[Dovecot] read only maildir
Hello All,
I try to set up a read only maildir just as in the wiki, to no avail. The extra (public) namespace shows up but I cannot subscribe to it (in thunderbird) or if I change to that "directory" (in mutt), it is empty. Is it the problem mentioned in the wiki (SharedMailboxes#Subscriptions)? If yes, how can I see/use a folder which is not subscribeable?
Any help would be greatly appreciated.
Regards, A.
Nagyon Almos wrote:
The extra (public) namespace shows up but I cannot subscribe to it (in thunderbird) or
If it's read-only, then your user can't write the 'subscriptions' file; as root, edit that file and manually insert the subscription, then your clients should pick it up.
-te
-- Troy Engel | Systems Engineer Fluid, Inc | http://www.fluid.com
The ACL documentation at http://wiki.dovecot.org/ACL is a bit vague... I'd be happy to update it myself, but I need some clarification:
For example, I have a dovecot-acl file with:
group=portal_admin lrw
anyone l
To me this means that any user in the portal_admin group should be able to open and read messages in the shared mailbox where this dovecot-acl file resides. All other users should be able to see the mailbox, but won't be able to open it.
What I'm finding is that in actuality NO ONE can open the mailbox. Users in the portal_admin group cannot open it.
Am I misreading how ACL is supposed to work? Or does the group= identifier simply not work? I guess I should mention that these groups are coming from active directory hooked up on the back-end with winbind, but I think this should be transparent to dovecot (i.e. dovecot shouldn't know the difference between groups originating from active directory versus local groups.... after all, it doesn't seem to differentiate between active directory users versus local users.... or am I wrong about this?)
Secondly, what is the group-override identifier supposed to do?
Thirdly, are spaces and other special characters allowed in the group/username identifiers?
Thanks, Matt.
This e-mail message is privileged, confidential and subject to copyright. Any unauthorized use or disclosure is prohibited. The content of this e-mail is privileged, confidential and subject to copyright. It is forbidden to use or disclose it without authorization.
On Wed, 2007-05-02 at 12:40 -0400, Matt Zukowski wrote:
The ACL documentation at http://wiki.dovecot.org/ACL is a bit vague... I'd be happy to update it myself, but I need some clarification:
For example, I have a dovecot-acl file with:
group=portal_admin lrw
anyone l
The page also contains "Groups aren't currently supported, but only because the groups can't be specified in userdb currently."
Secondly, what is the group-override identifier supposed to do?
Updated the page:
Group-override identifier allows you to override users' ACLs. Probably the most useful reason to do this is to temporarily disable access for some users. For example:
user=timo rw
group-override=tempdisabled
Now if timo is in tempdisabled group, he has no access to the mailbox. This wouldn't be possible with a normal group identifier, because the user=timo would override it.
Thirdly, are spaces and other special characters allowed in the group/username identifiers?
Spaces unfortunately aren't. I was thinking about this myself also a while ago. I'm not sure what would be the best way to change the current format to support spaces.
Other characters are allowed.
Perhaps adopting Courier-IMAP's ACL specification might make sense? Tab is the delimiter instead of space, so spaces are allowed in identifiers. Also, negative permissions are possible (i.e. +r to grant read access, -r to disable it). Also, I believe precedence is based on the order of the rules in the file, so you could have the group permissions override the user permissions by placing the group constraint further down. Anyway, there's also probably some benefit in using a common ACL format... interoperability is a good thing (unless you're Microsoft).
Regarding the group permissions not working, am I to understand that as of now they are implemented but don't actually do anything? i.e. how can I make use of the group constraints?
On Wed, 2007-05-09 at 11:15 -0400, Matt Zukowski wrote:
Perhaps adopting Courier-IMAP's ACL specification might make sense? Tab is the delimiter instead of space, so spaces are allowed in identifiers.
This can't be changed anymore without breaking backwards compatibility. There could of course be some new setting or maybe the file format could be changed in a way that it allows spaces in identifiers but is still backwards compatible, but I'm not sure what would be the best way to do it.
Also, negative permissions are possible (i.e. +r to grant read access, -r to disable it).
This should work with Dovecot too.
Also, I believe precedence is based on the order of the rules in the file, so you could have the group permissions override the user permissions by placing the group constraint further down.
I don't think this is a good idea. Especially after I add support for the IMAP ACL extension. It doesn't support ordering rules. group-override=xx is for that.
Anyway, there's also probably some benefit in using a common ACL format... interoperability is a good thing (unless you're Microsoft).
I thought the dovecot-acl file was compatible with Courier, but I guess not if I missed the TAB separator thing. :)
Regarding the group permissions not working, am I to understand that as of now they are implemented but don't actually do anything? i.e. how can I make use of the group constraints?
The code looks like this (src/plugins/acl/acl-storage.c):
backend = acl_backend_init(acl_env, storage, user_env, NULL,
owner_username);
The NULL in there is the list of groups the user is in. So if you wanted to use groups, you'd have to set it somehow. Perhaps this would work:
backend = acl_backend_init(acl_env, storage, user_env,
	/* GROUPS is a comma-separated list exported by userdb */
	getenv("GROUPS") == NULL ? NULL :
		t_strsplit(getenv("GROUPS"), ","),
	owner_username);
Then you'll need to return "groups=a,b,c,d" from userdb. I'm not yet sure how I want this to work in Dovecot v1.1.
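An added example, not code from the thread or from Dovecot: a small Python model of the dovecot-acl file format and of the resolution rules described above (group-override= beats user=, user= beats group=, anyone is the fallback). Matt's and Timo's two files are embedded as constructed sample input. The set of right letters accepted and the merging of several matching groups by union are assumptions of this model, not something the thread states.

```python
# Toy model of dovecot-acl parsing and rights resolution (added example,
# not Dovecot's implementation). Precedence follows the thread:
# group-override= > user= > group= > anyone.
from dataclasses import dataclass

# IMAP ACL right letters (RFC 4314 plus the legacy c/d); which letters a
# given Dovecot release accepts is an assumption here.
VALID_RIGHTS = frozenset("lrswipkxteacd")
IDENT_KINDS = ("user", "group", "group-override")

# Constructed sample files, copied from the two examples in the thread.
MATT_ACL = "group=portal_admin lrw\nanyone l\n"
TIMO_ACL = "user=timo rw\ngroup-override=tempdisabled\n"


@dataclass(frozen=True)
class AclEntry:
    kind: str            # "user", "group", "group-override" or "anyone"
    name: str            # identifier value; empty for "anyone"
    rights: frozenset    # right letters; empty means "no access"


def parse_acl(text):
    """Parse lines of the form '<identifier> <rights>'.

    The format is space-delimited, which is exactly why identifiers cannot
    contain spaces: the second word is read as the rights string, and any
    letter that is not a known right is rejected.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        ident, rights = parts[0], "".join(parts[1:])   # no rights -> no access
        bad = set(rights) - VALID_RIGHTS
        if bad:
            raise ValueError(f"line {lineno}: unknown rights {sorted(bad)} "
                             "(identifier containing a space?)")
        if "=" in ident:
            kind, name = ident.split("=", 1)
            if kind not in IDENT_KINDS or not name:
                raise ValueError(f"line {lineno}: bad identifier {ident!r}")
        elif ident == "anyone":
            kind, name = ident, ""
        else:
            raise ValueError(f"line {lineno}: bad identifier {ident!r}")
        entries.append(AclEntry(kind, name, frozenset(rights)))
    return entries


def resolve_rights(entries, user, groups=()):
    """Effective rights of `user`, who belongs to `groups`.

    The highest-precedence identifier kind with at least one match decides;
    several matching entries of that kind are merged by union (assumption).
    """
    groups = set(groups)
    order = (
        ("group-override", lambda e: e.name in groups),  # can revoke user= rights
        ("user", lambda e: e.name == user),
        ("group", lambda e: e.name in groups),
        ("anyone", lambda e: True),
    )
    for kind, match in order:
        hits = [e.rights for e in entries if e.kind == kind and match(e)]
        if hits:
            return frozenset().union(*hits)
    return frozenset()


def can_open(rights):
    """Opening and reading messages needs the 'r' right; 'l' only lists."""
    return "r" in rights


if __name__ == "__main__":
    for label, text, who in (("matt", MATT_ACL, [("matt", ["portal_admin"]), ("bob", [])]),
                             ("timo", TIMO_ACL, [("timo", []), ("timo", ["tempdisabled"])])):
        entries = parse_acl(text)
        for user, groups in who:
            r = resolve_rights(entries, user, groups)
            print(label, user, groups, "".join(sorted(r)) or "-",
                  "can open" if can_open(r) else "cannot open")
```

Running it shows the intended reading of Matt's file (portal_admin members get lrw, everyone else only l) and Timo's group-override case (timo has rw until he is placed in tempdisabled, after which he has nothing). Feeding it a line such as `group=portal admins lrw` raises an error rather than silently creating a group named "portal", which is the failure mode behind the "no spaces in identifiers" rule.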
If it's read-only, then your user can't write the 'subscriptions' file; as root, edit that file and manually insert the subscription, then your clients should pick it up.
Thanks for the quick reply.
Is it subscriptions or .subscriptions or in the singular (without the ending s)? Where should it be exactly? In the directory specified by the location option or by the CONTROL suboption? And what should it contain? Sorry to ask too much, but I am (very) new to dovecot.
Best regards, A.
Nagyon Almos wrote:
Is it subscriptions or .subscriptions or in the singular (without the ending s)? Where should it be exactly?
If you run dovecot 0.99, it's .subscriptions; if you run dovecot 1.0, it's subscriptions - so adjust as necessary. It is always located in the Maildir/ directory itself - take a look at your own personal maildir folder and it should be pretty obvious.
The contents should be the name of the subfolder itself. Again, looking at your personal folder and just copying the idea to the shared one should be all you need to do.
-te
-- Troy Engel | Systems Engineer Fluid, Inc | http://www.fluid.com
If you run dovecot 0.99, it's .subscriptions; if you run dovecot 1.0, it's subscriptions - so adjust as necessary. It is always located in the Maildir/ directory itself - take a look at your own personal maildir folder and it should be pretty obvious.
It goes without saying that if you are running 0.99 - UPGRADE.
--
Best regards,
Charles
If you run dovecot 0.99, it's .subscriptions; if you run dovecot 1.0, it's subscriptions - so adjust as necessary. It is always located in the Maildir/ directory itself - take a look at your own personal maildir folder and it should be pretty obvious.
The contents should be the name of the subfolder itself. Again, looking at your personal folder and just copying the idea to the shared one should be all you need to do.
Thank you for your help. The location of the subscriptions file is now clear.
The situation is getting better: mutt does not see the read-only maildir, even if I have two subscriptions files, one in Maildir/ and one in the CONTROL directory (an empty directory). Thunderbird now sees the folders in the read-only Maildir/ no matter what was specified in the subscriptions files (again, I have them under both Maildir/ and CONTROL). And I can subscribe/unsubscribe to them. But if I click on the name of the folder, Thunderbird says: Mailbox does not exist. And there is absolutely nothing in dovecot's log.
If it matters, I use Edgy, hence dovecot 1.0rc2, mutt 1.5.13 and thunderbird 1.5.0.10.
Again, thank you for your help. By the way, do you have working read-only folders? If yes, would you please send me the details?
Best regards, A.
participants (5)
- Charles Marcus
- Matt Zukowski
- Nagyon Almos
- Timo Sirainen
- Troy Engel