[Dovecot] virtual plugin and ACL
Hello list,
We are using the virtual plugin to provide users with two additional folders: Company/all, which contains all messages in the user's mailbox, and Company/favorites, which contains the flagged messages.
Here is the namespace part of the config file:

    namespace private {
      prefix = Company/
      separator = /
      location = virtual:/var/mail/virtual:INDEX=MEMORY:LAYOUT=maildir++
      subscriptions = no
    }
Everything works fine, but a problem arises when someone renames or deletes a virtual mailbox. With the above config, one user makes changes to his mailbox, but the changes are distributed to the entire domain.

First, I tried to add :CONTROL=/data/mail/%d/%n/data/virtual to the location part of the virtual namespace, but I had no luck with such settings. The directory /data/mail/%d/%n/data/virtual was not even created.
Then I tried to set up ACLs for the virtual mailboxes, adding "acl" to mail_plugins in the imap and lda sections and acl=vfile to the plugin config. Under /var/mail/virtual, in each mailbox, I created a dovecot-acl file containing:

    user=koshikov.n lrwstiekxa
    authenticated lrwstipe

But this didn't work.
    * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN AUTH=LOGIN] Server ready.
    a login test qwe
    a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH QUOTA] Logged in
    a list "" *
    * LIST (\HasNoChildren) "/" "Sent"
    * LIST (\HasNoChildren) "/" "Drafts"
    * LIST (\HasNoChildren) "/" "Spam"
    * LIST (\HasNoChildren) "/" "Trash"
    * LIST (\HasNoChildren) "/" "INBOX"
    * LIST (\Noselect \HasChildren) "/" "Company"
    * LIST (\HasNoChildren) "/" "Company/all"
    * LIST (\HasNoChildren) "/" "Company/favorites"
    a OK List completed.
    a select Company/all
    * FLAGS (\Answered \Flagged \Deleted \Seen \Draft NonJunk)
    * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft NonJunk \*)] Flags permitted.
    * 13 EXISTS
    * 0 RECENT
    * OK [UIDVALIDITY 1249459221] UIDs valid
    * OK [UIDNEXT 14] Predicted next UID
    * OK [NOMODSEQ] No permanent modsequences
    a OK [READ-WRITE] Select completed.
    a getacl
    a BAD Error in IMAP command GETACL: Unknown command.
    a rename Company/all Company/test
    a OK Rename completed.
After "Rename completed", a new file dovecot-acl-list appears in /var/mail/virtual with the content: 1249457074 test

How can I work around this situation? I just need to restrict my users from renaming and deleting virtual mailboxes.
On Wed, 2009-08-05 at 11:08 +0300, Nikita Koshikov wrote:
> Here is the namespace part of the config file:
>
>     namespace private {
>       prefix = Company/
>       separator = /
>       location = virtual:/var/mail/virtual:INDEX=MEMORY:LAYOUT=maildir++
>       subscriptions = no
>     }
> ..
> Then I tried to set up ACLs for the virtual mailboxes, adding "acl" to mail_plugins in the imap and lda sections and acl=vfile to the plugin config. Under /var/mail/virtual, in each mailbox, I created a dovecot-acl file containing:
>
>     user=koshikov.n lrwstiekxa
>     authenticated lrwstipe
>
> But this didn't work.
That's because in private namespaces the user owns the mails, and "authenticated" doesn't reduce the user's privileges. You could use "owner" instead.

Also, I don't think you should use ACLs at all here. It's easier and more secure to just make /var/mail/virtual non-writable by the imap process. For example, change the file/dir owners to root and make them world-readable.
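As an added example (not code from the thread or from Dovecot), the two fixes Timo describes, carried out on a scratch copy of the virtual root rather than on the live /var/mail/virtual. Assumptions the thread does not state: the maildir++ directory names .Company.all and .Company.favorites under the virtual root, and the contents of the dovecot-virtual files ("*" followed by an indented "all" or "flagged" search line). The ACL variant keeps the right set from the original post, which has no k (create mailbox) and no x (delete mailbox), but grants it to "owner" as Timo suggests; the filesystem variant strips every write bit and, when run as root, hands ownership to root. One reading note on the transcript above: in Dovecot 1.2 the GETACL command comes from the separate imap_acl plugin, so "Unknown command" there says nothing about whether the acl plugin itself was enforcing anything.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway virtual root with the
# layout assumed above, then applies (1) an owner-only ACL and (2) read-only
# filesystem permissions, which is the variant Timo recommends.
set -eu

# Create the assumed maildir++ layout under $1 (a scratch directory, never the
# real /var/mail/virtual). The dovecot-virtual contents are assumptions.
make_virtual_root() {
    root=$1
    for box in .Company.all .Company.favorites; do
        mkdir -p "$root/$box"
    done
    # virtual plugin format: mailbox pattern line(s), then an indented search query
    printf '*\n  all\n'     > "$root/.Company.all/dovecot-virtual"
    printf '*\n  flagged\n' > "$root/.Company.favorites/dovecot-virtual"
}

# Variant 1 (ACL): the same rights the original post gave "authenticated",
# granted to "owner" instead. l r w s t i p e are present; k (create) and
# x (delete mailbox) are absent, so the owner cannot rename or delete the folder.
write_owner_acl() {
    box_dir=$1
    printf 'owner lrwstipe\n' > "$box_dir/dovecot-acl"
}

# Variant 2 (filesystem): remove every write bit so the imap process cannot
# rename, delete or create anything under the virtual root. Ownership is moved
# to root only when this script itself runs as root.
harden_virtual_root() {
    root=$1
    chmod -R a-w "$root"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root "$root"
    fi
}

# Permission string of a path, e.g. "dr-xr-xr-x" (first 10 columns of ls -ld,
# which ignores a trailing "+" or "." that ACL/SELinux systems append).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Stand-alone demo on a temporary directory; cleans up after itself.
demo() {
    root=$(mktemp -d)
    make_virtual_root "$root"
    write_owner_acl "$root/.Company.all"
    write_owner_acl "$root/.Company.favorites"
    harden_virtual_root "$root"
    echo "mode of .Company.all: $(mode_of "$root/.Company.all")"
    echo "dovecot-acl: $(cat "$root/.Company.all/dovecot-acl")"
    chmod -R u+w "$root"
    rm -rf "$root"
}

demo
```

Either variant is enough on its own; with the filesystem variant the dovecot-acl files can be omitted entirely, which is why Timo calls it both easier and more secure (there is no plugin configuration that can be left out, as in the transcript where rename still succeeded).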
On Fri, 07 Aug 2009 15:23:32 -0400 Timo Sirainen tss@iki.fi wrote:
> That's because in private namespaces the user owns the mails, and "authenticated" doesn't reduce the user's privileges. You could use "owner" instead.
>
> Also, I don't think you should use ACLs at all here. It's easier and more secure to just make /var/mail/virtual non-writable by the imap process. For example, change the file/dir owners to root and make them world-readable.
Thank you, Timo.
Both variants are working fine for me.