Confused about dovecot ACL
Hello everyone
Sorry, I'm not very experienced, and neither is my English.
I installed a CentOS 7 server with ISPConfig, Postfix, Dovecot 2.2.36 and Roundcube. This server is only a mail archive, so my need is that ALL the mailboxes are read-only on Roundcube/IMAP and no user must be able to delete the messages. ... so I configured Dovecot's ACL following the guide "https://wiki2.dovecot.org/ACL". I think I did everything correctly and I don't get errors, but entering the Roundcube webmail I CAN DELETE MESSAGES ..... it seems that the ACL has no effect ....
Added to the Dovecot configuration file /etc/dovecot/dovecot.conf:
    ....
    plugin {
      acl = vfile:/etc/dovecot/dovecot-acl
    }
    .....
    protocol imap {
      mail_plugins = $mail_plugins imap_acl
    }
    mail_plugins = acl
    .....
Created the "global" file /etc/dovecot/dovecot-acl and inserted a line giving the test user only lookup and read rights (lr) on every mailbox (the debug output below confirms the pattern is '*'):
    * user=test@test.com lr
My dovecot.conf:
    listen = *,[::]
    protocols = imap pop3
    auth_mechanisms = plain login
    disable_plaintext_auth = no
    log_timestamp = "%Y-%m-%d %H:%M:%S "
    mail_privileged_group = vmail
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key
    ssl_protocols = !SSLv3
    passdb {
      args = /etc/dovecot-sql.conf
      driver = sql
    }
    userdb {
      driver = prefetch
    }
    userdb {
      args = /etc/dovecot-sql.conf
      driver = sql
    }
    plugin {
      acl = vfile:/etc/dovecot/dovecot-acl
      quota = dict:user::file:/var/vmail/%d/%n/.quotausage
      sieve=/var/vmail/%d/%n/.sieve
    }
    service auth {
      unix_listener /var/spool/postfix/private/auth {
        group = postfix
        mode = 0660
        user = postfix
      }
      unix_listener auth-userdb {
        group = vmail
        mode = 0600
        user = vmail
      }
      user = root
    }
    service lmtp {
      unix_listener /var/spool/postfix/private/dovecot-lmtp {
        group = postfix
        mode = 0600
        user = postfix
      }
    }
    service imap-login {
      client_limit = 1000
      process_limit = 500
    }
    protocol imap {
      mail_plugins = $mail_plugins imap_acl
      mail_plugins = quota imap_quota
    }
    protocol pop3 {
      pop3_uidl_format = %08Xu%08Xv
      mail_plugins = quota
    }
    protocol lda {
      mail_plugins = sieve quota
      postmaster_address = root@localhost
    }
    protocol lmtp {
      postmaster_address = admin@htmlservices.it
      mail_plugins = quota sieve
    }
    mail_plugins = $mail_plugins quota
    mail_plugins = acl
My dovecot-acl (global file; the '*' mailbox pattern matches every mailbox, as the debug output below shows):
    * user=test@test.com lr
"debug"
    [root@archivio ~]# doveadm -Dv acl debug -u test@test.com INBOX
    Debug: Loading modules from directory: /usr/lib64/dovecot
    Debug: Module loaded: /usr/lib64/dovecot/lib01_acl_plugin.so
    Debug: Loading modules from directory: /usr/lib64/dovecot/doveadm
    Debug: Module loaded: /usr/lib64/dovecot/doveadm/lib10_doveadm_acl_plugin.so
    Debug: Skipping module doveadm_expire_plugin, because dlopen() failed: /usr/lib64/dovecot/doveadm/lib10_doveadm_expire_plugin.so: undefined symbol: expire_set_deinit (this is usually intentional, so just ignore this message)
    Debug: Skipping module doveadm_quota_plugin, because dlopen() failed: /usr/lib64/dovecot/doveadm/lib10_doveadm_quota_plugin.so: undefined symbol: quota_user_module (this is usually intentional, so just ignore this message)
    Debug: Module loaded: /usr/lib64/dovecot/doveadm/lib10_doveadm_sieve_plugin.so
    Debug: Skipping module doveadm_fts_lucene_plugin, because dlopen() failed: /usr/lib64/dovecot/doveadm/lib20_doveadm_fts_lucene_plugin.so: undefined symbol: lucene_index_iter_deinit (this is usually intentional, so just ignore this message)
    Debug: Skipping module doveadm_fts_plugin, because dlopen() failed: /usr/lib64/dovecot/doveadm/lib20_doveadm_fts_plugin.so: undefined symbol: fts_user_get_language_list (this is usually intentional, so just ignore this message)
    Debug: Skipping module doveadm_mail_crypt_plugin, because dlopen() failed: /usr/lib64/dovecot/doveadm/libdoveadm_mail_crypt_plugin.so: undefined symbol: mail_crypt_box_get_pvt_digests (this is usually intentional, so just ignore this message)
    doveadm(test@test.com): Debug: Added userdb setting: mail=maildir:/var/vmail/test.com/test/Maildir
    doveadm(test@test.com): Debug: Added userdb setting: plugin/quota_rule=*:storage=0B
    doveadm(test@test.com): Debug: Added userdb setting: plugin/sieve=/var/vmail/test.com/test/.sieve
    doveadm(test@test.com): Debug: Effective uid=5000, gid=5000, home=/var/vmail/test.com/test
    doveadm(test@test.com): Debug: acl: No acl_shared_dict setting - shared mailbox listing is disabled
    doveadm(test@test.com): Debug: maildir++: root=/var/vmail/test.com/test/Maildir, index=, indexpvt=, control=, inbox=/var/vmail/test.com/test/Maildir, alt=
    doveadm(test@test.com): Debug: acl: initializing backend with data: vfile:/etc/dovecot/dovecot-acl
    doveadm(test@test.com): Debug: acl: acl username = test@test.com
    doveadm(test@test.com): Debug: acl: owner = 1
    doveadm(test@test.com): Debug: acl vfile: Global ACL file: /etc/dovecot/dovecot-acl
    doveadm(test@test.com): Info: Mailbox 'INBOX' is in namespace ''
    doveadm(test@test.com): Info: Mailbox path: /var/vmail/test.com/test/Maildir
    doveadm(test@test.com): Info: All message flags are shared across users in mailbox
    doveadm(test@test.com): Debug: Mailbox 'INBOX' matches global ACL pattern '*'
    doveadm(test@test.com): Debug: Mailbox 'INBOX' matches global ACL pattern '*'
    doveadm(test@test.com): Debug: Mailbox 'INBOX' matches global ACL pattern '*'
    doveadm(test@test.com): Debug: acl vfile: file /var/vmail/test.com/test/Maildir/dovecot-acl not found
    doveadm(test@test.com): Info: User test@test.com has rights: lookup read
    doveadm(test@test.com): Info: Mailbox in user's private namespace
    doveadm(test@test.com): Info: Mailbox INBOX is visible in LIST
    [root@archivio ~]#
Looking at the line "Info: User test@test.com has rights: lookup read", it seems that the ACL rights (lookup and read) are correctly applied, but as I was saying above, logging in as user test@test.com on the webmail I can do everything I want, including deleting e-mails ..... I have been trying for days to understand, but I don't see what I'm doing wrong or how to solve it .... thank you all in advance
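One check worth running on the dovecot.conf posted above, as an added example that is not from the thread or from the Dovecot project: the `protocol imap { }` block assigns `mail_plugins` twice, and so does the global section. Dovecot's config parser keeps the last assignment of a key within a section and expands `$mail_plugins` to whatever value is in effect at that line, so the effective IMAP plugin list is the second line, `quota imap_quota`, with `acl` and `imap_acl` never loaded for IMAP sessions, while the global list ends as `acl` alone (which is consistent with the doveadm run above: the ACL module loads and reports the rights, but `doveadm_quota_plugin` fails to dlopen because the quota plugin is absent). The script below is a small last-wins resolver over a transcription of those `mail_plugins` lines; the config text is copied from the post, while the resolver itself, the names `resolve_mail_plugins` and `acl_active_for`, and the `FIXED_CONF` variant are my own and assume the parser semantics just described.

```python
"""Resolve Dovecot's effective mail_plugins per protocol under last-wins
assignment and parse-time $mail_plugins expansion (assumed semantics)."""
import re

# mail_plugins-relevant lines transcribed, in file order, from the
# dovecot.conf posted in the thread (constructed excerpt, not the full file).
POSTED_CONF = """
protocol imap {
  mail_plugins = $mail_plugins imap_acl
  mail_plugins = quota imap_quota
}
protocol pop3 {
  mail_plugins = quota
}
protocol lda {
  mail_plugins = sieve quota
}
protocol lmtp {
  mail_plugins = quota sieve
}
mail_plugins = $mail_plugins quota
mail_plugins = acl
"""

# Hypothetical rewrite: one global line, placed before the protocol blocks
# so that $mail_plugins already carries "quota acl" when they are parsed.
FIXED_CONF = """
mail_plugins = quota acl
protocol imap {
  mail_plugins = $mail_plugins imap_quota imap_acl
}
protocol pop3 {
  mail_plugins = $mail_plugins
}
"""


def resolve_mail_plugins(conf_text):
    """Return {"global": [...], "imap": [...], ...}: the mail_plugins list in
    effect for the global section and for each protocol block seen."""
    values = {"global": ""}
    section = "global"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        opened = re.match(r"protocol\s+(\w+)\s*\{", line)
        if opened:
            section = opened.group(1)
            # a protocol block starts from the global value known so far
            values.setdefault(section, values["global"])
            continue
        if line == "}":
            section = "global"
            continue
        assigned = re.match(r"mail_plugins\s*=\s*(.*)", line)
        if assigned:
            # last assignment wins; $mail_plugins is the value at this point
            current = values[section]
            expanded = assigned.group(1).replace("$mail_plugins", current)
            values[section] = " ".join(expanded.split())
    return {name: value.split() for name, value in values.items()}


def acl_active_for(conf_text, protocol):
    """True when the acl plugin is in the effective list for `protocol`
    (a protocol with no block of its own inherits the global list)."""
    plugins = resolve_mail_plugins(conf_text)
    return "acl" in plugins.get(protocol, plugins["global"])


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        effective = resolve_mail_plugins(conf)
        print(f"{label}: imap -> {effective['imap']}, "
              f"acl loaded for IMAP: {acl_active_for(conf, 'imap')}")
```

On the real server the same thing can be read off `doveconf -n`: look at the `protocol imap` section it prints, which shows only the assignment that survived, and compare it with the global `mail_plugins` line.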
On 11.7.2019 20.43, HTMLServices.it via dovecot wrote:
Hello everyone
Sorry, I'm not very experienced, and neither is my English.
I installed a CentOS 7 server with ISPConfig, Postfix, Dovecot 2.2.36 and Roundcube. This server is only a mail archive, so my need is that ALL the mailboxes are read-only on Roundcube/IMAP and no user must be able to delete the messages. ... so I configured Dovecot's ACL following the guide "https://wiki2.dovecot.org/ACL". I think I did everything correctly and I don't get errors, but entering the Roundcube webmail I CAN DELETE MESSAGES ..... it seems that the ACL has no effect ....
snip
Looking at the line "Info: User test@test.com has rights: lookup read", it seems that the ACL rights (lookup and read) are correctly applied, but as I was saying above, logging in as user test@test.com on the webmail I can do everything I want, including deleting e-mails ..... I have been trying for days to understand, but I don't see what I'm doing wrong or how to solve it .... thank you all in advance
This is because the rules are applied as "owner", and not as "test@test.com". If you want to prevent test@test.com from deleting their mail, you need to create /var/vmail/test.com/test/Maildir/dovecot-acl with
- owner lr
Aki
Participants (2): Aki Tuomi, HTMLServices.it