[Dovecot] Lock down Shared Mail Accounts?
On 3/5/2012 1:30 PM, Steve Campbell wrote:
> I've been looking at some documentation on shared mail accounts. But I'm getting mixed thoughts on how this can or should be done.
This brings up a question I have been meaning to ask.
One thing I want to do on my new converted system is to implement shared mail. There will be two different scenarios - users sharing 'folders', which looks to be fairly simple using virtual ACL files - but for the other scenario, I'm not sure about a specific requirement we will have...
I want to give multiple people shared access to some actual accounts with all of the special use folders, with the following requirements:
- They can all read/reply to new messages as they come in,
- They use shared \seen, \replied and \forwarded flags, so once someone else has read/dealt with a message, the others see that,
- When they reply to/forward a message, the Sent message gets saved to that account's 'Sent' folder,
- They can *move* messages to other folders in that account (i.e., 'file' them), and last
(this is the tricky part)
- No one other than a designated user or users (Master User(s)? Users in a specified Group?) can delete any messages in this account, in any of the folders.
These emails deal with financial transactions (AP and AR issues) and Faxes, thus the requirement to not be able to delete them.
Can this be accomplished with the current state of things? Or would this require some coding? If the latter, could it be done as a plug-in, or would it require changes to the core code?
Thanks,
--
Best regards,
Charles
> I want to give multiple people shared access to some actual accounts with all of the special use folders, with the following requirements:
I have done this (unsatisfactorily) by making it a normal mail account with normal login credentials. Add it like any other mail account. It then satisfies all your requirements, although: behind a NAT, on Thunderbird and with CONDSTORE, I sometimes see read/unread get out of sync... Believed to be a Thunderbird bug, but unsure. Easy to resync.
> - No one other than a designated user or users (Master User(s)? Users in a specified Group?) can delete any messages in this account, in any of the folders.
Have them delivered with only read permissions on the physical files? (Bet that doesn't work very well in practice or other than maildir...)
Interested to hear proper answers...
Ed W
On 7.3.2012, at 18.39, Ed W wrote:
> - No one other than a designated user or users (Master User(s)? Users in a specified Group?) can delete any messages in this account, in any of the folders.
> Have them delivered with only read permissions on the physical files? (Bet that doesn't work very well in practice or other than maildir...)
The maildir file's read permission doesn't matter, the parent cur/ or new/ directory's write permission matters. And removing those prevents moving mails from new/ to cur/ and from keeping the flag states in the filename.. Not very good.
On 3/7/2012 6:32 AM, Charles Marcus wrote:
> - No one other than a designated user or users (Master User(s)? Users in a specified Group?) can delete any messages in this account, in any of the folders.
If you are using ACLs, just don't give them the delete permission? But I guess now that I am thinking about it as I write, you did want them to be able to move the messages (which is really a copy + delete).
So... maybe not.
On 2012-03-07 1:04 PM, Willie Gillespie <wgillespie@es2eng.com> wrote:
> On 3/7/2012 6:32 AM, Charles Marcus wrote:
>> - No one other than a designated user or users (Master User(s)? Users in a specified Group?) can delete any messages in this account, in any of the folders.
> If you are using ACLs, just don't give them the delete permission? But I guess now that I am thinking about it as I write, you did want them to be able to move the messages (which is really a copy + delete).
> So... maybe not.
Right... although my understanding is that dovecot does indeed use mv (at least on linux) to do moves when using maildir, so maybe there is a way...
I'll wait and see what Timo says about this... no hurry, as I'm still in the design stage, this is just how I'd *like* it to work, but if it won't/can't, I'll figure something else out.
Thanks for the replies so far...
--
Best regards,
Charles
On 7.3.2012, at 15.32, Charles Marcus wrote:
> - They can *move* messages to other folders in that account (ie, 'file' them), and last
> (this is the tricky part)
> - No one other than a designated user or users (Master User(s)? Users in a specified Group?) can delete any messages in this account, in any of the folders.
There is unfortunately no "default ACL" feature currently. Although you could somewhat easily add an ugly hack to the code for that. And I guess it wouldn't be difficult to implement it, maybe by reading it from $mail_root/dovecot-acl-default file or something..
So without code changes you could:
- create all of the necessary folders
- set such ACLs that user can't create any more folders
- disallow expunging in all folders
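The three steps Timo lists, written out as a shell script. This is an added example, not code from the thread or from the Dovecot project: the account path, the group name ap-clerks and the user ap-manager are hypothetical. The ACL right letters are the ones the Dovecot ACL plugin documents (l lookup, r read, w write flags, s write \Seen, t write \Deleted, i insert, p post, e expunge, k create, x delete mailbox, a admin). Every folder of the account gets a dovecot-acl file that leaves the clerk group without e, k and x, so they can copy a message into another folder and flag the original \Deleted, but only the designated user can expunge it or add folders; the audit function flags any non-owner line that grants one of those rights. Since, as Willie notes, an IMAP move is copy + delete, a clerk's "move" leaves the source copy flagged \Deleted until the designated user expunges the folder.

```shell
#!/bin/sh
# Added example (not from the thread or the Dovecot project): build a shared
# Maildir++ account with a per-folder dovecot-acl file that withholds the
# expunge (e), create (k) and delete-mailbox (x) rights from a clerk group,
# then audit the ACL files. "ap-clerks", "ap-manager" and the account path
# are hypothetical names.
#
# Dovecot ACL right letters:
#   l lookup   r read   w write flags   s write \Seen   t write \Deleted
#   i insert   p post   e expunge   k create subfolders   x delete mailbox
#   a admin (change ACLs)
CLERK_RIGHTS="lrwsti"          # read, flag and copy into; no e, k or x
OWNER_RIGHTS="lrwstipekxa"     # the designated user keeps everything
OWNER="user=ap-manager"

# write_acls ROOT: create the fixed folder set under ROOT/Maildir and write a
# dovecot-acl file into each folder. The folder list is created up front
# because the clerks have no "k" right and cannot add folders later.
write_acls() {
    root="$1"
    for box in "" .Sent .Drafts .Trash .AP .AR .Faxes; do
        d="$root/Maildir${box:+/$box}"
        mkdir -p "$d/cur" "$d/new" "$d/tmp"
        printf 'group=ap-clerks %s\n%s %s\n' \
            "$CLERK_RIGHTS" "$OWNER" "$OWNER_RIGHTS" > "$d/dovecot-acl"
    done
}

# audit_acls ROOT: print every ACL line that grants e, k or x to anyone other
# than the designated owner. Returns 1 if such a line exists, 0 otherwise.
audit_acls() {
    root="$1"
    bad=0
    # vmail layouts and mktemp paths contain no whitespace, so word-splitting
    # the find output is acceptable here
    for f in $(find "$root/Maildir" -name dovecot-acl); do
        while read -r id rights; do
            case "$id" in
                "$OWNER"|"#"*|"") continue ;;   # owner line, comment, blank
            esac
            case "$rights" in
                *[ekx]*) echo "$f: $id has '$rights' (e/k/x must be owner-only)"; bad=1 ;;
            esac
        done < "$f"
    done
    return "$bad"
}

# Stand-alone use: sh shared-acl.sh /var/vmail/shared-ap
if [ -n "${1:-}" ]; then
    write_acls "$1" && audit_acls "$1"
fi
```

Run the audit again whenever someone edits an ACL by hand; a single `e` slipping into the group line is all it takes to let a clerk expunge an AP folder.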