[Dovecot] Problem with ACL and rename folder
Hi,
I'm using RoundCube and I asked RC team to add ACL support, but there is a problem with renaming ACL-protected folders. Users don't have permission to delete/rename some folders. It works well, but every IMAP talk when renaming folders ends with:
OK Rename completed.
but the name of the folder isn't changed. Here is a log from RC when I tried to rename an ACL-protected folder:
[20-May-2010 10:48:46 +0200]: S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
[20-May-2010 10:48:46 +0200]: C: cp01 CAPABILITY
[20-May-2010 10:48:46 +0200]: S: * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS ACL RIGHTS=texk QUOTA AUTH=PLAIN AUTH=LOGIN
[20-May-2010 10:48:46 +0200]: S: cp01 OK Capability completed.
[20-May-2010 10:48:46 +0200]: C: a001 LOGIN "*******" "*******"
[20-May-2010 10:48:46 +0200]: S: a001 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS ACL RIGHTS=texk QUOTA] Logged in
[20-May-2010 10:48:46 +0200]: C: lsb LSUB "" "*"
[20-May-2010 10:48:46 +0200]: S: * LSUB () "/" "Trash"
[20-May-2010 10:48:46 +0200]: S: * LSUB () "/" "Junk"
[20-May-2010 10:48:46 +0200]: S: * LSUB () "/" "Sent"
[20-May-2010 10:48:46 +0200]: S: * LSUB () "/" "Drafts"
[20-May-2010 10:48:46 +0200]: S: * LSUB () "/" "Public/AddressBook"
[20-May-2010 10:48:46 +0200]: S: * LSUB () "/" "Public/PublicMails"
[20-May-2010 10:48:46 +0200]: S: * LSUB () "/" "Public/"
[20-May-2010 10:48:46 +0200]: S: * LSUB () "/" "viruses"
[20-May-2010 10:48:46 +0200]: S: * LSUB () "/" "root"
[20-May-2010 10:48:46 +0200]: S: * LSUB () "/" "Info"
[20-May-2010 10:48:46 +0200]: S: * LSUB () "/" "Archives"
[20-May-2010 10:48:46 +0200]: S: * LSUB () "/" "Kalendarz"
[20-May-2010 10:48:46 +0200]: S: lsb OK Lsub completed.
[20-May-2010 10:48:46 +0200]: C: usub1 UNSUBSCRIBE "Kalendarz"
[20-May-2010 10:48:46 +0200]: S: usub1 OK Unsubscribe completed.
[20-May-2010 10:48:46 +0200]: C: r RENAME "Kalendarz" "Kalendarz23"
[20-May-2010 10:48:46 +0200]: S: r OK Rename completed.
[20-May-2010 10:48:46 +0200]: C: sub1 SUBSCRIBE "Kalendarz23"
[20-May-2010 10:48:46 +0200]: S: sub1 NO Mailbox doesn't exist: Kalendarz23
[20-May-2010 10:48:46 +0200]: C: lmb LIST "" "*"
[20-May-2010 10:48:46 +0200]: S: * LIST (\HasNoChildren) "/" "Trash"
[20-May-2010 10:48:46 +0200]: S: * LIST (\HasNoChildren) "/" "Junk"
[20-May-2010 10:48:46 +0200]: S: * LIST (\HasNoChildren) "/" "Info"
[20-May-2010 10:48:46 +0200]: S: * LIST (\HasNoChildren) "/" "Sent"
[20-May-2010 10:48:46 +0200]: S: * LIST (\HasNoChildren) "/" "Drafts"
[20-May-2010 10:48:46 +0200]: S: * LIST (\HasNoChildren) "/" "viruses"
[20-May-2010 10:48:46 +0200]: S: * LIST (\HasNoChildren) "/" "Archives"
[20-May-2010 10:48:46 +0200]: S: * LIST (\HasNoChildren) "/" "root"
[20-May-2010 10:48:46 +0200]: S: * LIST (\HasNoChildren) "/" "Kalendarz"
[20-May-2010 10:48:46 +0200]: S: * LIST (\HasNoChildren) "/" "INBOX"
[20-May-2010 10:48:46 +0200]: S: * LIST (\Noselect \HasChildren) "/" "Public"
[20-May-2010 10:48:46 +0200]: S: * LIST (\HasNoChildren) "/" "Public/AddressBook"
[20-May-2010 10:48:46 +0200]: S: * LIST (\HasNoChildren) "/" "Public/PublicMails"
[20-May-2010 10:48:46 +0200]: S: lmb OK List completed.
[20-May-2010 10:48:46 +0200]: C: I LOGOUT
Here you have my dovecot config:
# 1.2.11: /usr/local/etc/dovecot.conf
# OS: FreeBSD 7.2-RELEASE i386
info_log_path: /var/log/dovecot-info.log
protocols: acl imap pop3 managesieve
ssl: no
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
login_executable(managesieve): /usr/local/libexec/dovecot/managesieve-login
verbose_proctitle: yes
first_valid_uid: 1000
first_valid_gid: 1000
mail_privileged_group: mail
mail_location: maildir:~/Maildir
mail_drop_priv_before_exec: yes
mail_executable(default): /usr/local/etc/dovecot/unix_groups.sh
mail_executable(imap): /usr/local/etc/dovecot/unix_groups.sh
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_executable(managesieve): /usr/local/libexec/dovecot/managesieve
mail_plugins(default): acl imap_acl quota imap_quota autocreate fts fts_squat
mail_plugins(imap): acl imap_acl quota imap_quota autocreate fts fts_squat
mail_plugins(pop3):
mail_plugins(managesieve):
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
mail_plugin_dir(managesieve): /usr/local/lib/dovecot/managesieve
imap_client_workarounds(default): delay-newmail outlook-idle netscape-eoh tb-extra-mailbox-sep
imap_client_workarounds(imap): delay-newmail outlook-idle netscape-eoh tb-extra-mailbox-sep
imap_client_workarounds(pop3):
imap_client_workarounds(managesieve):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
pop3_client_workarounds(managesieve):
namespace:
type: private
separator: /
inbox: yes
list: yes
subscriptions: yes
namespace:
type: public
separator: /
prefix: Public/
location: maildir:/home/public/Maildir:CONTROL=~/Maildir/control/public:INDEX=~/Maildir/index/public
list: yes
lda:
postmaster_address: postmaster@test.parsifal.com.pl
plugins: quota
mail_plugins: acl sieve quota
mail_plugin_dir: /usr/local/lib/dovecot/lda
deliver_log_format: msgid=%m: %$
sendmail_path: /usr/sbin/sendmail
auth default:
mechanisms: plain login
username_format: %Lu
passdb:
driver: pam
args: session=yes imap
userdb:
driver: passwd
args: blocking=yes
socket:
type: listen
client:
path: /var/spool/postfix/private/auth
mode: 432
user: postfix
group: postfix
plugin:
sieve: ~/.dovecot.sieve
sieve_dir: ~/sieve
sieve_global_path: /var/dovecot/sieve/default.sieve
sieve_global_dir: /var/dovecot/sieve
sieve_before: /var/dovecot/sieve/default.sieve
quota: maildir:User quota
quota_rule: *:storage=5G
quota_rule2: Trash:storage=20%%
quota_rule3: SPAM:storage=20%%
quota_warning: storage=80%% /usr/local/bin/quota-warning.sh 80
quota_warning2: storage=90%% /usr/local/bin/quota-warning.sh 90
quota_warning3: storage=95%% /usr/local/bin/quota-warning.sh 95
autocreate: Trash
autocreate2: Junk
autocreate3: Info
autocreate4: Sent
autocreate5: Drafts
autocreate6: Archives
autocreate7: Kalendarz
autosubscribe: Trash
autosubscribe2: Junk
autosubscribe3: Info
autosubscribe4: Sent
autosubscribe5: Drafts
autosubscribe6: Public.AddressBook
autosubscribe7: Public.PublicMails
autosubscribe8: Archives
autosubscribe9: Kalendarz
acl: vfile:/usr/local/etc/dovecot/acls
fts: squat
fts_squat: partial=4 full=10
Here is a global ACL file for mailbox "Kalendarz"
cat /usr/local/etc/dovecot/acls/Kalendarz
owner lrwstipea
My dovecot version:
pkg_info | grep dovecot
dovecot-1.2.11
dovecot-managesieve-0.11.11_1
dovecot-sieve-1.2+0.1.15
Please help with this problem
Regards DZIOBAK
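A check over the client/server trace in the post above, as an added example that is not part of the original thread or of RoundCube or Dovecot: it flags a RENAME that the server answered with OK when a later LIST in the same trace does not show the new name. The line format is taken from the trace above; the sample lines are constructed from it, the function name is hypothetical, and mailbox names are assumed to be quoted strings.

```python
import re

# Line shape as in the RoundCube trace: "[timestamp]: C|S: <tag> <rest>"
LINE = re.compile(r'^\[[^\]]*\]: ([CS]): (\S+) (.*)$')
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')  # assumption: names are quoted

# Constructed sample, shortened from the trace in the post.
SAMPLE = r"""
[20-May-2010 10:48:46 +0200]: C: r RENAME "Kalendarz" "Kalendarz23"
[20-May-2010 10:48:46 +0200]: S: r OK Rename completed.
[20-May-2010 10:48:46 +0200]: C: sub1 SUBSCRIBE "Kalendarz23"
[20-May-2010 10:48:46 +0200]: S: sub1 NO Mailbox doesn't exist: Kalendarz23
[20-May-2010 10:48:46 +0200]: C: lmb LIST "" "*"
[20-May-2010 10:48:46 +0200]: S: * LIST (\HasNoChildren) "/" "Trash"
[20-May-2010 10:48:46 +0200]: S: * LIST (\HasNoChildren) "/" "Kalendarz"
[20-May-2010 10:48:46 +0200]: S: lmb OK List completed.
"""

def silent_rename_failures(log_text):
    """Return (old, new) pairs where RENAME got OK but the last LIST after it
    lacks the new name or still shows the old one."""
    pending = {}   # tag -> (old, new) for RENAME commands awaiting a reply
    acked = []     # renames the server answered with OK
    listed = None  # names from the most recent LIST issued after a rename
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        side, tag, rest = m.groups()
        words = rest.split(None, 1)
        verb = words[0].upper() if words else ""
        if side == "C" and verb == "RENAME":
            names = QUOTED.findall(rest)
            if len(names) == 2:
                pending[tag] = (names[0], names[1])
        elif side == "C" and verb == "LIST" and acked:
            listed = set()
        elif side == "S" and tag in pending:
            pair = pending.pop(tag)
            if verb == "OK":
                acked.append(pair)
        elif side == "S" and tag == "*" and verb == "LIST" and listed is not None:
            names = QUOTED.findall(rest)
            if names:
                listed.add(names[-1])  # last quoted string is the mailbox name
    if listed is None:
        return []  # no LIST after an acknowledged rename: nothing to compare
    return [(o, n) for o, n in acked if n not in listed or o in listed]
```
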
On 2010-05-23 11:51, Thomas Leuxner wrote:
On 23.05.2010 at 10:48, DZIOBAK wrote:
Here is a global ACL file for mailbox "Kalendarz"
cat /usr/local/etc/dovecot/acls/Kalendarz
owner lrwstipea
Try adding 'kx' to that ACL. AFAIK they are used for rename as well.
Regards Thomas
Maybe I wrote this wrong or you don't understand me. I don't want users to rename or delete some folders so I didn't set 'kx' in the ACL files. When I try to rename an ACL-protected folder the answer from the IMAP server is:
OK Rename completed.
But it should be like it is when trying to delete folder:
NO [NOPERM] Permission denied
And the rename isn't completed. The folder has the name before renaming, which is what I want. The RC team is unable to make ACL support because of the answer of the imap server - "OK Rename completed."
On 23.05.2010 at 12:23, DZIOBAK wrote:
But it should be like it is when trying to delete folder:
NO [NOPERM] Permission denied
And the rename isn't completed. The folder has the name before renaming, which is what I want. The RC team is unable to make ACL support because of the answer of the imap server - "OK Rename completed."
Right, so having no permission to do it is actually intended but you are puzzled while it still seems to allow renaming a mailbox, but fails eventually?
My assumption is this may be due to the fact that several IMAP ACL flags would be required for a rename operation and it starts to do it and then fails in the middle. You could set the ACL to something very basic like 'lrws' to see if this rejects rename operations right away. This way you could drill down on the flag that may cause the problem.
Regards Thomas
On 2010-05-23 12:40, Thomas Leuxner wrote:
On 23.05.2010 at 12:23, DZIOBAK wrote:
But it should be like it is when trying to delete folder:
NO [NOPERM] Permission denied
And the rename isn't completed. The folder has the name before renaming, which is what I want. The RC team is unable to make ACL support because of the answer of the imap server - "OK Rename completed."
Right, so having no permission to do it is actually intended but you are puzzled while it still seems to allow renaming a mailbox, but fails eventually?
My assumption is this may be due to the fact that several IMAP ACL flags would be required for a rename operation and it starts to do it and then fails in the middle. You could set the ACL to something very basic like 'lrws' to see if this rejects rename operations right away. This way you could drill down on the flag that may cause the problem.
Regards Thomas
OK, I've set the flags as you suggested to 'lrws' and tried to rename the folder. The behavior is the same: the answer from the IMAP server is "OK Rename completed.". The same answer is given when using global ACL and user ACL.
On Sun, 2010-05-23 at 10:48 +0200, DZIOBAK wrote:
I'm using RoundCube and I asked RC team to add ACL support, but there is a problem with renaming ACL-protected folders. Users don't have permission to delete/rename some folders. It works well, but every IMAP talk when renaming folders ends with:
OK Rename completed.
Fixed: http://hg.dovecot.org/dovecot-1.2/rev/6f25b20b8367
(It was already fixed in v2.0.)
Timo,
-----Original Message----- From: Timo Sirainen
Fixed: http://hg.dovecot.org/dovecot-1.2/rev/6f25b20b8367
(It was already fixed in v2.0.)
I know you were hoping to make 1.2.11 the last in that branch, but it seems like we've seen a few patches since then. Are we due for 1.2.12 sometime soon?
-Brad
On 2010-05-25 17:15, Timo Sirainen wrote:
On Tue, 2010-05-25 at 08:07 -0700, Brad Davidson wrote:
I know you were hoping to make 1.2.11 the last in that branch, but it seems like we've seen a few patches since then. Are we due for 1.2.12 sometime soon?
I guess 1.2.12 will be released. Probably same time as 2.0.rc1.
Could you tell me when it would be released (week, two weeks, month)?
On Tue, 2010-05-25 at 17:45 +0200, DZIOBAK wrote:
I guess 1.2.12 will be released. Probably same time as 2.0.rc1.
Could you tell me when it would be released (week, two weeks, month)?
"ASAP". What that means, I don't know. I'll still have about 200 mails to read from this list, but besides that my TODO list isn't very big.
On 5/25/2010 11:07 AM, Brad Davidson wrote:
Timo,
-----Original Message----- From: Timo Sirainen
Fixed: http://hg.dovecot.org/dovecot-1.2/rev/6f25b20b8367
(It was already fixed in v2.0.)
I know you were hoping to make 1.2.11 the last in that branch, but it seems like we've seen a few patches since then. Are we due for 1.2.12 sometime soon?
-Brad
I can't wait for a production release of dovecot 2.0. I know there's a beta but until it's production, it will not be employed on our systems at Shelton Computers, though. *Sign this mailing list article to let Dovecot know your interest!*
Jerrale Gayle Shelton Computers Senior Communications Admin
participants (5)
- Brad Davidson
- DZIOBAK
- John
- Thomas Leuxner
- Timo Sirainen