[Dovecot] Acl, Namespace, User Confusion
I'm using dovecot RC6.
I have a group named "cmpymail" with 2 users "jdoe@arinbe.com" and "jsmith@arinbe.com". I set up mail folders like:
drwxrwx--- 4 cmpymail cmpymail 4096 2006-08-13 02:21 cmpymail
drwxrwx--- 3 jdoe     users    4096 2005-11-21 13:34 jdoe
drwxrwx--- 3 jsmith   users    4096 2006-08-13 02:27 jsmith
drwxrwx--- 3 fred     users    4096 2006-08-13 02:27 fred
drwxrwx--- 3 wilma    users    4096 2006-08-13 02:27 wilma
In dovecot.conf
namespace public {
  separator = .
  prefix = COMPANY.
  location = maildir:/home/services/mail/arinbe.com/company/Maildir:CONTROL=%h/shared-settings/company/control:INDEX=%h/shared-settings/rootmail/index
  hidden = no
}
I have a dovecot-shared file
-rw-rw---- 1 cmpymail cmpymail 0 2006-08-13 13:24 dovecot-shared
What I can not do is restrict access to cmpymail to -just- jdoe and jsmith.
I've looked at
http://www.dovecot.org/list/dovecot/2006-June/013683.html
I've tried adding
mail_plugin_dir = /usr/local/lib/dovecot/imap
mail_plugins = acl
and a dovecot-acl file
owner
user=jdoe@arinbe.com lrwstiekxa
user=jsmith@arinbe.com lrwstiekxa
user=jdoe rwstiekxa
user=jsmith lrwstiekxa
I am not exactly sure what username to use. All users are in LDAP.
The "cmpymail" group shows
# getent group
cmpymail:*:5555:jdoe,jsmith
Nothing I do seems to work. I either get errors that wilma and fred can't access cmpymail, for instance when wilma/fred try to subscribe to folders, or wilma and fred have complete access to cmpymail (if I change cmpymail's group to users instead of cmpymail).
Is there a way to restrict access like I want?
Thanks,
Jim
On Tue, 2006-08-15 at 00:12 -0400, Jim Horner wrote:
> and a dovecot-acl file
> owner
> user=jdoe@arinbe.com lrwstiekxa
> user=jsmith@arinbe.com lrwstiekxa
> user=jdoe rwstiekxa
> user=jsmith lrwstiekxa
> I am not exactly sure what username to use. All users are in LDAP.
Most likely jdoe@arinbe.com, assuming the username doesn't get changed somewhere.
> The "cmpymail" group shows
> # getent group
> cmpymail:*:5555:jdoe,jsmith
This is the problem. Since your users come from LDAP, Dovecot never even reads the /etc/group. There are a couple of ways to handle this:
- Make LDAP return jdoe's and jsmith's default GID as cmpymail instead of whatever they now return (users?).
- Make LDAP return system_user. That makes Dovecot get the groups for that user. So something like:
pass_attrs = uid=user,uid=system_user,userPassword=password
Although if your uid is in user@domain format, then you'll need to use the user@domain format in /etc/group also. Or alternatively use some other field from LDAP which has only the user.
Some day in future I might get rid of the system_user though and instead make it possible to return multiple GIDs from LDAP (and SQL and others).
Thanks for the reply.
> - Make LDAP return system_user. That makes Dovecot get the groups for that user. So something like:
> pass_attrs = uid=user,uid=system_user,userPassword=password
Sorry I didn't mention this. I am doing exactly as you state (I think).
user_attrs = mail=user,mailbox=home,uid=system_user,uidNumber=uid,gidNumber=gid
pass_attrs = mail=user,userPassword=password,uid=userdb_user,uid=userdb_system_user,mailbox=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
The problem is not so much that jdoe and jsmith can not see the company mail folder as it is so can everyone else. I would like it so only jdoe and jsmith see the "COMPANY" namespace. However if I lock down the folder using unix permissions:
drwxrwx--- 4 cmpymail cmpymail 4096 2006-08-13 02:21 cmpymail
drwxrwx--- 3 jdoe     users    4096 2005-11-21 13:34 jdoe
drwxrwx--- 3 jsmith   users    4096 2006-08-13 02:27 jsmith
drwxrwx--- 3 fred     users    4096 2006-08-13 02:27 fred
drwxrwx--- 3 wilma    users    4096 2006-08-13 02:27 wilma
then fred, wilma get "IMAP(wilma@arinbe.com): opendir(/home/services/mail/arinbe.com/cmpymail/Maildir) failed: Permission denied" error messages.
I'm fine with the error. It makes sense. I just don't know how to configure dovecot so the users (fred, wilma) don't see the error.
As I understand it
dovecot-shared file is for deliver (dovecot lda) so it knows what permissions to give mail files.
dovecot-acl provides, I am not sure? Can it override unix permissions? Doesn't appear so. If the user logged in doesn't have unix permission to access the folder then how can dovecot-acl be accessed? It also appears that if I set the unix permissions on the folder to cmpymail.users then dovecot-acl doesn't do anything to stop fred and wilma from accessing the folder since they have unix permission access to that folder (they (everyone) are in the users group).
Should I make everyone a static uid like
userdb static {
  args = uid=1500 gid=1500 home=/home/services/mail/%d/%n
}
remove unix permissions, chown vuser.vuser for all mail folders and put a dovecot-acl in the folders/namespace I want to protect? Does it have to be that way? I kind of like seeing the login process and who it belongs to... though this is "black" box and no one can log into it.
I guess my example is pretty lame compared to what ACLs are supposed to be able to do in IMAP, but I imagine something similar to what samba does for shares, like a "users" parameter.
namespace public {
  separator = .
  prefix = COMPANY.
  users = someuser @somegroup
  location = maildir:/home/services/mail/arinbe.com/company/Maildir:CONTROL=%h/shared-settings/company/control:INDEX=%h/shared-settings/rootmail/index
  hidden = no
}
Thanks,
Jim
> namespace public {
>   separator = .
>   prefix = COMPANY.
>   users = someuser @somegroup
>   location = maildir:/home/services/mail/arinbe.com/company/Maildir:CONTROL=%h/shared-settings/company/control:INDEX=%h/shared-settings/rootmail/index
>   hidden = no
> }
Just to close this out (can be read as "hopefully help someone else" or "I like to hear myself talk")...
After spending a few days beating my head against a wall, I finally got this to work...
I had to read and re-read http://www.dovecot.org/list/dovecot/2006-June/013683.html. A dovecot-acl file is not read from the namespace. So for namespace folders I had to use the global vfile:/etc/dovecot-acl folder to create permissions. A dovecot-acl file in one of the shared folders trumps the permissions from global vfile:. The peculiar feature piece is that because namespace folders are not read it doesn't matter for the virtual user. In other words if I have a user named company and share its folders, only the company user will read the dovecot-acl in its folders. Other users accessing that folder as a shared resource will read the global vfile: acl files. This feature worked out great for me.
Using the acl plug-in will "turn off" public namespaces until acl files are put into place. This was hard to understand at first.
Separating things or locking folders down with unix group permissions is pretty much futile. I had to put all my users in all my hosted domains in the same group and open the shared folders permissions to 770 (or 660).
All in all, I am happy with the result.
Thanks,
Jim
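An added example, not code from the thread or from Dovecot: a small Python model of how a dovecot-acl file such as Jim's is evaluated for the users in this thread. It assumes the identifier precedence documented for the ACL plugin (a user= match beats owner, which beats group=, then authenticated, then anyone; entries of the same type merge), an owner named "cmpymail", a constructed group= line, and rights added to the bare "owner" entry.

```python
# Added example (not Dovecot's code): a model of how a dovecot-acl file decides
# what a user may do, using the users from this thread. Assumed precedence:
# user= beats owner, which beats group=, then authenticated, then anyone.
PRECEDENCE = ("group-override", "user", "owner", "group", "authenticated", "anyone")

# Constructed sample: Jim's entries (rights added to "owner") plus a group= line
# standing in for the LDAP-supplied group membership the thread discusses.
SAMPLE_ACL = """\
owner lrwstiekxa
user=jdoe@arinbe.com lrwstiekxa
user=jsmith@arinbe.com lrwstiekxa
user=jdoe rwstiekxa
group=cmpymail lrws
"""


def parse_dovecot_acl(text):
    """Turn dovecot-acl lines into (identifier, rights) pairs; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ident, _, rights = line.partition(" ")
            entries.append((ident, rights.replace(" ", "")))
    return entries


def _match_type(ident, user, owner, groups):
    """Return the identifier type if this entry applies to the user, else None."""
    if ident == "owner":
        return "owner" if user == owner else None
    if ident in ("authenticated", "anyone"):
        return ident
    kind, _, name = ident.partition("=")
    if kind == "user" and name == user:
        return "user"
    if kind in ("group", "group-override") and name in groups:
        return kind
    return None


def effective_rights(entries, user, owner, groups=()):
    """Rights merged from the highest-precedence identifier type matching the user.
    An empty result (no 'l' lookup right) means the folder is not even listed."""
    by_type = {}
    for ident, rights in entries:
        kind = _match_type(ident, user, owner, set(groups))
        if kind is not None:
            by_type.setdefault(kind, set()).update(rights)
    for kind in PRECEDENCE:
        if kind in by_type:
            return by_type[kind]
    return set()
```

Logging in as "jdoe" instead of "jdoe@arinbe.com" hits the bare user=jdoe entry and gets no 'l' right, which is the naming mismatch Timo points at; wilma and fred match nothing and so never see the folder.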
Participants (2): Jim Horner, Timo Sirainen