[Dovecot] Global ACL configuration problems: mailboxes not visible, set ACLs not honoured
Hi list,
I am having trouble getting global ACLs to work correctly. This is, I assume, an issue separate from the one I reported a few days ago [1], where the imap process crashes when creating subfolders of folders with an ACL set.
As you can see from my 'dovecot -n' output below I have three namespaces; two private ("Backup" and the default, empty one) and one public ("Public"). I also use the autocreate plugin to create a few standard folders. Those folders, along with some others, should have some special permissions and restrictions in place. I.e. messages must not be deletable, the mailbox itself may not be deleted, etc.
I want to use global ACLs so that I don't have to put a dovecot-acl file in every folder that I want to have an ACL set. Thus, according to the wiki, if I have set
acl:vfile:/etc/dovecot/acls
I can create files named "Sent", "Trash", "Drafts", "INBOX.Spam" and "Backup.sent", "Backup.received", "Public.Spam", "Public.Ham" in the directory /etc/dovecot/acls. These files contain the ACL, such as "owner lrp", "owner lrwsipk" and "authenticated lrwstipk". Any and all "dovecot-acl-list" files have been deleted before testing and reproducing that problem again just now.
Is there anything more to it? I ask, because I can't seem to get it to work correctly using this approach with global ACLs. Problems include:
- Can't get the mailboxes "Spam" and "Ham" under the "Public" namespace to show up in the mail client (Thunderbird, KMail, Horde/IMP) at all. These have the ACL "authenticated lrwstipk" set, so they should be visible to authenticated clients, shouldn't they? All I see is the namespace with no mailboxes beneath it.
- Deleting messages from the "Backup.sent" or "Backup.received" mailboxes is possible from Thunderbird, KMail and Horde/IMP, despite having the ACL "owner rlp" set, which, if I understand correctly, should only allow users to lookup, read and post to the mailing list via LDA/Sieve.
What am I doing wrong? It seems to me that the global ACL files for namespaces other than the empty one are not at all considered? Do I have to use another notation for the ACL file names?
Any help is much appreciated.
Thanks in advance!
Configuration information follows.
Contents of /etc/dovecot/acl (one file per mailbox, file name followed by its content):
Backup.received: owner rlp
Backup.sent: owner rlp
Drafts: owner lrwstipk
INBOX.Spam: owner lrwstipk
Public.Ham: authenticated lrwstipk
Public.Spam: authenticated lrwstipk
Sent: owner lrwstipk
Trash: owner lrwstipk
'dovecot -n' output:
# 1.2.4: /usr/local/etc/dovecot.conf
# OS: Linux 2.6.26-2-686 i686 Debian 5.0.2
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: managesieve imap imaps pop3 pop3s
login_dir: /usr/local/var/run/dovecot/login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
login_executable(managesieve): /usr/local/libexec/dovecot/managesieve-login
mail_access_groups: mail
mail_privileged_group: mail
mail_location: maildir:~/Maildir
mail_drop_priv_before_exec: yes
mail_executable(default): /usr/local/libexec/dovecot/imap
mail_executable(imap): /usr/local/libexec/dovecot/imap
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_executable(managesieve): /usr/local/libexec/dovecot/managesieve
mail_plugins(default): autocreate acl
mail_plugins(imap): autocreate acl
mail_plugins(pop3):
mail_plugins(managesieve):
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
mail_plugin_dir(managesieve): /usr/local/lib/dovecot/managesieve
namespace:
  type: public
  separator: .
  prefix: Public.
  location: maildir:/var/mail/public:CONTROL=~/Maildir/control/public:INDEX=~/Maildir/index/public
  list: yes
namespace:
  type: private
  separator: .
  prefix: Backup.
  location: maildir:~/Maildir-backup
  hidden: yes
  list: no
namespace:
  type: private
  separator: .
  inbox: yes
  list: yes
  subscriptions: yes
lda:
  log_path:
  info_log_path:
  auth_socket_path: /var/run/dovecot/auth-master
  postmaster_address: postmaster@mailtest0.rise-s.com
  mail_plugins: sieve acl
auth default:
  mechanisms: plain login
  passdb:
    driver: pam
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  userdb:
    driver: passwd
  userdb:
    driver: static
    args: uid=vmail gid=vmail home=/var/vmail/%Ld/%Ln allow_all_users=yes
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
plugin:
  sieve: ~/.dovecot.sieve
  sieve_dir: ~/sieve
  sieve_global_path: /etc/dovecot/sieve/default.sieve
  sieve_global_dir: /etc/dovecot/sieve/global/
  sieve_before: /etc/dovecot/sieve/before/
  autocreate: Trash
  autocreate2: Drafts
  autocreate3: Sent
  autocreate4: INBOX.Spam
  autosubscribe: Trash
  autosubscribe2: Drafts
  autosubscribe3: Sent
  autosubscribe4: INBOX.Spam
  acl: vfile:/etc/dovecot/acl
[1] http://dovecot.org/list/dovecot/2009-August/042467.html
Andreas Ntaflos Vienna, Austria
GPG Fingerprint: 6234 2E8E 5C81 C6CB E5EC 7E65 397C E2A8 090C A9B4
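The two problems in the post (a mailbox that is not listed, and messages that can be deleted despite "owner rlp") both come down to which right letters an ACL entry grants to a given user. The following is an added example, not code from the thread or from Dovecot: it parses dovecot-acl style "identifier rights" lines and reports what a user would end up with under a simplified model of the acl plugin's rules. The right letters (l r w s t i p e k x a) and identifiers (anyone, authenticated, owner, user=, group=, with a leading "-" removing rights) follow the Dovecot ACL documentation; the precedence between overlapping entries is an assumption (applied in file order) and is not a faithful reproduction of Dovecot's resolver, so use it to sanity-check the letters in a file, not as an oracle.

```python
"""Sanity-check what a dovecot-acl style file grants (simplified model).

Added example, not part of the mailing-list thread or of Dovecot itself.
Assumption: entries are applied in file order, '-' entries subtract.
"""

# Right letters as documented for Dovecot's acl plugin.
RIGHT_NAMES = {
    "l": "lookup (mailbox shows up in LIST/LSUB)",
    "r": "read (SELECT/EXAMINE, FETCH)",
    "w": "write (flags other than \\Seen and \\Deleted)",
    "s": "write-seen (set \\Seen)",
    "t": "write-deleted (set \\Deleted)",
    "i": "insert (APPEND, COPY into the mailbox)",
    "p": "post (delivery via LDA/Sieve)",
    "e": "expunge (remove messages marked \\Deleted)",
    "k": "create (create child mailboxes)",
    "x": "delete (delete the mailbox itself)",
    "a": "admin (change the ACL)",
}


def parse_acl(text):
    """Parse 'identifier rights' lines; returns [(identifier, negative, rights)]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # tolerate trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed ACL line: {raw!r}")
        ident, rights = parts
        negative = ident.startswith("-")
        ident = ident.lstrip("-")
        unknown = set(rights) - set(RIGHT_NAMES)
        if unknown:
            raise ValueError(f"unknown right letters {sorted(unknown)} in {raw!r}")
        entries.append((ident, negative, set(rights)))
    return entries


def matches(ident, username, is_owner, groups):
    """Does an identifier apply to this user? (assumed matching rules)"""
    if ident == "anyone":
        return True
    if ident == "authenticated":
        return username is not None  # None models an anonymous login
    if ident == "owner":
        return is_owner
    if ident.startswith("user="):
        return ident[len("user="):] == username
    if ident.startswith(("group=", "group-override=")):
        return ident.split("=", 1)[1] in groups
    return False


def effective_rights(acl_text, username, is_owner=False, groups=()):
    """Union of matching grants, minus matching '-' entries, in file order."""
    rights = set()
    for ident, negative, letters in parse_acl(acl_text):
        if not matches(ident, username, is_owner, groups):
            continue
        rights = rights - letters if negative else rights | letters
    return rights


def explain(acl_text, username, is_owner=False, groups=()):
    """Summarise the questions a mail admin usually asks about one ACL."""
    r = effective_rights(acl_text, username, is_owner, groups)
    return {
        "rights": "".join(sorted(r)),
        "visible": "l" in r,                       # no 'l' => not listed
        "can_delete_messages": {"t", "e"} <= r,    # needs \Deleted + EXPUNGE
        "can_delete_mailbox": "x" in r,
    }


if __name__ == "__main__":
    # Constructed file contents modelled on the thread's examples.
    backup_sent = "owner rlp\n"
    public_ham = "authenticated lrwstipk\n"
    print("Backup.sent, owner     :", explain(backup_sent, "andreas", is_owner=True))
    print("Public.Ham, logged in  :", explain(public_ham, "andreas"))
    print("Public.Ham, anonymous  :", explain(public_ham, None))
```

Run against the thread's own entries, "owner rlp" yields l, p and r only, so a client that can still delete messages is not being governed by that file at all (the model cannot tell you why, but it confirms the letters are not the problem), and "authenticated lrwstipk" grants l, so a logged-in user should see the mailbox; if it is not listed, the file is not being found for that namespace. Note also that lrwstipk contains t but not e, so a client could mark messages \Deleted but not expunge them.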
On Tue, Sep 01, 2009 at 11:34:16AM +0200, Andreas Ntaflos wrote:
Is there anything more to it? I ask, because I can't seem to get it to work correctly using this approach with global ACLs. Problems include:
- Can't get the mailboxes "Spam" and "Ham" under the "Public" namespace to show up in the mail client (Thunderbird, KMail, Horde/IMP) at all. These have the ACL "authenticated lrwstipk" set, so they should be visible to authenticated clients, shouldn't they? All I see is the namespace with no mailboxes beneath it.
Hi Andreas,
did you try enabling the logging option 'mail_debug = yes'? It should then verbosely log ACLs read while accessing the folders. How about the files 'dovecot-acl' and 'dovecot-acl-list'? Are they present in your public root? The latter should have been automatically created once the subdirs have working ACLs.
Regards Thomas