Shared mailbox setups and dictionaries
Hello,
I am relatively new to the world of MTAs and MDAs, and I am trying to set up shared mailboxes.
So far I have somehow succeeded - I have defined a shared namespace and I have managed to create per-mailbox ACL files thanks to the doveadm command.
However, I have been following these resources and there were bits that have puzzled me:
When learning about how ACLs work in e.g. https://doc.dovecot.org/settings/plugin/acl/ - when one wishes to use the Global ACL file, how does one link it to a particular user's mailboxes? Examples that are listed in the documentation are far too generic. For example, does "* user=foo lrw" imply that all mailboxes of all accounts are shared to the user foo? The doveadm command works only if Dovecot is set up with per-mailbox ACL files, so I can't use it to reverse-engineer the correct syntax.
An interesting aspect of ACLs is dictionaries. I understood them as some kind of cache - if there is no dictionary or it is empty, then shared mailboxes don't work. Conversely, the dictionary itself is not enough; one needs actual ACLs set up correctly. Is this a correct understanding?
Next, what https://wiki.dovecot.org/SharedMailboxes/Shared and https://wiki.dovecot.org/Dictionary describe is a possibility to reference LDAP data to define an ACL dictionary. Do I understand it correctly that if an LDAP database is the single source of truth, then I don't have to worry about updating dictionaries as long as LDAP itself is up-to-date, but I have to keep ACLs and LDAP in sync manually (or using an application)?
Thanks, Matej
On 9/14/2020 1:19 PM, Matej Tyc wrote:
> Hello,
> I am relatively new to the world of MTAs and MDAs, and I am trying to set up shared mailboxes.
> So far I have somehow succeeded - I have defined a shared namespace and I have managed to create per-mailbox ACL files thanks to the doveadm command.
> However, I have been following these resources and there were bits that have puzzled me:
> When learning about how ACLs work in e.g. https://doc.dovecot.org/settings/plugin/acl/ - when one wishes to use the Global ACL file, how does one link it to a particular user's mailboxes? Examples that are listed in the documentation are far too generic. For example, does "* user=foo lrw" imply that all mailboxes of all accounts are shared to the user foo? The doveadm command works only if Dovecot is set up with per-mailbox ACL files, so I can't use it to reverse-engineer the correct syntax.
The global ACLs are...global. They apply to all matching mailboxes system-wide. So to answer your question, yes "* user=foo lrw" means all mailboxes of all accounts are shared to the user foo. But...
> An interesting aspect of ACLs is dictionaries. I understood them as some kind of cache - if there is no dictionary or it is empty, then shared mailboxes don't work. Conversely, the dictionary itself is not enough; one needs actual ACLs set up correctly. Is this a correct understanding?
The ACLs grant/deny access to a specific mailbox - when that mailbox is known to the client. But ACLs are never scanned or iterated over to generate a list of available mailboxes - that's where the dictionary comes in. The dictionary is a list of shared mailboxes - but that's all it is. So when a client queries the server for a list of available mailboxes the dictionary is consulted. The ACLs are then applied for each transaction whenever a client tries to read/write/access/whatever a specific mailbox. So theoretically, if you can manually specify the shared mailbox correctly, no dictionary is required for access.
> Next, what https://wiki.dovecot.org/SharedMailboxes/Shared and https://wiki.dovecot.org/Dictionary describe is a possibility to reference LDAP data to define an ACL dictionary. Do I understand it correctly that if an LDAP database is the single source of truth, then I don't have to worry about updating dictionaries as long as LDAP itself is up-to-date, but I have to keep ACLs and LDAP in sync manually (or using an application)?
Again, a dictionary is a list of shared mailboxes - not ACLs. You can use any dictionary source Dovecot can read from - but if the dictionary also supports writing then any manipulation of ACLs will automatically update the dictionary.
What the above implies, and I will now state explicitly, is that while global ACLs provide *access* they do not *publish* that access. A dictionary must be manually updated to list those mailboxes.
-- Daniel
On 14. 09. 20 22:46, Daniel Miller wrote:
> On 9/14/2020 1:19 PM, Matej Tyc wrote:
>> ...
>> When learning about how ACLs work in e.g. https://doc.dovecot.org/settings/plugin/acl/ - when one wishes to use the Global ACL file, how does one link it to a particular user's mailboxes? Examples that are listed in the documentation are far too generic. For example, does "* user=foo lrw" imply that all mailboxes of all accounts are shared to the user foo? The doveadm command works only if Dovecot is set up with per-mailbox ACL files, so I can't use it to reverse-engineer the correct syntax.
> The global ACLs are...global. They apply to all matching mailboxes system-wide. So to answer your question, yes "* user=foo lrw" means all mailboxes of all accounts are shared to the user foo. But...
Great, what about the format itself? Is it <namespace>/<account>/<mailbox>? The documentation brings up e.g. /john@example.com/* - does that share all mailboxes of John from the example.com domain? Or have I overlooked a documentation page where the syntax is introduced?
>> ...
> The ACLs grant/deny access to a specific mailbox - when that mailbox is known to the client. But ACLs are never scanned or iterated over to generate a list of available mailboxes - that's where the dictionary comes in. The dictionary is a list of shared mailboxes - but that's all it is. So when a client queries the server for a list of available mailboxes the dictionary is consulted. The ACLs are then applied for each transaction whenever a client tries to read/write/access/whatever a specific mailbox. So theoretically, if you can manually specify the shared mailbox correctly, no dictionary is required for access.

Thanks, that's a great explanation!

>> Next, what https://wiki.dovecot.org/SharedMailboxes/Shared and https://wiki.dovecot.org/Dictionary describe is a possibility to reference LDAP data to define an ACL dictionary. Do I understand it correctly that if an LDAP database is the single source of truth, then I don't have to worry about updating dictionaries as long as LDAP itself is up-to-date, but I have to keep ACLs and LDAP in sync manually (or using an application)?
> Again, a dictionary is a list of shared mailboxes - not ACLs. You can use any dictionary source Dovecot can read from - but if the dictionary also supports writing then any manipulation of ACLs will automatically update the dictionary.
> What the above implies, and I will now state explicitly, is that while global ACLs provide *access* they do not *publish* that access. A dictionary must be manually updated to list those mailboxes.
What I understand is that ACLs are purely filesystem-based, i.e. no LDAP backend, and one has to sync LDAP to respective ACLs "manually".
If I follow what you have said, one could have an equal result with a database, syncing ACLs "manually" from LDAP, and doveadm will make sure that the database backend will be up-to-date.
> -- Daniel
Thank you very much for your explanations, I will propose a documentation PR once I figure out all of the missing bits.
On 9/15/2020 10:07 AM, Matej Tyc wrote:
> On 14. 09. 20 22:46, Daniel Miller wrote:
>> On 9/14/2020 1:19 PM, Matej Tyc wrote:
>>> ...
>>> When learning about how ACLs work in e.g. [...] so I can't use it to reverse-engineer the correct syntax.
>> The global ACLs are...global. They apply to all matching mailboxes system-wide. So to answer your question, yes "* user=foo lrw" means all mailboxes of all accounts are shared to the user foo. But...
> Great, what about the format itself? Is it <namespace>/<account>/<mailbox>? The documentation brings up e.g. /john@example.com/* - does that share all mailboxes of John from the example.com domain? Or have I overlooked a documentation page where the syntax is introduced?
No. You need to read the docs again: https://doc.dovecot.org/settings/plugin/acl/
Global ACLs live in their own little space - either filesystem-based or file-based. You specify who is *granted* global access - and the level of that global access applies system-wide. So if you grant "john@example.com" global read/write access to all Inboxes - John will be able to access every Inbox of every user (however, he might not know that a given inbox exists - without explicit configuration or explicit sharing which updates the dictionary).
>>> Next, what https://wiki.dovecot.org/SharedMailboxes/Shared and https://wiki.dovecot.org/Dictionary describe is a possibility to reference LDAP data to define an ACL dictionary. Do I understand it correctly that if an LDAP database is the single source of truth, then I don't have to worry about updating dictionaries as long as LDAP itself is up-to-date, but I have to keep ACLs and LDAP in sync manually (or using an application)?
>> Again, a dictionary is a list of shared mailboxes - not ACLs. You can use any dictionary source Dovecot can read from - but if the dictionary also supports writing then any manipulation of ACLs will automatically update the dictionary.
>> What the above implies, and I will now state explicitly, is that while global ACLs provide *access* they do not *publish* that access. A dictionary must be manually updated to list those mailboxes.
> What I understand is that ACLs are purely filesystem-based, i.e. no LDAP backend, and one has to sync LDAP to respective ACLs "manually".
> If I follow what you have said, one could have an equal result with a database, syncing ACLs "manually" from LDAP, and doveadm will make sure that the database backend will be up-to-date.
First, I provide the disclaimer that I don't use LDAP. I had it years ago and I'm quite happy to leave it behind. So I can't give you current LDAP/Dovecot experience. However, a quick read of the page you reference shows LDAP is read-only. Which means while you could theoretically use LDAP for a global ACL source - trying to use it for per-user shares would require quite a bit of manual effort for every change. I believe the technical term for such a setup is "masochistic".
I totally understand the desire to have a single database for general config purposes - however I think you're trying to use a power drill as a hammer. Leave your authentication database, i.e. LDAP, alone and let your mail server do its thing. Consider the mail store an entity as a whole - not just the messages, but the format, the folder structure, and the ACLs as a "black box" and I think you'll save yourself a lot of frustration. Dovecot (in my own uninformed opinion) is designed to be (mostly) autonomous and file-based - any database support is just for user/passwords and leave it at that.
If you want per-user shares just use the example at the top of the wiki page. From my own config:

plugin {
  acl = vfile
  acl_shared_dict = file:/var/mail/%d/shared-mailboxes
}

based on a mail_location of "sdbox:/var/mail/%d/%n/sdbox".
-- Daniel
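Daniel's two points, that a global ACL line such as "* user=foo lrw" grants rights on every matching mailbox of every owner, and that access granted this way is not published anywhere for the shared namespace to list, are easier to see with a small evaluator. The Python below is an added example written for this page, not code from the thread or from Dovecot. It parses lines in the global ACL file format (mailbox pattern, identifier, rights), computes the rights a user ends up with on another user's mailbox, and then lists the acl_shared_dict keys that would have to exist for that user to be able to see the share at all. The owners alice and foo, the user bob, the group devs, the mailbox names and the ACL lines are all constructed. Two simplifications are assumptions rather than verified Dovecot behaviour: every matching pattern line is applied (positive rights ORed, negative "-" entries subtracted afterwards), and an owner with no explicit "owner" line keeps all rights. The dictionary key layout follows the Dovecot ACL documentation's description of acl_shared_dict; check both against a real server with "doveadm acl debug -u <user> <mailbox>" before relying on them.

```python
"""Toy evaluator for Dovecot-style global ACL lines (added example, not Dovecot code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Right letters as used in dovecot-acl files: l=lookup r=read w=write(flags)
# s=write-seen t=write-deleted i=insert p=post e=expunge k=create x=delete a=admin
ALL_RIGHTS = frozenset("lrwstipekxa")
RIGHT_NAMES = {
    "lookup": "l", "read": "r", "write": "w", "write-seen": "s",
    "write-deleted": "t", "insert": "i", "post": "p", "expunge": "e",
    "create": "k", "delete": "x", "admin": "a",
}


@dataclass(frozen=True)
class Rule:
    pattern: str        # mailbox name as the *owner* sees it, e.g. "*", "INBOX", "Projects/*"
    negative: bool      # identifier prefixed with "-": these rights are taken away
    ident: str          # owner | anyone | authenticated | user=<name> | group=<name>
    rights: frozenset


def parse_rights(tokens):
    """Accept letter strings ("lrw") or long names ("lookup read")."""
    rights = set()
    for tok in tokens:
        if tok in RIGHT_NAMES:
            rights.add(RIGHT_NAMES[tok])
        elif tok and set(tok) <= ALL_RIGHTS:
            rights.update(tok)
        else:
            raise ValueError(f"unknown right {tok!r}")
    return frozenset(rights)


def parse_global_acl(text):
    """Parse '<mailbox-pattern> <identifier> <rights...>' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed ACL line {raw!r}")
        pattern, ident, *right_tokens = parts
        rules.append(Rule(pattern, ident.startswith("-"),
                          ident.lstrip("-"), parse_rights(right_tokens)))
    return rules


def ident_matches(ident, user, owner, groups):
    if ident == "anyone":
        return True
    if ident == "authenticated":
        return user is not None
    if ident == "owner":
        return user == owner
    if ident.startswith("user="):
        return user == ident[len("user="):]
    if ident.startswith("group="):
        return ident[len("group="):] in groups
    return False


def effective_rights(rules, owner, mailbox, user, groups=()):
    """Rights `user` ends up with on `owner`'s mailbox `mailbox`.

    Assumptions (not verified against Dovecot): all matching lines apply, positive
    rights are ORed, negatives are subtracted afterwards, and an owner without an
    explicit 'owner' line keeps every right.
    """
    hits = [r for r in rules
            if fnmatchcase(mailbox, r.pattern)
            and ident_matches(r.ident, user, owner, groups)]
    granted, denied = set(), set()
    for r in hits:
        (denied if r.negative else granted).update(r.rights)
    if user == owner and not any(r.ident == "owner" for r in hits):
        granted |= ALL_RIGHTS
    return frozenset(granted - denied)


def shared_dict_keys(rules, owners, users, mailboxes):
    """acl_shared_dict keys needed so that `users` can *list* what the ACLs grant.

    A global ACL file grants access but never writes these keys; they are what
    would have to be published (key layout per the Dovecot ACL docs, assumed here).
    """
    keys = set()
    for owner in owners:
        for user in users:
            if user != owner and any("l" in effective_rights(rules, owner, mb, user)
                                     for mb in mailboxes):
                keys.add(f"shared/shared-boxes/user/{user}/{owner}")
    return keys


# Constructed sample: the line from the thread plus two more (hypothetical names).
SAMPLE_ACL = """\
# global ACL file, e.g. acl = vfile:/etc/dovecot/dovecot-acl (constructed example)
* user=foo lrw
INBOX -user=foo w            # take flag-writing on INBOX back from foo
Projects/* group=devs lookup read
"""

if __name__ == "__main__":
    rules = parse_global_acl(SAMPLE_ACL)
    for mb in ("INBOX", "Sent", "Projects/x"):
        print(mb, "foo ->", "".join(sorted(effective_rights(rules, "alice", mb, "foo"))))
    print(sorted(shared_dict_keys(rules, ["alice", "foo"], ["alice", "foo", "bob"], ["INBOX", "Sent"])))
```

Running it shows foo holding "lr" on alice's INBOX and "lrw" on her Sent, while the only dictionary key the shared namespace would need is shared/shared-boxes/user/foo/alice; nothing in the ACL file itself produces that key, which is the gap between *granting* and *publishing* access that the thread turns on.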