[Dovecot] Dovecot v1.2 share user Maildir problems with %%h
Hello,
I'm using Dovecot v1.2 9133:f65112bd90b3 with attached config and try to share user Maildirs. The ACLs are working.
However the %%h gives me headaches, well, the location in general:
I've copied the default mail_location and changed its CONTROL and INDEX settings:
namespace shared { ...
location = maildir:%%h/Maildir:CONTROL=/var/cache/dovecot/%i/control/shared/%%u:INDEX=/var/cache/dovecot/%i/index/shared/%%u
}
Now the first woes are that:
a) IMAP insists to connect to $install_prefix/var/run/dovecot/auth-master instead of /var/run/dovecot/auth-master used by deliver.
My workaround was to symlink /var/run/dovecot/ to $install_prefix/var/run/dovecot/
b) This socket needs to be r/w for every user, which is a security risk as mentioned in the conf and the default permission is 0600.
For deliver I changed the socket attr to permission 0660 and group=mail; for making %%h work I added mail_access_groups=mail
c) The user's mailbox is not found still, because:
2009-06-17 15:04:57 auth(default): Info: master in: USER 1 testusr/INBOX service=internal
2009-06-17 15:04:57 auth(default): Info: auth(?): Invalid username: testusr/INBOX
2009-06-17 15:04:57 auth(default): Info: userdb(?): Username contains disallowed character: 0x2f
2009-06-17 15:04:57 auth(default): Info: master out: NOTFOUND 1
The imap process passes the mailbox to the authenticator, too. Also, it changes the '.' to '/', although rawlog has:
select "shared.testusr.INBOX"
If I allow "/" as userchar, I get:
2009-06-17 15:43:00 auth(default): Info: ldap(testusr/INBOX): Unknown user
2009-06-17 15:43:00 auth(default): Info: master out: NOTFOUND 1
It really requests the data of user "testusr/INBOX".
d) If I use
location = maildir:/home/%%u/Maildir:
instead of %%h/Maildir, things work _except_ that some users' %%h != /home/%%u .
==============
Basically I have yet another problem with location in the user-share namespace:
Because one can override the default mail_location for each user, I did so for some users. Some of them do not even have the Maildir. That leads to the problem that I need one shared namespace for each location template.
There had been a suggestion of a special user-shared namespace a while back. How about adding the base location to the shared-mailboxes.db? So instead of "1" the value is the base of the shared location, e.g. maildir:/local/testuser or maildir:/home/user/Maildir..., and some %%? token takes the string from there. Because the path is known from the db now, the other problems mentioned above no longer apply.
Bye,
Steffen Kaiser
On Wed, 17 Jun 2009, Steffen Kaiser wrote:
> I'm using Dovecot v1.2 9133:f65112bd90b3 with attached config and try to
The correct changeset is:
changeset: 9127:01fae3737994
branch: HEAD
tag: tip
user: Timo Sirainen tss@iki.fi
date: Mon Jun 15 19:38:30 2009 -0400
summary: acl: Don't assert-crash if removing all rights.
Steffen Kaiser
On Wed, 2009-06-17 at 16:38 +0200, Steffen Kaiser wrote:
> I've copied the default mail_location and changed its CONTROL and INDEX settings:
> namespace shared { ...
What does this "..." contain? :) Like prefix, separator?
> a) IMAP insists to connect to $install_prefix/var/run/dovecot/auth-master instead of /var/run/dovecot/auth-master used by deliver.
It connects to base_dir/var/run/dovecot/ where base_dir is the setting in dovecot.conf.
> b) This socket needs to be r/w for every user, which is a security risk as mentioned in the conf and the default permission is 0600.
It allows looking up userdb data, which is pretty similar to being able to do cat /etc/passwd. So not a huge security risk, but..
> For deliver I changed the socket attr to permission 0660 and group=mail; for making %%h work I added mail_access_groups=mail
I would have used a different group than "mail", since it's often used by the system for other things too.
> There had been a suggestion of a special user-shared namespace a while back. How about to add the base location in the shared-mailboxes.db? So instead of "1" the value is the base of the shared location, e.g. maildir:/local/testuser or maildir:/home/user/Maildir..., and some %%? token takes the string from there. Because the path is known from the db now, the other problems mentioned above do no longer apply.
And when the path is changed in userdb, it points to a wrong location.
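The socket-permission point raised in this exchange (default 0600, loosened to 0660 with group "mail", and the advice to use a dedicated group instead) can be turned into a routine check. The following is an added example, not code from the thread or from Dovecot; the list of "broad" group names and the default socket path are assumptions.

```python
"""Audit the mode and owning group of Dovecot's auth-master userdb socket.

Added example, not from the thread or from Dovecot.  Flags a socket that
is world-accessible (any local user could query userdb, roughly like
reading /etc/passwd) or that is shared through a broad system group
rather than a group dedicated to the mail processes.
"""
import grp
import os
import stat

# Groups that many unrelated daemons or users tend to belong to (assumption).
BROAD_GROUPS = frozenset({"mail", "users", "staff", "wheel", "daemon"})


def classify_socket(mode, group, expected_group=None):
    """Return findings for permission bits `mode` (e.g. 0o660) and the
    socket's owning group name.  `expected_group` is the group given to
    the imap processes via mail_access_groups, if known."""
    findings = []
    perm = stat.S_IMODE(mode)
    if perm & stat.S_IRWXO:
        findings.append("world-accessible: mode %o lets any local user query userdb" % perm)
    if perm & (stat.S_IRGRP | stat.S_IWGRP):
        if group in BROAD_GROUPS:
            findings.append("group %r is a broad system group; use a dedicated group" % group)
        if expected_group is not None and group != expected_group:
            findings.append("group %r does not match mail_access_groups=%s"
                            % (group, expected_group))
    return findings


def audit_socket(path, expected_group=None):
    """stat() the socket at `path` and classify it; raises if not a socket."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError("%s is not a socket" % path)
    group = grp.getgrgid(st.st_gid).gr_name
    return classify_socket(st.st_mode, group, expected_group)


if __name__ == "__main__":
    import sys
    # Path from the thread; adjust if base_dir differs on your install.
    sock = sys.argv[1] if len(sys.argv) > 1 else "/var/run/dovecot/auth-master"
    for finding in audit_socket(sock, expected_group="mail"):
        print("WARN", finding)
```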
On Wed, 17 Jun 2009, Timo Sirainen wrote:
>> I've copied the default mail_location and changed its CONTROL and INDEX settings:
>> namespace shared { ...
> What does this "..." contain? :) Like prefix, separator?
My complete conf is attached at the original mail.
>> a) IMAP insists to connect to $install_prefix/var/run/dovecot/auth-master instead of /var/run/dovecot/auth-master used by deliver.
> It connects to base_dir/var/run/dovecot/ where base_dir is the setting in dovecot.conf.
It's install_prefix. The log says:
IMAP(user) [10363]: Error: userdb lookup: connect(/usr/local/dovecot-1.2.rc5unpatched/var/run/dovecot/auth-master) failed: Permission denied
But the conf has:
base_dir: /var/run/dovecot/
Also, auth default | socket | master contains the setting: path: /var/run/dovecot/auth-master
Deliver works with this conf without the symlink.
> I would have used a different group than "mail", since it's often used by the system for other things too.
Hmm, I'll investigate where the group "mail" comes from.
>> There had been a suggestion of a special user-shared namespace a while back. How about to add the base location in the shared-mailboxes.db? So instead of "1" the value is the base of the shared location, e.g. maildir:/local/testuser or maildir:/home/user/Maildir..., and some %%? token takes the string from there. Because the path is known from the db now, the other problems mentioned above do no longer apply.
> And when the path is changed in userdb, it points to a wrong location.
Well,
a) as there is no way to return/use the mail_location of the sharing user, the location is possibly wrong anyway, because mail_location is not necessarily derived from the user's home in the same way always.
b) I considered mail_location stable after setup. But you are right that this is not necessarily so. One would need some sort of bookkeeping to keep the redundant data in shared-mailboxes.db in sync.
Bye,
Steffen Kaiser
On Thu, 2009-06-18 at 09:44 +0200, Steffen Kaiser wrote:
> It's install_prefix. The log says: IMAP(user) [10363]: Error: userdb lookup: connect(/usr/local/dovecot-1.2.rc5unpatched/var/run/dovecot/auth-master) failed: Permission denied
Fixed: http://hg.dovecot.org/dovecot-1.2/rev/a0fcbb79ef66
Fixed also your primary problem: http://hg.dovecot.org/dovecot-1.2/rev/c4ac007d4e0b
On Sun, 21 Jun 2009, Timo Sirainen wrote:
many thanks! The ACL problems went away with rc6.
Bye,
Steffen Kaiser