I'm running dovecot 2.2.16 on my FreeBSD mail server. I've read information on the wiki about setting up shared mailboxes, but I want to do something that isn't really covered by the instructions I was reading there. My son (now 7 years old) has an account on the system, but doesn't use it directly. But, for things he's interested in like Minecraft, and/or the local zoo, we have given out his email address in a small number of places. What I would like to set up, both for now while he's not actually ever reading his email himself, and perhaps even for the future when we teach and/or allow for that, is for my wife and I to be able to "view" his inbox from our accounts.
The instructions for setting up shared folders all are written so that they're secondary folders to all accounts. Is there a way to either (a) configure sharing someone else's Inbox by other accounts, or (b) setting up a separately configured shared folder to _act_ as the inbox for a single account?
Thanks. Any suggestions to achieve the above described end goal would be appreciated.
- Chris
May 25 2015 1:01 PM, "Chris Ross" <cross+dovecot@distal.com> wrote:
> I'm running dovecot 2.2.16 on my FreeBSD mail server. I've read information on the wiki about setting up shared mailboxes, but I want to do something that isn't really covered by the instructions I was reading there. My son (now 7 years old) has an account on the system, but doesn't use it directly. But, for things he's interested in like Minecraft, and/or the local zoo, we have given out his email address in a small number of places. What I would like to set up, both for now while he's not actually ever reading his email himself, and perhaps even for the future when we teach and/or allow for that, is for my wife and I to be able to "view" his inbox from our accounts.
> The instructions for setting up shared folders all are written so that they're secondary folders to all accounts. Is there a way to either (a) configure sharing someone else's Inbox by other accounts, or (b) setting up a separately configured shared folder to _act_ as the inbox for a single account?
> Thanks. Any suggestions to achieve the above described end goal would be appreciated.
> - Chris
I'll assume you've seen these: http://wiki2.dovecot.org/SharedMailboxes/Shared and http://wiki2.dovecot.org/ACL
When I set them up that way, I shared the target inbox (we'll call it foo@example.com) to be accessible by user bar@example.com. When I go into my email client, I'll see something like: shared/foo@example.com/INBOX as a folder.
To give bar@ access to foo@'s INBOX, I ran something like this:
    doveadm acl add \
      -u foo@example.com \
      INBOX user=bar@example.com \
      lookup read write write-seen write-deleted insert \
      post expunge create delete admin
http://wiki2.dovecot.org/Tools/Doveadm/ACL covers the details of what all of the "lookup read..." bits and more do.
The boxes don't have to be shared publicly if you use the "private" namespace.
Hopefully that helps!
Cheers, Drew Csillag
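Added example (not part of the original thread or of Dovecot): with the vfile backend, a grant like the one in the message above is stored as a line of one-letter rights in the mailbox's dovecot-acl file. The sketch below parses such content and lists every non-owner identifier whose rights go beyond a view-only set; the sample content and the VIEW_ONLY policy are assumptions made for illustration.

```python
# Added example: audit Dovecot vfile ACL content for grants wider than "view only".
# One-letter rights as used in the dovecot-acl file format.
RIGHTS = {
    "l": "lookup", "r": "read", "w": "write", "s": "write-seen",
    "t": "write-deleted", "i": "insert", "p": "post", "e": "expunge",
    "k": "create", "x": "delete", "a": "admin",
}

# Assumed policy for someone who should only look at mail (not from the thread).
VIEW_ONLY = {"lookup", "read", "write-seen"}

# Constructed sample: the second line is what granting every right looks like.
SAMPLE = (
    "owner lrwstipekxa\n"
    "user=bar@example.com lrwstipekxa\n"
    "user=baz@example.com lrs\n"
)

def parse_acl(text):
    """Map each identifier to the set of right names it is granted."""
    grants = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks and negative ("-identifier") entries, which only remove rights.
        if not line or line.startswith("-"):
            continue
        ident, _, rest = line.partition(" ")
        letters = rest.split(":", 1)[0].strip()  # ignore named rights after ':'
        unknown = set(letters) - set(RIGHTS)
        if unknown:
            raise ValueError(f"unknown right letters {sorted(unknown)} for {ident}")
        grants.setdefault(ident, set()).update(RIGHTS[c] for c in letters)
    return grants

def excess_rights(text, allowed=VIEW_ONLY):
    """Return {identifier: sorted rights beyond `allowed`} for non-owner entries."""
    report = {}
    for ident, rights in parse_acl(text).items():
        extra = rights - allowed
        if ident != "owner" and extra:
            report[ident] = sorted(extra)
    return report

if __name__ == "__main__":
    for ident, extra in excess_rights(SAMPLE).items():
        print(f"{ident}: beyond view-only -> {', '.join(extra)}")
```

The admin right is worth checking for in particular, since it lets the grantee change the mailbox's ACL.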
On May 25, 2015, at 15:55 , andy@thecsillags.com wrote:
> I'll assume you've seen these: http://wiki2.dovecot.org/SharedMailboxes/Shared and http://wiki2.dovecot.org/ACL
Yup, I'd looked at those, but still left not understanding all of the options. And you gave a doveadm command, which I appreciate very much, but surprises me since the materials in the ACL wiki page are all about file contents. But I'll try your command.
> When I set them up that way, I shared the target inbox (we'll call it foo@example.com) to be accessible by user bar@example.com. When I go into my email client, I'll see something like: shared/foo@example.com/INBOX as a folder.
When you say "set them up that way", do you mean following the example config at SharedMailboxes/Shared ? In that example, a mail_location is set at the outer level, which I think I don't want to do, and overridden in the shared namespace. I'm assuming I don't want either of those, or at least that's what I'm going to try first.
A question I have given your example above, is, did you set mail_shared_explicit_inbox ? It's only briefly described what that affects, so I'm not sure which setting (on or off) will cause the shared/foo@example.com/INBOX you describe seeing. I assume on, so I've turned it on.
> To give bar@ access to foo@'s INBOX, I ran something like this:
>
>     doveadm acl add \
>       -u foo@example.com \
>       INBOX user=bar@example.com \
>       lookup read write write-seen write-deleted insert \
>       post expunge create delete admin
>
> http://wiki2.dovecot.org/Tools/Doveadm/ACL covers the details of what all of the "lookup read..." bits and more do.
> The boxes don't have to be shared publicly if you use the "private" namespace.
By "use the "private" namespace", do you mean specifying a separate namespace block in the config, like the one is declared in the example at http://wiki2.dovecot.org/SharedMailboxes/Shared ? If so, that's what I've done. If there is a way to have a single namespace declared that's both private and shared, I don't see that, so I have two as presented on that wiki page.
And did/do you have "subscriptions=no" and "list=children" defined? Again, as they're only briefly described, I'm not 100% sure I understand the difference in behavior I'll see with different settings.
And I'm pretty sure I read that there are ways to have mailboxes shared such that who has or hasn't read contents of the mailboxes is stored within the mailbox, and also ways to have it stored per reading user. I'm not sure which I'll be seeing/using here.
Thanks. I'll ask more questions if I have more questions after a little trial and error on my own server. :-) Thanks for your help!
- Chris
On May 27, 2015, at 22:57 , Chris Ross <cross+dovecot@distal.com> wrote:
> On May 25, 2015, at 15:55 , andy@thecsillags.com wrote:
>> When I set them up that way, I shared the target inbox (we'll call it foo@example.com) to be accessible by user bar@example.com. When I go into my email client, I'll see something like: shared/foo@example.com/INBOX as a folder.
> When you say "set them up that way", do you mean following the example config at SharedMailboxes/Shared ? In that example, a mail_location is set at the outer level, which I think I don't want to do, and overridden in the shared namespace. I'm assuming I don't want either of those, or at least that's what I'm going to try first.
> A question I have given your example above, is, did you set mail_shared_explicit_inbox ? It's only briefly described what that affects, so I'm not sure which setting (on or off) will cause the shared/foo@example.com/INBOX you describe seeing. I assume on, so I've turned it on.
>> The boxes don't have to be shared publicly if you use the "private" namespace.
> By "use the "private" namespace", do you mean specifying a separate namespace block in the config, like the one is declared in the example at http://wiki2.dovecot.org/SharedMailboxes/Shared ? If so, that's what I've done. If there is a way to have a single namespace declared that's both private and shared, I don't see that, so I have two as presented on that wiki page.
Okay. Lots of trial and error and error, and I at least have some configuration that I think includes pieces about shared mailboxes and ACLs, and it's actually up and running. But, I'm not seeing the shared folder.
I was getting a lot of errors about separators (namespace configuration error: All list=yes namespaces must use the same separator) and prefixes (namespace configuration error: list=yes requires prefix=/ not to start with separator), but have it working now. The namespace private block from the example at http://wiki2.dovecot.org/SharedMailboxes/Public caused many of those problems, and I didn't have a separator configured at all (ie, was still commented out) in my main namespace, so that apparently conflicted with the "separator = /" in the shared namespace. But, all that resolved.
The config file I've added into conf.d/15-shared.conf is:
    namespace {
      type = shared
      separator = /
      prefix = shared/%%u/
      location = maildir:/home/%%n/Maildir:INDEX=~/Maildir/shared/%%u:INDEXPVT=~/Maildir/shared/%%u
      subscriptions = no
      list = children
    }
    mail_shared_explicit_inbox = yes
    protocol imap {
      mail_plugins = $mail_plugins acl imap_acl
    }
    plugin {
      acl = vfile
    }
This comes from the aforementioned wiki page. I ran the doveadm acl command you suggested (though my usernames have no domain part, like your example did have domain parts).
Now, while dovecot is back to working, I don't see a shared folder anywhere. "doveadm mailbox list" lists the mailboxes for users, including the INBOX I've tried to configure an ACL to let me share.
Clearly I'm missing a piece. Andy, or anyone else, if you see what I've missed, please let me know. I'm not seeing anything back from the server with my mail client under "Subscription List", so I can't choose to subscribe. Maybe I've turned off subscriptions somehow, and it's not auto-subscribing me? Or, maybe having "list=children", and I haven't set up the ACL correctly?
I ran:
sudo doveadm acl add -u childuser INBOX user=cross lookup read write write-seen write-deleted insert post expunge create delete admin
After removing the domains from your example, that's about what you had. I can see the INBOX for childuser with "doveadm mailbox list -u childuser".
Ahh. I think I may be on to something. I tried the "doveadm acl add" again, which seems to succeed, but "doveadm acl debug" then doesn't mention anything about me, or my access to childuser's INBOX. Running the "acl add" with "doveadm -D" shows:
doveadm(childuser): Debug: acl: No acl_shared_dict setting - shared mailbox listing is disabled
and later:
doveadm(childuser): Debug: acl vfile: Global ACLs disabled
The first of those looks like it might be a problem. Do you have an "acl_shared_dict" set up in your config anywhere, Andy?
Thanks. Any help appreciated.
- Chris
Chris,
I do indeed have an acl_shared_dict set up. That may be the ticket. That makes it so that the IMAP server knows that you have acls on the other mailbox, so it can know to then look in that mailbox to find out precisely what the ACLs are.
Cheers, Andy
May 28 2015 12:49 AM, "Chris Ross" <cross+dovecot@distal.com> wrote:
> [...]
On May 28, 2015, at 09:08, andy@thecsillags.com wrote:
> Chris,
> I do indeed have an acl_shared_dict set up. That may be the ticket. That makes it so that the IMAP server knows that you have acls on the other mailbox, so it can know to then look in that mailbox to find out precisely what the ACLs are.
Okay. I did set up an acl_shared_dict, but I’m not sure the file ownership/permissions aren’t somewhat in the way. It appears dovecot, and doveadm, operate as the user in question, and I think the permission problems may be getting in my way. I eventually made ~childuser/Maildir group readable (to a group I’m in), and then was seeing permission denied issues when I tried:
    % sudo doveadm acl debug -u cross shared/childuser/INBOX
    […]
    doveadm(cross): Error: open(/home/childuser/Maildir/dovecot-acl-list) failed: Permission denied
So, I made that file readable to a group I’m in, and that went away, but acl debug still shows no access. I think UNIX permissions are what is impeding my progress at the moment. Is that normal? Any idea how you’re avoiding this problem, Andy?
On May 28, 2015, at 23:57, G H <uothrawn@yahoo.com> wrote:
> Look in to dovecot's master user feature as well.
Okay. This looks like it may help with my above problem. I haven’t looked into it yet, but will check on that as it sounds valuable. Thanks!
- Chris
On May 25, 2015 12:59:45 PM EDT, Chris Ross <cross+dovecot@distal.com> wrote:
> I'm running dovecot 2.2.16 on my FreeBSD mail server. I've read information on the wiki about setting up shared mailboxes, but I want to do something that isn't really covered by the instructions I was reading there. My son (now 7 years old) has an account on the system, but doesn't use it directly. But, for things he's interested in like Minecraft, and/or the local zoo, we have given out his email address in a small number of places. What I would like to set up, both for now while he's not actually ever reading his email himself, and perhaps even for the future when we teach and/or allow for that, is for my wife and I to be able to "view" his inbox from our accounts.
> The instructions for setting up shared folders all are written so that they're secondary folders to all accounts. Is there a way to either (a) configure sharing someone else's Inbox by other accounts, or (b) setting up a separately configured shared folder to _act_ as the inbox for a single account?
> Thanks. Any suggestions to achieve the above described end goal would be appreciated.
> - Chris
Look in to dovecot's master user feature as well.