[Dovecot] Sharing all mailboxes and userdb LDAP attrs
Hello all,
I'm setting up a Dovecot environment here, version 1.2.15 on Debian 6.0.2 "squeeze". This is actually a complete revamp of the previous setup we have in-place here, built from the ground up with updated versions of all involved software.
The operators have told me that they use some scripts hacked up by a previous sysadmin to give a single "admin" account full access to all user mail. That is, if any user runs into problems, they: 1. Call in; 2. The operator logs in as the admin user; 3. Operator performs maintenance duties on user email.
I've been researching the possibility of using Dovecot shared namespaces to perform that very same task in a better fashion in this new server. So far, I've been able to globally share users' INBOXes and view them from a single admin account (through user= entries on global acl's). My ultimate goal, however, is to have access to all user mailboxes with any user that's a member of a particular group, adding all operators to that group as needed.
First question, then, is this one: how can I give global access to all user mailboxes? I've read that it's possible to give access to all subfolders of a particular folder through the use of a .DEFAULT acl. That didn't seem to work with the uppermost directory, however. Here's what I tried:
root@mail:/etc/dovecot# dovecot -a | grep acl:
acl: vfile:/etc/dovecot/acl:cache_secs=300
root@mail:/etc/dovecot# cat acl/.DEFAULT
owner lrwstipekxa
user=admin lrwstipekxa
Renaming .DEFAULT to INBOX does achieve the intended goal, but only for the INBOX folder evidently.
Second question is somewhat simpler. So far I've been using a single admin user, but I'd like to switch to using an admin group in the future. I've read that the best way to do that would be to use the user_attrs entry in my dovecot-ldap.conf file, while using a userdb ldap. The groups should be strings separated by commas in the appropriate attribute, from what I understand.
Is there any readily-available or recommended schema I can use to fill up that attribute? I'm using the default ones (plus samba.schema) but I've seen mostly space to fit GIDs, not group names.
Thanks in advance, fbscarel
PS: Here's my dovecot -a output, should it be needed.
root@mailaluno:~# dovecot -a
# 1.2.15: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.2
base_dir: /var/run/dovecot
log_path: /var/log/dovecot/error.log
info_log_path: /var/log/dovecot/info.log
log_timestamp: %Y-%m-%d %H:%M:%S
syslog_facility: mail
protocols: imap pop3 pop3s managesieve
listen(default): *
listen(imap): *
listen(pop3): *
listen(managesieve): localhost:2000
ssl_listen: 127.0.0.1
ssl: yes
ssl_ca_file:
ssl_cert_file: /etc/ssl/certs/dovecot.pem
ssl_key_file: /etc/ssl/private/dovecot.pem
ssl_key_password:
ssl_parameters_regenerate: 168
ssl_cipher_list:
ssl_cert_username_field: commonName
ssl_verify_client_cert: no
disable_plaintext_auth: no
verbose_ssl: yes
shutdown_clients: yes
nfs_check: yes
version_ignore: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
login_executable(managesieve): /usr/lib/dovecot/managesieve-login
login_user: dovecot
login_greeting: Server ready.
login_log_format_elements: user=<%u> method=%m rip=%r lip=%l %c
login_log_format: %$: %s
login_process_per_connection: no
login_chroot: yes
login_trusted_networks:
login_process_size: 64
login_processes_count: 5
login_max_processes_count: 128
login_max_connections: 256
valid_chroot_dirs:
mail_chroot:
max_mail_processes: 512
mail_max_userip_connections: 10
verbose_proctitle: no
first_valid_uid: 108
last_valid_uid: 0
first_valid_gid: 112
last_valid_gid: 0
mail_access_groups:
mail_privileged_group: mail
mail_uid:
mail_gid:
mail_location:
mail_cache_fields:
mail_never_cache_fields: imap.envelope
mail_cache_min_mail_count: 0
mailbox_idle_check_interval: 30
mail_debug: yes
mail_full_filesystem_access: no
mail_max_keyword_length: 50
mail_save_crlf: no
mmap_disable: no
dotlock_use_excl: yes
fsync_disable: no
mail_nfs_storage: no
mail_nfs_index: no
mailbox_list_index_disable: yes
lock_method: fcntl
maildir_stat_dirs: no
maildir_copy_with_hardlinks: yes
maildir_copy_preserve_filename: no
maildir_very_dirty_syncs: no
mbox_read_locks: fcntl
mbox_write_locks: fcntl dotlock
mbox_lock_timeout: 300
mbox_dotlock_change_timeout: 120
mbox_min_index_size: 0
mbox_dirty_syncs: yes
mbox_very_dirty_syncs: no
mbox_lazy_writes: yes
dbox_rotate_size: 2048
dbox_rotate_min_size: 16
dbox_rotate_days: 1
mail_drop_priv_before_exec: no
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_executable(managesieve): /usr/lib/dovecot/managesieve
mail_process_size: 256
mail_plugins(default): quota imap_quota trash mail_log acl imap_acl
mail_plugins(imap): quota imap_quota trash mail_log acl imap_acl
mail_plugins(pop3): quota mail_log
mail_plugins(managesieve):
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
mail_plugin_dir(managesieve): /usr/lib/dovecot/modules/managesieve
mail_log_prefix: %Us(%u):
mail_log_max_lines_per_sec: 0
imap_max_line_length: 65536
imap_capability:
imap_client_workarounds:
imap_logout_format: bytes=%i/%o
imap_id_send:
imap_id_log:
imap_idle_notify_interval: 120
pop3_no_flag_updates: no
pop3_enable_last: no
pop3_reuse_xuidl: no
pop3_save_uidl: no
pop3_lock_session: no
pop3_uidl_format: %08Xu%08Xv
pop3_client_workarounds:
pop3_logout_format: top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
dict_db_config:
dict_process_count: 1
managesieve_max_line_length: 65536
managesieve_logout_format: bytes=%i/%o
managesieve_implementation_string: dovecot
namespace:
  type: private
  separator: /
  prefix:
  location: maildir:/vmail/%Ln/Maildir
  alias_for:
  inbox: yes
  hidden: no
  list: yes
  subscriptions: yes
namespace:
  type: shared
  separator: /
  prefix: shared/%%n/
  location: maildir:/vmail/%%n/Maildir:INDEX=/vmail/%n/Maildir/shared/%%n
  alias_for:
  inbox: no
  hidden: no
  list: yes
  subscriptions: no
lda:
  postmaster_address: xxx@xxx
  mail_plugins: quota sieve trash acl
auth default:
  mechanisms: plain login
  realms:
  default_realm:
  cache_size: 0
  cache_ttl: 3600
  cache_negative_ttl: 3600
  executable: /usr/lib/dovecot/dovecot-auth
  user: vmail
  chroot:
  username_chars: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
  username_translation:
  username_format: %Lu
  master_user_separator: *
  anonymous_username: anonymous
  krb5_keytab:
  gssapi_hostname:
  winbind_helper_path: /usr/bin/ntlm_auth
  failure_delay: 2
  verbose: no
  debug: no
  debug_passwords: no
  ssl_require_client_cert: no
  ssl_username_from_cert: no
  use_winbind: no
  count: 1
  worker_max_count: 30
  process_size: 256
  passdb:
    driver: passwd-file
    args: /etc/dovecot/passwd.masterusers
    deny: no
    pass: no
    master: yes
  passdb:
    driver: shadow
    args:
    deny: no
    pass: no
    master: no
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
    deny: no
    pass: no
    master: no
  userdb:
    driver: passwd
    args:
  userdb:
    driver: static
    args: uid=vmail gid=vmail home=/vmail/%Ln allow_all_users=yes
  socket:
    type: listen
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
      group: vmail
plugin:
  quota: maildir:User quota
  quota_rule: *:storage=1G
  quota_rule2: Trash:storage=100M
  acl: vfile:/etc/dovecot/acl:cache_secs=300
  acl_shared_dict: file:/vmail/shared_mboxes
  trash: /etc/dovecot/dovecot-trash.conf
  mail_log_events: delete mailbox_delete
  mail_log_fields: uid box msgid size
  sieve: ~/.dovecot.sieve
  sieve_dir: ~/sieve
  sieve_before: /vmail/default.sieve
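Added example, not from the thread or from Dovecot itself: a toy Python model of how the ACL plugin combines vfile entries like the global ACL quoted above, extended with the group= identifier the poster is after. It assumes the operator's groups arrive as the comma-separated acl_groups userdb field (what a user_attrs mapping in dovecot-ldap.conf would populate) and that rights of all matching entries are unioned before negative entries are subtracted; the sample withholds the 'a' (admin) right from operators so they can read and repair mail without rewriting ACLs.

```python
# Toy model (added example, not Dovecot's code): Dovecot's ACL plugin unions
# all matching positive entries, then subtracts matching negative ('-') ones.
# Right letters in Dovecot's own order: lookup, read, write, seen, deleted,
# insert, post, expunge, create, delete, admin.
RIGHT_ORDER = "lrwstipekxa"

def parse_acl(text):
    """Parse 'identifier rights' lines into (negative, identifier, rights)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # skip comments and blank lines
        if not line:
            continue
        ident, _, rights = line.partition(" ")
        rights_set = set(rights.replace(" ", ""))
        unknown = rights_set - set(RIGHT_ORDER)
        if unknown:
            raise ValueError(f"unknown right(s) {sorted(unknown)} in {raw!r}")
        entries.append((ident.startswith("-"), ident.lstrip("-"), rights_set))
    return entries

def matches(ident, user, owner, groups):
    """Identifier kinds the ACL plugin knows ('authenticated' simplified)."""
    if ident in ("anyone", "authenticated"):
        return True
    if ident == "owner":
        return user == owner
    if ident.startswith("user="):
        return ident[len("user="):] == user
    if ident.startswith("group="):
        return ident[len("group="):] in groups
    return False

def effective_rights(acl_text, user, owner, groups=()):
    """Rights 'user' ends up with on a mailbox owned by 'owner'."""
    grant, deny = set(), set()
    for negative, ident, rights in parse_acl(acl_text):
        if matches(ident, user, owner, set(groups)):
            (deny if negative else grant).update(rights)
    return "".join(sorted(grant - deny, key=RIGHT_ORDER.index))

# Constructed sample: the thread's global ACL plus a group entry (groups come
# from the userdb acl_groups field); 'a' is withheld so operators can't edit ACLs.
GLOBAL_ACL = """\
owner lrwstipekxa
user=admin lrwstipekxa
group=operators lrwstipekxa
-group=operators a
"""
```

Running effective_rights(GLOBAL_ACL, "bob", "alice", ["operators"]) yields "lrwstipekx", while a user in no group gets nothing on someone else's mailbox.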
On 2011-08-19 12:14 PM, Felipe Scarel fbscarel@gmail.com wrote:
I'm setting up a Dovecot environment here, version 1.2.15 on Debian 6.0.2 "squeeze". This is actually a complete revamp of the previous setup we have in-place here, built from the ground up with updated versions of all involved software.
The operators have told me that they use some scripts hacked up by a previous sysadmin to give a single "admin" account full access to all user mail. That is, if any user runs into problems, they: 1. Call in; 2. The operator logs in as the admin user; 3. Operator performs maintenance duties on user email.
Isn't this what master users are for?
http://wiki2.dovecot.org/Authentication/MasterUsers
--
Best regards,
Charles
You know when you ask that stupid question and then realize you had it all along? Duh... And to top it off, I HAVE configured a master user on my Dovecot install and wasn't using it... man, do I feel stupid now! :)
Thanks a bunch Charles!
On Fri, Aug 19, 2011 at 13:44, Charles Marcus CMarcus@media-brokers.com wrote:
On 2011-08-19 12:14 PM, Felipe Scarel fbscarel@gmail.com wrote:
I'm setting up a Dovecot environment here, version 1.2.15 on Debian 6.0.2 "squeeze". This is actually a complete revamp of the previous setup we have in-place here, built from the ground up with updated versions of all involved software.
The operators have told me that they use some scripts hacked up by a previous sysadmin to give a single "admin" account full access to all user mail. That is, if any user runs into problems, they: 1. Call in; 2. The operator logs in as the admin user; 3. Operator performs maintenance duties on user email.
Isn't this what master users are for?
http://wiki2.dovecot.org/Authentication/MasterUsers
--
Best regards,
Charles