[Dovecot] Making shared folders "unmovable"
I have set up an area of shared folders with Dovecot 1.2 that is accessed by several people (by way of one account, and everyone who logs in sees these same folders), and the only problem with this setup is that occasionally somebody moves one of the folders underneath another folder or somewhere else in the folder structure, and this sometimes disrupts some automatic procmail filters and the like.
Is there a way to keep folders in a shared setup such as this "static" or "unmovable" so that the users can't disrupt the structure? Like, where the folder structure itself can't be changed, but new messages can still come in to the folders?
David
On Ter, 2011-01-11 at 12:27 -0600, Dave wrote:
> I have set up an area of shared folders with Dovecot 1.2 that is accessed by several people (by way of one account, and everyone who logs in sees these same folders), and the only problem with this setup is that occasionally somebody moves one of the folders underneath another folder or somewhere else in the folder structure, and this sometimes disrupts some automatic procmail filters and the like.
> Is there a way to keep folders in a shared setup such as this "static" or "unmovable" so that the users can't disrupt the structure? Like, where the folder structure itself can't be changed, but new messages can still come in to the folders?
You may be able to do that with ACLs.
-- Jose Celestino | http://japc.uncovering.org/files/japc-pgpkey.asc
"Assumption is the Mother of Screw-Up" -- Mr. John Elwood Hale
Jose Celestino wrote:
> On Ter, 2011-01-11 at 12:27 -0600, Dave wrote:
>> I have set up an area of shared folders with Dovecot 1.2 that is accessed by several people (by way of one account, and everyone who logs in sees these same folders), and the only problem with this setup is that occasionally somebody moves one of the folders underneath another folder or somewhere else in the folder structure, and this sometimes disrupts some automatic procmail filters and the like.
>> Is there a way to keep folders in a shared setup such as this "static" or "unmovable" so that the users can't disrupt the structure? Like, where the folder structure itself can't be changed, but new messages can still come in to the folders?
> You may be able to do that with ACLs.
Jose is right. Take away the x and k rights with ACLs.
Well, I've tried ACLs before and had no success, which I remembered when looking back through the config file to try it now. :) But, perhaps I'm missing something obvious! Here's what I've done: I enabled the ACL features in IMAP with "mail_plugins = acl imap_acl" under the "protocol imap {" section, as instructed in the wiki. I also added "acl = vfile" under the "plugin {" section. I HUPped Dovecot so as to re-read the config, and put a "dovecot-acl" in Maildir/.TestFolder that contains 1 line: anyone lrwstipea
So, in theory, that should do it right? No "x" and no "k" permissions in that list for "anyone", yet I can still delete, move, and rename the "TestFolder" folder (in which that dovecot-acl file resides, on disk in the folder above) through my mail client. What am I missing? Clearly something! :) (I haven't tried restarting Dovecot yet as there are some people using the mailbox at the moment, fwiw.) Dave
On 1/11/2011 4:11 PM, Willie Gillespie wrote:
> Jose Celestino wrote:
>> You may be able to do that with ACLs.
> Jose is right. Take away the x and k rights with ACLs.
On 2011-01-11 3:37 PM, Dave wrote:
> Well, I've tried ACLs before and had no success, which I remembered when looking back through the config file to try it now. :) But, perhaps I'm missing something obvious! Here's what I've done: I enabled the ACL features in IMAP with "mail_plugins = acl imap_acl" under the "protocol imap {" section, as instructed in the wiki. I also added "acl = vfile" under the "plugin {" section. I HUPped Dovecot so as to re-read the config, and put a "dovecot-acl" in Maildir/.TestFolder that contains 1 line: anyone lrwstipea
> So, in theory, that should do it right? No "x" and no "k" permissions in that list for "anyone", yet I can still delete, move, and rename the "TestFolder" folder (in which that dovecot-acl file resides, on disk in the folder above) through my mail client. What am I missing? Clearly something! :) (I haven't tried restarting Dovecot yet as there are some people using the mailbox at the moment, fwiw.) Dave
> On 1/11/2011 4:11 PM, Willie Gillespie wrote:
>> Jose Celestino wrote:
>>> You may be able to do that with ACLs.
>> Jose is right. Take away the x and k rights with ACLs.
From the WIKI at http://wiki1.dovecot.org/SharedMailboxes/Shared
By default Dovecot doesn't allow using the IMAP "anyone" or "authenticated" identifier, because it would be an easy way to spam other users in the system. If you wish to allow it, set:
plugin {
  acl_anyone = allow
}
Note that you can also do this only for some users by returning the acl_anyone as userdb extra field <http://wiki1.dovecot.org/UserDatabase/ExtraFields>.
-Greg
> By default Dovecot doesn't allow using the IMAP "anyone" or "authenticated" identifier, because it would be an easy way to spam other users in the system. If you wish to allow it, set:
> plugin {
>   acl_anyone = allow
> }
Greg, thanks for your reply, I missed that in the wiki about the "anyone" identifier. I will try that setting that you mention, BUT I don't know that it will work because before I tried using "anyone" as the identifier I tried using the username I was logging into the account with (using the "user=" parameter in place of "anyone"), and that didn't work either. :(
...
OK, I tried it with the username I use to login to the account instead of "anyone", and with "owner" as Timo suggested (thank you as well), and neither of those worked. My dovecot-acl contained "user=dave lrwstipea" in the first case and "owner lrwstipea" in the second, and neither is making a difference, I can still rename/delete/etc that folder. Any other thoughts?? I don't need to restart dovecot or reload the config or anything if I make a change to the dovecot-acl file do I?
David
On 2011-01-12 9:41 AM, Dave wrote:
>> By default Dovecot doesn't allow using the IMAP "anyone" or "authenticated" identifier, because it would be an easy way to spam other users in the system. If you wish to allow it, set:
>> plugin {
>>   acl_anyone = allow
>> }
> Greg, thanks for your reply, I missed that in the wiki about the "anyone" identifier. I will try that setting that you mention, BUT I don't know that it will work because before I tried using "anyone" as the identifier I tried using the username I was logging into the account with (using the "user=" parameter in place of "anyone"), and that didn't work either. :(
> ...
> OK, I tried it with the username I use to login to the account instead of "anyone", and with "owner" as Timo suggested (thank you as well), and neither of those worked. My dovecot-acl contained "user=dave lrwstipea" in the first case and "owner lrwstipea" in the second, and neither is making a difference, I can still rename/delete/etc that folder. Any other thoughts?? I don't need to restart dovecot or reload the config or anything if I make a change to the dovecot-acl file do I?
> David
I have this in my public namespace, and it works well:
authenticated lrs
user=gfinch lrwstipekxa
What does your dovecot -n say?
-Greg
> I have this in my public namespace, and it works well: ... What does your dovecot -n say?
I assume these are the lines you're looking for from dovecot -n?
mail_plugins: acl imap_acl
plugin:
  acl: vfile
Also, I just saw when I ran that command that it's Dovecot 1.1 series.
Not 1.2 series. My bad. :( Will that make a difference? I also am not
super-familiar with namespaces, so I don't know that any are set up in
any way. I'll look at the documentation for namespaces.
David
On 2011-01-12 1:10 PM, Dave wrote:
>> I have this in my public namespace, and it works well: ... What does your dovecot -n say?
> I assume these are the lines you're looking for from dovecot -n?
> mail_plugins: acl imap_acl
> plugin:
>   acl: vfile
> Also, I just saw when I ran that command that it's Dovecot 1.1 series. Not 1.2 series. My bad. :( Will that make a difference? I also am not super-familiar with namespaces, so I don't know that any are set up in any way. I'll look at the documentation for namespaces.
> David
It is supposed to still work with 1.1; you just don't have the ability to use IMAP to change ACLs.
One thing to check is that the dovecot-acl file you created has the same owner and permissions as the folder in which it resides.
Also note that you will need the dovecot-acl file in every folder that you want it to apply to, including the sub-folders. ACLs are only inherited by new folders from their parent when they are created.
-Greg
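The checks suggested in the replies above (a dovecot-acl file in every folder, matching the folder's owner and permissions, with x and k withheld), as an added Python example that is not part of the thread or of Dovecot. It assumes the Maildir++ layout, where every folder (sub-folders included) is a dot-prefixed directory directly under the Maildir, reads only plain "identifier rights" lines like those quoted in the thread, and interprets "same owner and permissions" as matching uid, gid and read/write bits; the folder names in `demo()` are constructed.

```python
import os
import tempfile

STRUCTURE_RIGHTS = set("kx")  # the rights the thread says to take away

def parse_acl(path):
    """Map identifier -> rights letters for lines such as 'owner lrwstipea'."""
    with open(path) as fh:
        fields = (line.split() for line in fh)
        return {f[0]: f[1] for f in fields if len(f) >= 2}

def audit(maildir):
    """Return (folder, problem) pairs for each Maildir++ folder directory."""
    findings = []
    for name in sorted(os.listdir(maildir)):
        folder = os.path.join(maildir, name)
        if not (name.startswith(".") and os.path.isdir(folder)):
            continue
        acl_path = os.path.join(folder, "dovecot-acl")
        if not os.path.isfile(acl_path):
            findings.append((name, "no dovecot-acl"))
            continue
        d, f = os.stat(folder), os.stat(acl_path)
        # Assumption: "same owner and permissions" = same uid, gid and rw bits.
        if (d.st_uid, d.st_gid, d.st_mode & 0o666) != (f.st_uid, f.st_gid, f.st_mode & 0o666):
            findings.append((name, "owner/mode differs from folder"))
        for ident, rights in parse_acl(acl_path).items():
            granted = "".join(sorted(STRUCTURE_RIGHTS & set(rights)))
            if granted:
                findings.append((name, f"{ident} grants {granted}"))
    return findings

def demo():
    """Audit a constructed Maildir: one locked folder, one sub-folder with no ACL, one open."""
    sample = {".TestFolder": ("owner lrwstipea\n", 0o600), ".TestFolder.Sub": None,
              ".Open": ("user=dave lrwstipekxa\n", 0o644)}
    with tempfile.TemporaryDirectory() as root:
        for name, acl in sample.items():
            folder = os.path.join(root, name)
            os.mkdir(folder, 0o700)
            if acl:
                path = os.path.join(folder, "dovecot-acl")
                with open(path, "w") as fh:
                    fh.write(acl[0])
                os.chmod(path, acl[1])
        return audit(root)
```

Calling `audit()` on a real Maildir path lists the folders that would still accept a rename or delete, or that a newly created sub-folder left uncovered.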
On 12.1.2011, at 1.37, Dave wrote:
> Well, I've tried ACLs before and had no success, which I remembered when looking back through the config file to try it now. :) But, perhaps I'm missing something obvious! Here's what I've done: I enabled the ACL features in IMAP with "mail_plugins = acl imap_acl" under the "protocol imap {" section, as instructed in the wiki. I also added "acl = vfile" under the "plugin {" section. I HUPped Dovecot so as to re-read the config, and put a "dovecot-acl" in Maildir/.TestFolder that contains 1 line: anyone lrwstipea
owner, not anyone
participants (5)
- Dave
- Gregory Finch
- Jose Celestino
- Timo Sirainen
- Willie Gillespie