[Dovecot] Problems with acl and shared namespace
Hi, I'm a Dovecot newbie and also new to this mailing list. I'm trying to configure a mail server with dovecot2, postfix and postfixadmin. At this time I struggle with ACL and shared namespaces.
My goal is that every user gets an archive area on a separate storage without quota (quota isn't running yet). With:
namespace {
  type = private
  separator = /
  prefix = "archiv/%u/"
  location = maildir:/var/data/archiv/%d/%n:INDEX=/var/data/indexes/archiv/%u:LAYOUT=fs
  inbox = no
  subscriptions = yes
  list = yes
}
I see the folder, but I can't subscribe to it (with Thunderbird or Roundcube). With Roundcube I can add a new folder below, so I use the trick:
autocreate5 = archiv/%u/archiv
autosubscribe5 = archiv/%u/archiv
This is OK as a workaround, or is this a "must be"?
But the user should also be able to share parts of the archiv mailbox with other users (partly on different domains). If I change the type of the namespace to shared, I can't access the archiv folder.
The logfile shows problems with the ACL (but also with the private namespace):
Jun 30 11:15:11 imap(test@example.com): Debug: Namespace : type=shared, prefix=archiv/test@example.com/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/data/archiv/example.com/test:INDEX=/var/data/indexes/archiv/test@example.com:LAYOUT=fs
Jun 30 11:15:11 imap(test@example.com): Debug: fs: root=/var/data/archiv/example.com/test, index=/var/data/indexes/archiv/test@example.com, control=, inbox=
Jun 30 11:15:11 imap(test@example.com): Debug: acl: initializing backend with data: vfile
Jun 30 11:15:11 imap(test@example.com): Debug: acl: acl username = test@example.com
Jun 30 11:15:11 imap(test@example.com): Debug: acl: owner = 0
Jun 30 11:15:11 imap(test@example.com): Debug: acl vfile: Global ACL directory: (none)
Jun 30 11:15:11 imap(test@example.com): Debug: Namespace : Using permissions from /var/data/mail/example.com/test: mode=0700 gid=-1
Jun 30 11:15:11 imap(test@example.com): Debug: acl vfile: file /var/data/archiv/example.com/test/dovecot-acl not found
Jun 30 11:15:11 imap(test@example.com): Debug: autocreate: Failed to create mailbox archiv: Permission denied
Jun 30 11:15:11 imap(test@example.com): Debug: Namespace archiv/test@example.com/: Using permissions from /var/data/archiv/example.com/test: mode=0700 gid=-1
Jun 30 11:15:11 imap(test@example.com): Debug: acl vfile: file /var/data/mail/example.com/test/dovecot-acl not found
I'm wondering about "...dovecot-acl not found", because Dovecot creates a file "dovecot-acl-list":
# ls -l /var/data/archiv/example.com/test/
drwx------ 5 dovecot dovecot 4096 30. Jun 10:30 archiv
-rw------- 1 dovecot dovecot    0 30. Jun 10:30 dovecot-acl-list
Must the ACL first be initialized? My first try also fails:
doveadm acl set -u test@example.com archiv/test@example.com/archiv test@example.com lrw
doveadm(test@example.com): Fatal: Invalid ID: test@example.com
It's not clear to me what kind of ID doveadm needs...
I use 2.0.13 for testing. I put my config at the end of the mail.
I'd be happy if someone can point me in the right direction, where I make the mistake.
Best regards
Udo
# 2.0.13: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.39-2.slh.1-aptosid-amd64 x86_64 Debian wheezy/sid
auth_debug = yes
auth_socket_path = /var/run/dovecot/auth-userdb
auth_verbose = yes
auth_verbose_passwords = plain
first_valid_gid = 119
first_valid_uid = 110
info_log_path = /var/log/dovecot.log
last_valid_uid = 119
lda_mailbox_autocreate = yes
mail_debug = yes
mail_gid = 119
mail_plugins = acl autocreate quota
mail_uid = 110
mbox_very_dirty_syncs = yes
namespace {
  inbox = yes
  list = yes
  location = maildir:/var/data/mail/%d/%n:INDEX=/var/data/indexes/mail/%u:LAYOUT=fs
  prefix =
  separator = /
  subscriptions = yes
  type = private
}
namespace {
  inbox = no
  list = yes
  location = maildir:/var/data/archiv/%d/%n:INDEX=/var/data/indexes/archiv/%u:LAYOUT=fs
  prefix = archiv/%u/
  separator = /
  subscriptions = yes
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/data/dovecot/shared-mailboxes
  autocreate = Trash
  autocreate2 = Spam
  autocreate3 = Drafts
  autocreate4 = Sent
  autocreate5 = archiv/%u/archiv
  autosubscribe = Trash
  autosubscribe2 = Spam
  autosubscribe3 = Drafts
  autosubscribe4 = Sent
  autosubscribe5 = archiv/%u/archiv
  quota = dict:User quota::proxy::quota
  quota_rule2 = Trash:storage=+55M
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = " imap lmtp pop3"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postdrop
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = dovecot
    mode = 0660
    user = dovecot
  }
}
service dict {
  unix_listener dict {
    group = dovecot
    mode = 0660
    user = dovecot
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
ssl_cert =
Hi, I'm answering myself to give other people a hint who have a similar problem (or rather, similar "no experience" with Dovecot).
On 30.06.2011 12:01, Udo Lembke wrote:
Hi, I'm a Dovecot newbie and also new to this mailing list. I'm trying to configure a mail server with dovecot2, postfix and postfixadmin. At this time I struggle with ACL and shared namespaces. ...
At this time I know a little bit more (it's always good to read the docs). I changed my layout to: private mailbox, private archive area and public shared area (because of trouble seeing shared folders from other accounts). The public shared area is symlinked below the archiv area:
ls -lsa archiv/example.org/test4/
insgesamt 16
4 drwx------ 3 dovecot dovecot 4096 5. Jul 11:40 .
4 drwx------ 3 dovecot dovecot 4096 5. Jul 11:27 ..
4 drwx------ 2 dovecot dovecot 4096 5. Jul 11:27 archiv
4 -rw------- 1 dovecot dovecot  108 5. Jul 11:40 dovecot-acl-list
0 lrwxrwxrwx 1 root    root      16 5. Jul 11:27 public -> /var/data/public
The problem is that the ACLs are not recognized: the ACL should forbid access, but access is possible.
This shows the telnet IMAP session:
. list "" "*"
* LIST (\HasNoChildren) "/" "Drafts"
* LIST (\HasNoChildren) "/" "Spam"
* LIST (\HasNoChildren) "/" "Sent"
* LIST (\HasNoChildren) "/" "Trash"
* LIST (\HasNoChildren) "/" "INBOX"
* LIST (\Noselect \HasChildren) "/" "public"
* LIST (\Noselect \HasChildren) "/" "archiv/test4@example.org"
* LIST (\Noselect \HasChildren) "/" "archiv/test4@example.org/public"
* LIST (\Noselect \HasChildren) "/" "archiv/test4@example.org/public/kunde_2"
* LIST (\HasNoChildren) "/" "archiv/test4@example.org/public/kunde_2/Kundenmails"
* LIST (\Noselect \HasChildren) "/" "archiv/test4@example.org/public/kunde_3"
* LIST (\HasNoChildren) "/" "archiv/test4@example.org/public/kunde_3/Kundenmails"
* LIST (\Noselect \HasNoChildren) "/" "archiv/test4@example.org/archiv"
. OK List completed.
During the listing I got the error:
Jul 05 12:21:41 imap(test4@example.org): Debug: acl: No lookup right to mailbox: public/kunde_2
Jul 05 12:21:41 imap(test4@example.org): Debug: acl: No lookup right to mailbox: public/kunde_2/Kundenmails
Jul 05 12:21:41 imap(test4@example.org): Debug: acl: No lookup right to mailbox: public/kunde_3
Jul 05 12:21:41 imap(test4@example.org): Debug: acl: No lookup right to mailbox: public/kunde_3/Kundenmails
This is right, but why were the mailboxes shown (and also fully accessible)? The ACL files:
cat public/dovecot-acl
#anyone lr
cat public/kunde_2/dovecot-acl
user=ulembke@example.org lrwstipeka
user=test3@example.org lrwstipeka
cat public/kunde_2/Kundenmails/dovecot-acl
user=test3@example.org akeilprwts
user=ulembke@example.org akeilprwts
cat public/kunde_3/dovecot-acl
user=ulembke@example.org lrwstipeka
user=test2@example.org lrwstipeka
anyone
The ACL entry in the config:
plugin {
  acl = vfile
}
# To let users LIST mailboxes shared by other users, Dovecot needs a
# shared mailbox dictionary. For example:
plugin {
  acl_shared_dict = file:/var/data/dovecot/shared-mailboxes/%u
}
I have read that acl_shared_dict with an SQL backend works better than vfile. Does anybody use plain vfile for that?
The public namespace:
namespace {
  type = public
  separator = /
  prefix = "public/"
  location = maildir:/var/data/public:INDEX=/var/data/indexes/public/%u:LAYOUT=fs
  inbox = no
  hidden = no
  subscriptions = no
  list = yes
}
The other config should be the same as in the first post.
Any hint?
Best regards
Udo (perhaps i stick to cyrus)
The problem with the not recognized ACL files is solved.
It's a bad idea to use a link from one shared/public area to another.
On 05.07.2011 12:47, Udo Lembke wrote:
... The public shared area is symlinked below the archiv area:
ls -lsa archiv/example.org/test4/
insgesamt 16
4 drwx------ 3 dovecot dovecot 4096 5. Jul 11:40 .
4 drwx------ 3 dovecot dovecot 4096 5. Jul 11:27 ..
4 drwx------ 2 dovecot dovecot 4096 5. Jul 11:27 archiv
4 -rw------- 1 dovecot dovecot  108 5. Jul 11:40 dovecot-acl-list
0 lrwxrwxrwx 1 root    root      16 5. Jul 11:27 public -> /var/data/public
After removing the link, the list command shows the right result:
The problem is that the ACLs are not recognized: the ACL should forbid access, but access is possible.
This shows the telnet IMAP session:
. list "" "*"
* LIST (\HasNoChildren) "/" "Drafts"
* LIST (\HasNoChildren) "/" "Spam"
* LIST (\HasNoChildren) "/" "Sent"
* LIST (\HasNoChildren) "/" "Trash"
* LIST (\HasNoChildren) "/" "INBOX"
* LIST (\Noselect \HasChildren) "/" "public"
* LIST (\Noselect \HasChildren) "/" "archiv/test4@example.org"
* LIST (\Noselect \HasChildren) "/" "archiv/test4@example.org/public"
* LIST (\Noselect \HasChildren) "/" "archiv/test4@example.org/public/kunde_2"
* LIST (\HasNoChildren) "/" "archiv/test4@example.org/public/kunde_2/Kundenmails"
* LIST (\Noselect \HasChildren) "/" "archiv/test4@example.org/public/kunde_3"
* LIST (\HasNoChildren) "/" "archiv/test4@example.org/public/kunde_3/Kundenmails"
* LIST (\Noselect \HasNoChildren) "/" "archiv/test4@example.org/archiv"
. OK List completed.
. list "" "*"
* LIST (\HasNoChildren) "/" "Drafts"
* LIST (\HasNoChildren) "/" "Spam"
* LIST (\HasNoChildren) "/" "Sent"
* LIST (\HasNoChildren) "/" "Trash"
* LIST (\HasNoChildren) "/" "INBOX"
* LIST (\Noselect \HasChildren) "/" "public"
* LIST (\Noselect \HasChildren) "/" "archiv/test4@example.org"
* LIST (\Noselect \HasNoChildren) "/" "archiv/test4@example.org/archiv"
. OK List completed.
Udo
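An added audit helper for the two problems in this thread (my example, not code from the thread or from Dovecot): it walks a LAYOUT=fs mailbox tree, parses each dovecot-acl vfile, reports whether a given user ends up with the lookup ('l') right, flags bare identifiers such as the "anyone" line without rights in public/kunde_3, and flags symlinked children that resolve outside the namespace root, the link that made the public folders appear under archiv/. It assumes that the rights of all entries matching a user (anyone, authenticated, user=<name>) are merged, and it builds a constructed temporary tree mirroring the thread's ACL files rather than reading a live mail store.

```python
import os, tempfile
from pathlib import Path

RIGHTS = set("lrwstipekxa")  # Dovecot ACL right letters

def parse_acl(text):
    """Parse dovecot-acl lines of the form '<identifier> <rights>'; '#' starts a comment."""
    entries = []
    for parts in (l.split() for l in text.splitlines()):
        if parts and not parts[0].startswith("#"):
            # a bare identifier such as "anyone" with no rights is recorded as malformed (None)
            entries.append((parts[0], set(parts[1]) & RIGHTS if len(parts) == 2 else None))
    return entries

def effective_rights(entries, user):
    """Union of rights over entries matching the user (assumption: matching entries are merged)."""
    match = {"anyone", "authenticated", "user=" + user}
    return set().union(*(r for i, r in entries if r is not None and i in match))

def audit(root, user):
    """Per mailbox directory: ACL presence, lookup right, malformed lines, symlinks escaping root."""
    root = Path(root).resolve()
    report = {}
    for dirpath, dirnames, _ in os.walk(root):  # os.walk does not descend into symlinks
        d = Path(dirpath)
        acl = d / "dovecot-acl"
        entries = parse_acl(acl.read_text()) if acl.is_file() else []
        report[str(d.relative_to(root))] = {
            "acl_file": acl.is_file(),
            "lookup": "l" in effective_rights(entries, user),
            "malformed": [i for i, r in entries if r is None],
            "escaping_symlinks": [n for n in dirnames if (d / n).is_symlink()
                                  and root not in (d / n).resolve().parents],
        }
    return report

def build_demo():
    """Constructed tree (not the poster's data) mirroring the thread's public/ ACLs and symlink."""
    tmp = Path(tempfile.mkdtemp())
    files = {"public/dovecot-acl": "#anyone lr\n",
             "public/kunde_2/dovecot-acl": "user=ulembke@example.org lrwstipeka\nuser=test3@example.org lrwstipeka\n",
             "public/kunde_3/dovecot-acl": "user=ulembke@example.org lrwstipeka\nuser=test2@example.org lrwstipeka\nanyone\n"}
    for rel, body in files.items():
        (tmp / rel).parent.mkdir(parents=True, exist_ok=True)
        (tmp / rel).write_text(body)
    (tmp / "public/kunde_2/Kundenmails").mkdir()
    (tmp / "archiv/example.org/test4").mkdir(parents=True)
    (tmp / "archiv/example.org/test4/public").symlink_to(tmp / "public")  # the link from the thread
    return tmp
```

Run audit() once per namespace root (here the constructed public/ and archiv/ trees); a non-empty "escaping_symlinks" list is the condition the third post resolved by removing the link.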