and storage); later we will think about increasing the number of backends and frontends (if we got it right, as we plan to use multiple backends, we should use imapc in order to bind the sharer and the accessing user to the same backend).
On the Dovecot backend we've configured the new shared namespace, as stated in the documentation (https://doc.dovecot.org/configuration_manual/shared_mailboxes/shared_mailboxes/#user-shared-mailboxes):
-- Dovecot conf --------------------
# Maildir's location is under home dir, which is returned by userdb.
mail_location = maildir:~/Maildir:VOLATILEDIR=/tmp_lock/%2.256Nu/%u

# Quota, mail_log plugins enabled everywhere
mail_plugins = quota notify acl fts fts_lucene mail_log mailbox_alias virtual

# Default namespace
namespace {
  hidden = no
  inbox = yes
  location =
  prefix =
  separator = /
  type = private
  mailbox Sent {
    special_use = \Sent
    auto = create
  }
  mailbox Trash {
    special_use = \Trash
    auto = create
  }
  mailbox Drafts {
    special_use = \Drafts
    auto = create
  }
  mailbox SPAM {
    special_use = \Junk
    auto = create
  }
}

# namespace used by virtual search
namespace {
  prefix = VrtSearch.
  separator = /
  location = virtual:/etc/dovecot-common-backend/virtual:INDEX=~/virtual
  hidden = yes
  subscriptions = no
  inbox = no
  list = no
}

# IMAP SHARING FEATURE
service dict {
  unix_listener dict {
    mode = 0600
    user = vpopmail
    group = vchkpw
  }
}

plugin {
  acl = vfile
  acl_ignore_namespace = shared/*
  acl_shared_dict = proxy::acl-mysql
}

dict {
  acl-mysql = mysql:/etc/dovecot-common-backend/dovecot-dict-sql.conf.ext
}

# namespace used for IMAP sharing feature
namespace {
  type = shared
  separator = /
  prefix = shared/%%u/
  location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
  list = children
  subscriptions = no
}
-- Dovecot dict sql --------------------
# IMAP SHARING FEATURE
connect = host=x.x.x.x dbname=xxxxxx user=xxxxxx password=xxxxxx

map {
  pattern = shared/shared-boxes/user/$to/$from
  table = imap_user_shares
  value_field = dummy
  fields {
    from_user = $from
    to_user = $to
  }
}

map {
  pattern = shared/shared-boxes/anyone/$from
  table = imap_anyone_shares
  value_field = dummy
  fields {
    from_user = $from
  }
}
-- Dict DB contents --------------------
mysql> select * from imap_user_shares;
+--------------------------------------+------------------------------------+-------+
| from_user                            | to_user                            | dummy |
+--------------------------------------+------------------------------------+-------+
| test.imapsharer01@td01.testdomain.it | test.imapuser01@td01.testdomain.it | 1     |
+--------------------------------------+------------------------------------+-------+
For our tests, we have:
- created two users:
  test.imapsharer01@td01.testdomain.it
  test.imapuser01@td01.testdomain.it
- created two INBOX subfolders on the sharer01 user, giving user01 these permissions:
  subfolder01: user01 gets full control
  subfolder02ro: user01 gets list and read
- logging in as user01 with Thunderbird, we see the shared namespace tree:
  shared
    test.imapsharer01@td01.testdomain.it
      subfolder01
      subfolder02
We are able to see the contents of each folder, even the INBOX.
Checking the folder properties, Thunderbird reports that user01 has full control on the INBOX of sharer01.
If we check the ACL via a Python script (imaplib.getacl) or via doveadm, we can see that the sharer01 INBOX has no rights for user01.
But via Thunderbird (or other email clients) we can delete emails.
ACL - sharer01 accessing its folder
('OK', [b'INBOX test.imapsharer01@td01.testdomain.it lrwstipekxacd'])
('OK', [b'subfolder01 test.imapuser01@td01.testdomain.it akxeilprwtscd test.imapsharer01@td01.testdomain.it lrwstipekxacd'])
('OK', [b'subfolder02ro test.imapuser01@td01.testdomain.it lr test.imapsharer01@td01.testdomain.it lrwstipekxacd'])
ACL - user01 accessing sharer01 folders
('OK', [b'shared/test.imapsharer01@td01.testdomain.it/INBOX'])
('OK', [b'shared/test.imapsharer01@td01.testdomain.it/subfolder01 test.imapuser01@td01.testdomain.it akxeilprwtscd'])
('OK', [b'shared/test.imapsharer01@td01.testdomain.it/subfolder02ro test.imapuser01@td01.testdomain.it lr'])
Testing with doveadm shows the correct ACL:
# doveadm -c /etc/dovecot-backend01/dovecot.conf acl debug -u test.imapuser01@td01.testdomain.it shared/test.imapsharer01@td01.testdomain.it/INBOX
doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox 'INBOX' is in namespace 'shared/test.imapsharer01@td01.testdomain.it/'
doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox path: /home/vpopmail/domains/td01.testdomain.it/dccm4584.imapsharer01/Maildir
doveadm(test.imapuser01@td01.testdomain.it): Info: All message flags are shared across users in mailbox
doveadm(test.imapuser01@td01.testdomain.it): Info: User test.imapuser01@td01.testdomain.it has no rights for mailbox
doveadm(test.imapuser01@td01.testdomain.it): Error: User test.imapuser01@td01.testdomain.it is missing 'lookup' right
doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox shared/test.imapsharer01@td01.testdomain.it/INBOX is NOT visible in LIST
# doveadm -c /etc/dovecot-backend01/dovecot.conf acl debug -u test.imapuser01@td01.testdomain.it shared/test.imapsharer01@td01.testdomain.it/subfolder01
doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox 'subfolder01' is in namespace 'shared/test.imapsharer01@td01.testdomain.it/'
doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox path: /home/vpopmail/domains/td01.testdomain.it/dccm4584.imapsharer01/Maildir/.subfolder01
doveadm(test.imapuser01@td01.testdomain.it): Info: All message flags are shared across users in mailbox
doveadm(test.imapuser01@td01.testdomain.it): Info: User test.imapuser01@td01.testdomain.it has rights: lookup read write write-seen write-deleted insert post expunge create delete admin
doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox found from dovecot-acl-list
doveadm(test.imapuser01@td01.testdomain.it): Info: User test.imapsharer01@td01.testdomain.it found from ACL shared dict
doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox shared/test.imapsharer01@td01.testdomain.it/subfolder01 is visible in LIST
# doveadm -c /etc/dovecot-backend01/dovecot.conf acl debug -u test.imapuser01@td01.testdomain.it shared/test.imapsharer01@td01.testdomain.it/subfolder02ro
doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox 'subfolder02ro' is in namespace 'shared/test.imapsharer01@td01.testdomain.it/'
doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox path: /home/vpopmail/domains/td01.testdomain.it/dccm4584.imapsharer01/Maildir/.subfolder02ro
doveadm(test.imapuser01@td01.testdomain.it): Info: All message flags are shared across users in mailbox
doveadm(test.imapuser01@td01.testdomain.it): Info: User test.imapuser01@td01.testdomain.it has rights: lookup read
doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox found from dovecot-acl-list
doveadm(test.imapuser01@td01.testdomain.it): Info: User test.imapsharer01@td01.testdomain.it found from ACL shared dict
doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox shared/test.imapsharer01@td01.testdomain.it/subfolder02ro is visible in LIST
In the debug log we can see the delete operation:
Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox Trash: Mailbox opened
Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: acl vfile: file /home/vpopmail/domains/td01.testdomain.it/dccm4584.imapuser01/Maildir/.Trash/dovecot-acl not found
Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox shared/test.imapsharer01@td01.testdomain.it: Mailbox opened
Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox Trash: Adding field flags to cache for the first time (uid=0)
Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox Trash: saving UID 0: Opened mail because: header Message-ID (Cache file is unusable)
Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox Trash: Adding field hdr.Message-ID to cache for the first time (uid=0)
Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox shared/test.imapsharer01@td01.testdomain.it: UID 1: Expunge requested
Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox Trash: Purging (new file_seq=1668506005): creating cache
Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox Trash: Purging finished, file_seq changed 0 -> 1668506005, size=0 -> 412, max_uid=0
Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Info: copy from shared/test.imapsharer01@td01.testdomain.it: box=Trash, uid=1, msgid=<mnid2m.1.24789225.57389.0.1127444.c495198613._@nl.aruba.it>
Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Info: expunge: box=shared/test.imapsharer01@td01.testdomain.it, uid=1, msgid=<mnid2m.1.24789225.57389.0.1127444.c495198613._@nl.aruba.it>
Nov 15 10:53:26 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox shared/test.imapsharer01@td01.testdomain.it: UID 1: Mail expunged
After we delete a message, we cannot find it in the Trash folders (of user01 or sharer01).
Are we missing something?
Thanks
Stefano
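An added example, not part of the original post: it parses GETACL replies of the shape shown above (as returned by imaplib's getacl) and, for the accessing user, reports each shared mailbox as lacking an ACL entry, lacking lookup, read-only, or able to delete messages (the RFC 4314 t and e rights). The sample replies are reconstructed from the post; fetch_getacl_lines is an assumed helper for a live imaplib connection and is not run here.

```python
import shlex

# Constructed sample GETACL payloads in the shape imaplib returns (one bytes
# object per line): mailbox, then alternating identifier / rights pairs.
SAMPLE_GETACL = [
    b"shared/test.imapsharer01@td01.testdomain.it/INBOX",
    b"shared/test.imapsharer01@td01.testdomain.it/subfolder01 "
    b"test.imapuser01@td01.testdomain.it akxeilprwtscd",
    b"shared/test.imapsharer01@td01.testdomain.it/subfolder02ro "
    b"test.imapuser01@td01.testdomain.it lr",
]

# RFC 4314: t = set \Deleted flag, e = expunge; both are needed to delete mail.
DELETE_RIGHTS = {"t", "e"}


def parse_getacl(line):
    """Parse one GETACL response line into (mailbox, {identifier: set(rights)})."""
    tokens = shlex.split(line.decode("utf-8"))  # handles quoted mailbox names
    if not tokens:
        raise ValueError("empty GETACL response")
    mailbox, rest = tokens[0], tokens[1:]
    if len(rest) % 2:
        raise ValueError(f"odd identifier/rights list for {mailbox}")
    return mailbox, {rest[i]: set(rest[i + 1]) for i in range(0, len(rest), 2)}


def audit_shared_acls(lines, user):
    """Return {mailbox: verdict} for what the ACL says `user` may do."""
    report = {}
    for line in lines:
        mailbox, acl = parse_getacl(line)
        rights = acl.get(user)
        if rights is None:
            # Listed mailbox with no entry for the user: should be invisible,
            # so any successful access here is worth investigating.
            report[mailbox] = "no ACL entry for user"
        elif "l" not in rights:
            report[mailbox] = "no lookup right: should not be listed"
        elif DELETE_RIGHTS <= rights:
            report[mailbox] = "may delete messages (t+e)"
        else:
            report[mailbox] = "read-only: " + "".join(sorted(rights))
    return report


def fetch_getacl_lines(conn, mailboxes):
    """Collect raw GETACL lines from a live imaplib.IMAP4 connection (assumed helper)."""
    lines = []
    for mb in mailboxes:
        typ, data = conn.getacl(mb)
        if typ != "OK":
            raise RuntimeError(f"GETACL {mb}: {typ}")
        lines.extend(d for d in data if d)
    return lines
```

Compare the verdicts with what the client can actually do (or with `doveadm acl debug`); a mailbox reported as "no ACL entry for user" that still accepts an expunge is the mismatch described in the post.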
participants (1)
-
Stefano Cecconello