[Dovecot] Debugging IMAP ACLs
Hello,
I upgraded my server to 1.2.4 and now I'm trying to implement ACL support to use with Bynari Insight Connector. Starting out with the wiki page on shared namespaces from http://wiki.dovecot.org/SharedMailboxes/Shared I tried to implement shared mailbox support so that my customers can enjoy more Exchange-like qualities with Outlook.
However I am not sure if the ACLs or Shared Namespaces are really working. I sure would like some help debugging ACL requests by clients, and the configuration I did.
Thanks, Kerem
Here is the rundown of my configuration, in case I have screwed up somewhere.
*dovecot -n*
# 1.2.4: /usr/local/etc/dovecot.conf
# OS: FreeBSD 6.2-STABLE i386
base_dir: /var/run/dovecot/
log_path: /var/log/dovecot.log
info_log_path: /var/log/dovecot-debug.log
protocols: imap imaps pop3 pop3s
disable_plaintext_auth: no
login_dir: /var/run/dovecot//login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
login_greeting: Kupyazilim IMAPS/POP3S Server - Dovecot ready.
verbose_proctitle: yes
first_valid_uid: 100
first_valid_gid: 6
mail_privileged_group: mail
mail_location: mbox:~/mail/:INBOX=/usr/home/vmail/%d/%u
mail_executable(default): /usr/local/libexec/dovecot/imap
mail_executable(imap): /usr/local/libexec/dovecot/imap
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_plugins(default): quota imap_quota
mail_plugins(imap): quota imap_quota
mail_plugins(pop3): quota
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
imap_client_workarounds(default): outlook-idle delay-newmail tb-extra-mailbox-sep
imap_client_workarounds(imap): outlook-idle delay-newmail tb-extra-mailbox-sep
imap_client_workarounds(pop3):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
namespace:
  type: private
  separator: /
  inbox: yes
  list: yes
  subscriptions: yes
namespace:
  type: shared
  separator: /
  prefix: shared/%%u/
  location: mbox:/usr/home/vmail/%d/%u:INDEX=/usr/home/vmail/shared/%%u
  list: children
lda:
  postmaster_address: postmaster@kupyazilim.com.tr
  mail_plugins: quota
  log_path: /var/log/dovecot-deliver.log
  info_log_path: /var/log/dovecot-deliver.log
auth default:
  mechanisms: plain login
  user: nobody
  passdb:
    driver: sql
    args: /usr/local/etc/dovecot-sql.conf
  userdb:
    driver: sql
    args: /usr/local/etc/dovecot-sql.conf
  userdb:
    driver: prefetch
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: mail
    master:
      path: /var/run/dovecot/auth-master
      mode: 432
      user: vmail
      group: mail
plugin:
  acl_shared_dict: proxy::acl
  quota: maildir:storage=10240:messages=1000
  trash: /usr/local/etc/trash.conf
dict:
  acl: mysql:/usr/local/etc/dovecot-dict-sql.conf

*cat /usr/local/etc/dovecot-acl.conf*
# mail_location copied from dovecot.conf for reference only
#
# mail_location: mbox:~/mail/:INBOX=/usr/home/vmail/%d/%u
# note: it is %d/%u here but only %u in dovecot-sql.conf

# You need to create also a private namespace:
namespace private {
  separator = /
  prefix =
  #location defaults to mail_location.
  inbox = yes
}

namespace shared {
  separator = /
  prefix = shared/%%u/
  #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
  location = mbox:/usr/home/vmail/%d/%u:INDEX=/usr/home/vmail/shared/%%u
  subscriptions = no
  list = children
}

# Set ACL to SQL Server and Reference sql-dictionary
# Table implemented in mysql:/postfix/user_shares
plugin {
  acl_shared_dict = proxy::acl
}

dict {
  acl = mysql:/usr/local/etc/dovecot-dict-sql.conf
}

*cat /usr/local/etc/dovecot-dict-sql.conf*
map {
  pattern = shared/shared-boxes/user/$to/$from
  table = user_shares
  value_field = dummy

  fields {
    from_user = $from
    to_user = $to
  }
}
-- Kerem Erciyes Sistem Danismani http://proje.keremerciyes.com
kerem.erciyes@gmail.com +90 532 737 05 83
On Oct 6, 2009, at 7:24 AM, Kerem Erciyes wrote:
mail_location: mbox:~/mail/:INBOX=/usr/home/vmail/%d/%u
I don't think I've ever tried shared mailboxes with mbox format before, no idea if it even works..
namespace:
  type: shared
  separator: /
  prefix: shared/%%u/
  location: mbox:/usr/home/vmail/%d/%u:INDEX=/usr/home/vmail/shared/%%u
This doesn't really look right. Should probably be more like:
location = mbox:%%h/mail:INBOX=/usr/home/vmail/%%d/%%u:INDEX=/usr/home/vmail/shared/%%u
Hi Timo,
On Tue, Oct 6, 2009 at 4:39 PM, Timo Sirainen <tss@iki.fi> wrote:
On Oct 6, 2009, at 7:24 AM, Kerem Erciyes wrote:
mail_location: mbox:~/mail/:INBOX=/usr/home/vmail/%d/%u
I don't think I've ever tried shared mailboxes with mbox format before, no idea if it even works..
Is there any way to trace ACL commands issued by the client? Or should they pop up in the debug log if ACLs are active?
I tried via telnet to issue imap acl commands and all I could get to work was NAMESPACE command. I think you are right, and ACLs are not supported with mbox, or there is something wrong with my setup. Yet I can see the namespace defined in the configuration via NAMESPACE command.
telnet localhost 143
Trying 127.0.0.1...
Connected to localhost
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Kupyazilim IMAPS/POP3S Server - Dovecot ready.
a05 CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH QUOTA STARTTLS AUTH=PLAIN AUTH=LOGIN
a05 OK Capability completed.
a08 login "*****" "*****"
a08 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH QUOTA] Logged in
a09 MYRIGHTS
a09 BAD Error in IMAP command MYRIGHTS: Unknown command.
a10 GETACL "INBOX"
a10 BAD Error in IMAP command GETACL: Unknown command.
a11 SETACL Inbox "proje@*******.com" +s
a11 BAD Error in IMAP command SETACL: Unknown command.
a13 NAMESPACE
* NAMESPACE (("" "/")) (("shared/" "/")) NIL
a13 OK Namespace completed.
namespace:
  type: shared
  separator: /
  prefix: shared/%%u/
  location: mbox:/usr/home/vmail/%d/%u:INDEX=/usr/home/vmail/shared/%%u
This doesn't really look right. Should probably be more like:
location = mbox:%%h/mail:INBOX=/usr/home/vmail/%%d/%%u:INDEX=/usr/home/vmail/shared/%%u
Sorry, my bad at 3:00 AM. It is fixed now.
-- Kerem Erciyes Sistem Danismani http://proje.keremerciyes.com
kerem.erciyes@gmail.com +90 532 737 05 83
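The telnet session above is the right instinct: ask the server what it advertises before blaming the namespace or the SQL dict. The script below is an added example written for this thread, not Dovecot code and not from any of the posts. It parses CAPABILITY lines of both shapes seen in the session (the untagged reply and the [CAPABILITY ...] response code in the tagged OK), reports whether ACL is advertised at all, classifies the tagged reply to GETACL/MYRIGHTS/SETACL so that "BAD ... Unknown command" (extension not loaded) is told apart from "NO" (ACL active, right not granted), and parses ACL/MYRIGHTS replies into RFC 4314 rights sets. The probe() function is the live version; the host, port and credentials it takes are assumptions supplied by the caller. Unlike the posted session, which logged in over port 143 in clear (the posted dovecot -n has disable_plaintext_auth: no), probe() issues STARTTLS before LOGIN, and it re-issues CAPABILITY after login because the pre-login banner in the session omits the post-login extensions.

```python
"""Client-side probe of IMAP ACL support (RFC 4314).

Added example for this thread: not Dovecot code and not from the posts.
The parsers are pure; probe() is the live version and assumes a reachable
host plus test credentials supplied by the caller.
"""
import imaplib
import re
import ssl

# RFC 4314 rights letters; 'c' and 'd' are the older RFC 2086 letters that
# some servers still emit and that RFC 4314 maps to k and t+e+x.
RIGHTS = {
    "l": "lookup", "r": "read", "s": "keep seen/unseen", "w": "write flags",
    "i": "insert", "p": "post", "k": "create mailbox", "x": "delete mailbox",
    "t": "delete messages", "e": "expunge", "a": "administer",
    "c": "create (RFC 2086)", "d": "delete (RFC 2086)",
}

# Matches both '* CAPABILITY ...' and the '[CAPABILITY ...]' code in a tagged OK.
_CAP_RE = re.compile(r"(?:\* CAPABILITY|\[CAPABILITY)\s+([^\]\r\n]+)")


def parse_capabilities(line):
    """Capability tokens, upper-cased, or an empty set if the line has none."""
    m = _CAP_RE.search(line)
    return {tok.upper() for tok in m.group(1).split()} if m else set()


def acl_supported(caps):
    """(ACL advertised?, extra letters from RIGHTS=...). Dovecot only
    advertises ACL once the imap_acl plugin is actually loaded."""
    extra = ""
    for tok in caps:
        if tok.startswith("RIGHTS="):
            extra = tok.split("=", 1)[1].lower()
    return ("ACL" in caps, extra)


def classify_reply(tag, line):
    """Diagnose the tagged reply to GETACL/MYRIGHTS/SETACL: BAD 'Unknown
    command' means the extension is not loaded at all; NO means ACL is
    active and the right is simply not granted."""
    prefix = tag + " "
    if not line.startswith(prefix):
        return "untagged"
    status = line[len(prefix):].split(" ", 1)[0].upper()
    if status == "BAD" and "unknown command" in line.lower():
        return "extension-missing"
    if status == "NO":
        return "denied"
    return "ok" if status == "OK" else "error"


def parse_acl(line):
    """'* ACL INBOX alice lrws bob lr' -> {'alice': {...}, 'bob': {...}}.
    Mailbox names with spaces would need a real IMAP tokenizer; split()
    is enough for the unquoted names in this thread."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "*" or parts[1].upper() != "ACL":
        return {}
    pairs = parts[3:]
    return {pairs[i]: set(pairs[i + 1]) for i in range(0, len(pairs) - 1, 2)}


def parse_myrights(line):
    """'* MYRIGHTS INBOX lrwstipekxa' -> {'l', 'r', ...}"""
    parts = line.split()
    if len(parts) != 4 or parts[0] != "*" or parts[1].upper() != "MYRIGHTS":
        return set()
    return set(parts[3])


def describe(rights):
    """Human-readable names for a rights set, sorted for stable output."""
    return sorted(RIGHTS.get(r, "unknown right " + r) for r in rights)


def missing_rights(have, needed):
    """Rights in `needed` not covered by `have`, expanding c -> k and
    d -> t e x so old- and new-style strings compare correctly."""
    have = set(have)
    if "c" in have:
        have.add("k")
    if "d" in have:
        have.update("tex")
    return {r for r in needed if r not in have}


def probe(host, user, password, mailbox="INBOX", port=143):
    """Live check (host/user/password are the caller's assumptions):
    STARTTLS before LOGIN, then CAPABILITY again after login, since the
    pre-login banner does not list post-login extensions such as ACL."""
    conn = imaplib.IMAP4(host, port)
    conn.starttls(ssl.create_default_context())
    conn.login(user, password)
    try:
        typ, data = conn.capability()
        supported, extra = acl_supported(parse_capabilities("* CAPABILITY " + data[0].decode()))
        if not supported:
            return {"acl": False, "rights": set(),
                    "note": "ACL not advertised: load the acl and imap_acl plugins"}
        typ, data = conn.myrights(mailbox)  # imaplib wraps the MYRIGHTS command
        rights = set(data[0].decode().split()[-1]) if typ == "OK" else set()
        return {"acl": True, "rights": rights, "extra": extra}
    finally:
        conn.logout()
```

Against the server in the session above, parse_capabilities() on either CAPABILITY line yields no ACL token and classify_reply() on the three BAD replies returns "extension-missing", which already says the plugin is not loaded before any namespace or dict debugging begins.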
Am 06.10.2009 um 16:04 schrieb Kerem Erciyes:
a08 login "*****" "*****"
a08 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH QUOTA] Logged in
a09 MYRIGHTS
a09 BAD Error in IMAP command MYRIGHTS: Unknown command.
a10 GETACL "INBOX"
a10 BAD Error in IMAP command GETACL: Unknown command.
Add 'imap_acl' to the plugins section to activate it:
mail_plugins: imap_acl
Regards Thomas
On Tue, 2009-10-06 at 17:04 +0300, Kerem Erciyes wrote:
I don't think I've ever tried shared mailboxes with mbox format before, no idea if it even works..
Is there any way to trace ACL commands issued by the client? Or should they pop up in the debug log if ACLs are active?
http://wiki.dovecot.org/Debugging/Rawlog could be useful.
Hi,
Well seems I have a problem. When I enable the imap_acl plugin dovecot will not start.
Edlopen(/usr/local/lib/dovecot/imap/lib02_imap_acl_plugin.so) failed: /usr/local/lib/dovecot/imap/lib02_imap_acl_plugin.so: Undefined symbol "acl_mailbox_right_lookup"
FCouldn't load required plugins
Error: imap dump-capability process returned 89
Fatal: Invalid configuration in /usr/local/etc/dovecot.conf
Do you think this is related to mbox instead of maildir setup that we have. If so, I think I will start by converting to maildirs from mbox and then go on testing the ACL and Shared Namespace setups.
Regards, Kerem
On Tue, Oct 6, 2009 at 5:37 PM, Timo Sirainen <tss@iki.fi> wrote:
On Tue, 2009-10-06 at 17:04 +0300, Kerem Erciyes wrote:
I don't think I've ever tried shared mailboxes with mbox format before, no idea if it even works..
Is there any way to trace ACL commands issued by the client? Or should they pop up in the debug log if ACLs are active?
http://wiki.dovecot.org/Debugging/Rawlog could be useful.
-- Kerem Erciyes Sistem Danismani http://proje.keremerciyes.com
kerem.erciyes@gmail.com +90 532 737 05 83
On Tue, 2009-10-06 at 18:26 +0300, Kerem Erciyes wrote:
Well seems I have a problem. When I enable the imap_acl plugin dovecot will not start.
Edlopen(/usr/local/lib/dovecot/imap/lib02_imap_acl_plugin.so) failed: /usr/local/lib/dovecot/imap/lib02_imap_acl_plugin.so: Undefined symbol "acl_mailbox_right_lookup"
Looks like you didn't already have acl plugin enabled, so add it too. Hmm. Maybe these plugins could have a "dependency" setting that complains about missing dependencies or adds them automatically..
Do you think this is related to mbox instead of maildir setup that we have. If so, I think I will start by converting to maildirs from mbox and then go on testing the ACL and Shared Namespace setups.
I think that would be a good idea in any case. :)
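Pulling the thread's fixes together: Thomas says to load imap_acl, Timo says the acl plugin must be loaded as well (the undefined symbol acl_mailbox_right_lookup is exported by acl, which imap_acl resolves at load time), and Timo's earlier reply gives the shared-namespace location the %%h/%%d/%%u form. The fragment below is an added configuration example written for this thread, not a fragment from the posts. It shows the posted mail_plugins line beside the corrected one and adds the acl = vfile backend setting, which the posted dovecot -n output does not contain and which the Dovecot ACL wiki documents as the backend the acl plugin stores per-mailbox rights in. Listing acl before imap_acl is an assumption about load order taken from the symbol error. Everything else in the posted configuration is left as it was, including disable_plaintext_auth = no and the mbox storage that Timo has not tried shared mailboxes with.

```conf
# dovecot.conf (1.2.x): only the lines that change for ACL support.

# Posted (dovecot -n): neither plugin is loaded, so GETACL/MYRIGHTS/SETACL
# answer "Unknown command" and CAPABILITY never lists ACL.
#
#   mail_plugins(imap): quota imap_quota

protocol imap {
  # acl exports acl_mailbox_right_lookup; imap_acl needs it, so both are
  # listed, acl first (assumed load order).
  mail_plugins = quota imap_quota acl imap_acl
}

plugin {
  # Backend the acl plugin keeps per-mailbox rights in (dovecot-acl files);
  # the posted config sets only the shared dict, not a backend.
  acl = vfile
  # Who-shares-with-whom lookup for the shared/ namespace, via the dict proxy,
  # backed by the user_shares table in dovecot-dict-sql.conf as posted.
  acl_shared_dict = proxy::acl
}

dict {
  acl = mysql:/usr/local/etc/dovecot-dict-sql.conf
}

namespace shared {
  separator = /
  prefix = shared/%%u/
  # Timo's suggested form. Doubled variables (%%h, %%d, %%u) expand to the
  # owner of the shared mailbox; single %d/%u, as in the posted location,
  # would expand to the logged-in user and point at the wrong mailboxes.
  location = mbox:%%h/mail:INBOX=/usr/home/vmail/%%d/%%u:INDEX=/usr/home/vmail/shared/%%u
  subscriptions = no
  list = children
}
```

After restarting, the login CAPABILITY reply in the telnet session should gain an ACL token and MYRIGHTS/GETACL should stop returning "Unknown command"; a NO at that point is the ACL backend denying a right, which is where the rawlog Timo points to becomes useful.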
participants (3): Kerem Erciyes, Thomas Leuxner, Timo Sirainen