[Dovecot] Easy way to make all mailboxes of a user read-only
Hello all,
I try to configure dovecot to make all imap accesses read-only for a certain user. I thought this would be possible by creating a global acl file (here "global-acl") like:
user=<username> lr
and
plugin { acl = vfile:/etc/dovecot/global-acls:cache_secs=300 }
But that seems to be ignored. What is wrong with this idea? The docs are not really clear about a single acl file with global settings.
-- Regards, Stephan
On 11.4.2013, at 15.07, Stephan von Krawczynski <skraw@ithnet.com> wrote:
I try to configure dovecot to make all imap accesses read-only for a certain user. I thought this would be possible by creating a global acl file (here "global-acl") like:
Sorry, there is still no "default ACLs" feature in Dovecot. The only semi-easy way to do what you want is using filesystem permissions.
This is something that really should be developed though... But probably not until v2.3.
On Thu, 11 Apr 2013 16:00:22 +0300 Timo Sirainen <tss@iki.fi> wrote:
On 11.4.2013, at 15.07, Stephan von Krawczynski <skraw@ithnet.com> wrote:
I try to configure dovecot to make all imap accesses read-only for a certain user. I thought this would be possible by creating a global acl file (here "global-acl") like:
Sorry, there is still no "default ACLs" feature in Dovecot. The only semi-easy way to do what you want is using filesystem permissions.
This is something that really should be developed though... But probably not until v2.3.
Oh, that is _bad_. I cannot use fs permissions because the MTA (postfix) must have write permissions (to the directories) to create the mail files...
-- Regards, Stephan
On 11.4.2013, at 16.07, Stephan von Krawczynski <skraw@ithnet.com> wrote:
On Thu, 11 Apr 2013 16:00:22 +0300 Timo Sirainen <tss@iki.fi> wrote:
On 11.4.2013, at 15.07, Stephan von Krawczynski <skraw@ithnet.com> wrote:
I try to configure dovecot to make all imap accesses read-only for a certain user. I thought this would be possible by creating a global acl file (here "global-acl") like:
Sorry, there is still no "default ACLs" feature in Dovecot. The only semi-easy way to do what you want is using filesystem permissions.
This is something that really should be developed though... But probably not until v2.3.
Oh, that is _bad_. I cannot use fs permissions because the MTA (postfix) must have write permissions (to the directories) to create the mail files...
The MTA can work as it used to, if it can just set a group-read permission to the files. So your read-only user would belong to that read-only-group. I'm not sure how Postfix assigns permissions, but if it can't do that you could switch to Dovecot LDA/LMTP which can set the group correctly.
On Thu, 11 Apr 2013 16:15:23 +0300 Timo Sirainen <tss@iki.fi> wrote:
On 11.4.2013, at 16.07, Stephan von Krawczynski <skraw@ithnet.com> wrote:
On Thu, 11 Apr 2013 16:00:22 +0300 Timo Sirainen <tss@iki.fi> wrote:
On 11.4.2013, at 15.07, Stephan von Krawczynski <skraw@ithnet.com> wrote:
I try to configure dovecot to make all imap accesses read-only for a certain user. I thought this would be possible by creating a global acl file (here "global-acl") like:
Sorry, there is still no "default ACLs" feature in Dovecot. The only semi-easy way to do what you want is using filesystem permissions.
This is something that really should be developed though... But probably not until v2.3.
Oh, that is _bad_. I cannot use fs permissions because the MTA (postfix) must have write permissions (to the directories) to create the mail files...
The MTA can work as it used to, if it can just set a group-read permission to the files. So your read-only user would belong to that read-only-group. I'm not sure how Postfix assigns permissions, but if it can't do that you could switch to Dovecot LDA/LMTP which can set the group correctly.
That is not the problem. I can set any type of permission on the mail file itself. Only it does not help because dovecot nevertheless is able to move the mails around or "delete" them by moving to trash box.
-- Regards, Stephan
On 11.4.2013, at 16.24, Stephan von Krawczynski <skraw@ithnet.com> wrote:
The MTA can work as it used to, if it can just set a group-read permission to the files. So your read-only user would belong to that read-only-group. I'm not sure how Postfix assigns permissions, but if it can't do that you could switch to Dovecot LDA/LMTP which can set the group correctly.
That is not the problem. I can set any type of permission on the mail file itself. Only it does not help because dovecot nevertheless is able to move the mails around or "delete" them by moving to trash box.
No, the idea was to use two UNIX users:
the user that owns the mails and has read-write access
another read-only user that does not own the mails, has only group-read access, and can't do anything at all to the mails.
The directories need to have similar permissions as well (750).
On Thu, 11 Apr 2013 16:35:32 +0300 Timo Sirainen <tss@iki.fi> wrote:
On 11.4.2013, at 16.24, Stephan von Krawczynski <skraw@ithnet.com> wrote:
The MTA can work as it used to, if it can just set a group-read permission to the files. So your read-only user would belong to that read-only-group. I'm not sure how Postfix assigns permissions, but if it can't do that you could switch to Dovecot LDA/LMTP which can set the group correctly.
That is not the problem. I can set any type of permission on the mail file itself. Only it does not help because dovecot nevertheless is able to move the mails around or "delete" them by moving to trash box.
No, the idea was to use two UNIX users:
the user that owns the mails and has read-write access
another read-only user that does not own the mails, has only group-read access, and can't do anything at all to the mails.
The directories need to have similar permissions as well (750).
That's about as complicated as patching the MTA to auto-create the acl file, which I did now. I'd say global acls would be a nice coming feature ;-)
-- Regards, Stephan
On Thu, 11 Apr 2013 16:00:22 +0300 Timo Sirainen <tss@iki.fi> wrote:
On 11.4.2013, at 15.07, Stephan von Krawczynski <skraw@ithnet.com> wrote:
I try to configure dovecot to make all imap accesses read-only for a certain user. I thought this would be possible by creating a global acl file (here "global-acl") like:
Sorry, there is still no "default ACLs" feature in Dovecot. The only semi-easy way to do what you want is using filesystem permissions.
This is something that really should be developed though... But probably not until v2.3.
And I just checked another thing: even when setting permissions to 400, the owner can still move mails to trash (seems to be a rename?). That is definitely not read-only.
-- Regards, Stephan
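As an added illustration (not code from the thread), this Python script reproduces the two observations above: a 0400 mode on the message file does not stop its owner from moving it to Trash, because Maildir moves and flag changes are directory-level renames, whereas directories without write permission do stop it. The 0500 directory mode is an assumption standing in for Timo's second UID that only has group-read on 0750 directories, since the script cannot switch users.

```python
import os
import tempfile


def _make_maildir(root):
    """Build a tiny Maildir-like tree with one constructed message (sample data only)."""
    cur = os.path.join(root, "cur")
    trash_cur = os.path.join(root, ".Trash", "cur")
    os.makedirs(cur)
    os.makedirs(trash_cur)
    # Maildir file names carry the flags after ":2,", so even marking a mail
    # as read is a rename, not a write to the file itself.
    msg = os.path.join(cur, "1365688000.M1P1.example:2,S")
    with open(msg, "w") as fh:
        fh.write("Subject: constructed sample\n\nbody\n")
    return cur, trash_cur, msg


def running_as_root():
    """rename() ignores mode bits for root, so the directory case only means something unprivileged."""
    return os.geteuid() == 0


def try_move_to_trash(readonly_file, readonly_dirs):
    """Return True if the message could be renamed from cur/ into .Trash/cur/.

    readonly_file: chmod the message to 0400 (Stephan's experiment).
    readonly_dirs: chmod both directories to 0500 (assumed stand-in for a
    non-owning UID that only has group-read on 0750 directories).
    """
    with tempfile.TemporaryDirectory() as root:
        cur, trash_cur, msg = _make_maildir(root)
        if readonly_file:
            os.chmod(msg, 0o400)
        if readonly_dirs:
            os.chmod(cur, 0o500)
            os.chmod(trash_cur, 0o500)
        try:
            os.rename(msg, os.path.join(trash_cur, os.path.basename(msg)))
            return True
        except PermissionError:
            return False
        finally:
            # give write permission back so the temporary tree can be cleaned up
            os.chmod(cur, 0o700)
            os.chmod(trash_cur, 0o700)


if __name__ == "__main__":
    print("0400 file, writable dirs -> moved:", try_move_to_trash(True, False))
    print("0644 file, 0500 dirs     -> moved:", try_move_to_trash(False, True))
```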
On 11.04.2013 15:00, Timo Sirainen wrote:
On 11.4.2013, at 15.07, Stephan von Krawczynski <skraw@ithnet.com> wrote:
I try to configure dovecot to make all imap accesses read-only for a certain user. I thought this would be possible by creating a global acl file (here "global-acl") like:
Sorry, there is still no "default ACLs" feature in Dovecot. The only semi-easy way to do what you want is using filesystem permissions.
This is something that really should be developed though... But probably not until v2.3.
I tested something similar, setting ACLs by using a Sieve external program, but in the end it got too complex, so I did another solution layout. But you may try it on your own.
Best Regards, Robert Schetterer
-- sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Registered office: Munich, Munich Local Court: HRB 199263. Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer. Chairman of the supervisory board: Joerg Heidrich
Let me explain some more details, that seem important to understand:
I cannot use acl files per folder/mailbox because the MTA creates folders dynamically (re-orders mails in folders). So I really would need some idea to tell dovecot to let a certain user access his mailbox/folders read-only, no matter how many. A global acl _file_ would do that, or an acl-file that works for a whole tree of folders. A global acl directory does not help, because I would have to know the names of every single folder/mailbox to create the correct acl-file in the global directory.
-- Regards, Stephan
On 11.04.2013 15:05, Stephan von Krawczynski wrote:
Let me explain some more details, that seem important to understand:
I cannot use acl files per folder/mailbox because the MTA creates folders dynamically (re-orders mails in folders)
Why does the MTA do that?
Normally the MTA should only decide to reject or accept a message and deliver it via LMTP to the LDA, which can then filter via Sieve or whatever, and from this moment on any dynamically created folder would be created in the Dovecot world.
On Thu, 11 Apr 2013 15:08:31 +0200 Reindl Harald <h.reindl@thelounge.net> wrote:
On 11.04.2013 15:05, Stephan von Krawczynski wrote:
Let me explain some more details, that seem important to understand:
I cannot use acl files per folder/mailbox because the MTA creates folders dynamically (re-orders mails in folders)
Why does the MTA do that?
Normally the MTA should only decide to reject or accept a message and deliver it via LMTP to the LDA, which can then filter via Sieve or whatever, and from this moment on any dynamically created folder would be created in the Dovecot world.
I cannot further explain the background; you have to believe that there is a good reason for this implementation. It is not a standard mail service.
-- Regards, Stephan
participants (4): Reindl Harald, Robert Schetterer, Stephan von Krawczynski, Timo Sirainen