Issue with ACLs in Dovecot 2.4
Hi,
I'm trying to migrate my setup to Dovecot 2.4, but I'm experiencing an unusual issue with ACLs. After multiple tests, I’ve stripped the configuration down to the bare minimum to pinpoint the root cause of the problem.
Basically, if I set "owner lr" as the permissions for a folder, I am unable to move any messages, yet I can still create subfolders. Here’s the relevant configuration:
protocol imap {
  mail_plugins {
    acl = yes
  }
}

acl_driver = vfile
acl_globals_only = yes

namespace inbox {
  inbox = yes
  separator = /
  mailbox Test {
    acl owner {
      rights = lr
    }
  }
}
Am I missing any configuration, or have I encountered a bug?
Thanks, Andrea
-- TIM San Marino S.p.A. Andrea Gabellini Engineering R&D TIM San Marino S.p.A. - https://www.telecomitalia.sm Via Ventotto Luglio, 212 - Piano -2 47893 - Borgo Maggiore - Republic of San Marino Tel: (+378) 0549 886237 Fax: (+378) 0549 886188
-- Privacy Notice
This e-mail is addressed to contacts held in the archives of TIM San Marino S.p.A. All information is processed and protected in compliance with the legislation in force on the protection of personal data (Reg. EU 2016/679). To request information and/or changes and/or deletion of your data held in our archives, you can send an e-mail to privacy@telecomitalia.sm.
Confidentiality Notice
The content of this e-mail and of any attachments is strictly confidential and intended for the person(s) to whom it is addressed. If you have received this e-mail in error, please notify us immediately and delete it from your computer. Copying and disclosing the content of this e-mail is prohibited. Any improper use of the information contained herein by third parties, or by persons not named in this e-mail, may be prosecuted under the law.
On 27/02/2025 11:26 EET Andrea Gabellini via dovecot <dovecot@dovecot.org> wrote:
Hi,
I'm trying to migrate my setup to Dovecot 2.4, but I'm experiencing an unusual issue with ACLs. After multiple tests, I’ve stripped the configuration down to the bare minimum to pinpoint the root cause of the problem.
Basically, if I set "owner lr" as the permissions for a folder, I am unable to move any messages, yet I can still create subfolders. Here’s the relevant configuration:
protocol imap {
  mail_plugins {
    acl = yes
  }
}

acl_driver = vfile
acl_globals_only = yes

namespace inbox {
  inbox = yes
  separator = /
  mailbox Test {
    acl owner {
      rights = lr
    }
  }
}
Am I missing any configuration, or have I encountered a bug?
Thanks, Andrea
The permissions only apply to that folder, try adding
mailbox Test/* { acl owner { rights = lr } }
Aki
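A combined configuration, added here as an illustration (it is not the exact file of either participant): the ACL from the original mail together with the Test/* wildcard from the reply, so the owner restriction covers subfolders as well as Test itself. The comments on the rights letters give their documented meanings in the Dovecot ACL plugin; that Test/* matches children of Test under the configured / separator is assumed from the reply.

```conf
# Added example configuration: original ACL plus the Test/* wildcard from the reply.
protocol imap {
  mail_plugins {
    acl = yes
  }
}

acl_driver = vfile
# Only the ACLs configured here apply; no per-mailbox dovecot-acl files are consulted.
acl_globals_only = yes

namespace inbox {
  inbox = yes
  separator = /

  # Rights letters as documented for the Dovecot ACL plugin:
  #   l = lookup (folder is visible in LIST), r = read (open the folder, read messages).
  # Rights the owner therefore does NOT get on these folders:
  #   i = insert (COPY/APPEND into the folder, i.e. the destination side of a move),
  #   t = set the \Deleted flag, e = expunge (the source side of a move),
  #   k = create child folders, x = delete the folder itself.
  mailbox Test {
    acl owner {
      rights = lr
    }
  }

  # Wildcard so children of Test (Test/foo, Test/foo/bar, ...) get the same
  # restriction; without it only Test itself is covered.
  mailbox Test/* {
    acl owner {
      rights = lr
    }
  }
}
```

With only l and r granted, a move fails because the destination needs i and the source needs t and e, and a CREATE under Test should be refused because k is missing on the parent; a client that still manages to create a subfolder is therefore worth checking in the ACL debug log.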
Hi,
Thanks for your quick reply. I’ve added the suggested configuration, but the issue persists.
The situation is even stranger than expected. I tested with both Thunderbird and my on-prem Roundcube webmail, and I observed different behaviors:
Thunderbird: Works as expected, subfolders are not created.
Webmail (Roundcube): Subfolders are created, and I see the following error in the logs:

Thunderbird:
Debug: Added userdb setting: master_user=proxy_master
Debug: Effective uid=5000, gid=5000, home=/var/mail/vhosts/username
Debug: acl: Shared mailbox listing disabled: dict { .. } named list filter is missing
Debug: open(/proc/self/io) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +r perm: /proc/self/io)
Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes
Debug: maildir++: root=/var/mail/vhosts/username/Maildir, index=, indexpvt=, control=, inbox=/var/mail/vhosts/username/Maildir, alt=
Debug: acl: initializing backend vfile
Debug: acl: acl username = username
Debug: acl: owner = yes
Debug: acl: ignore = no
Debug: auth-master: login: conn unix:/run/auth-master (pid=1844998,uid=0): Disconnected: Connection closed (fd=12)
Debug: Command finished: namespace: OK Namespace completed.
Debug: Command finished: COMPRESS DEFLATE
Debug: ID sent: name=Thunderbird, version=115.18.0
Debug: Command finished: ID ("name" "Thunderbird" "version" "115.18.0"): OK ID completed.
Debug: acl: '' is not a valid mailbox name: Name is empty
Debug: Mailbox Test: Using configured acl 'owner'
Debug: Mailbox Test/001b: Using configured acl 'owner'
Debug: Mailbox Test/001: Using configured acl 'owner'
Debug: Command finished: list (subscribed) "" "*": OK List completed.
Debug: Command finished: list "" "INBOX": OK List completed.
Debug: Mailbox Test: Mailbox opened
Debug: Command finished: select "Test": OK [READ-ONLY] Select completed
Debug: Namespace inbox: Using permissions from /var/mail/vhosts/username/Maildir: mode=0700 gid=default
Debug: Mailbox Test: Mailbox opened
Debug: Command finished: create "Test/00TB": NO [NOPERM] Permission denied
Debug: Command finished: list "" "Test": OK List completed.

Roundcube:
Debug: Added userdb setting: master_user=proxy_master
Debug: Effective uid=5000, gid=5000, home=/var/mail/vhosts/username
Debug: acl: Shared mailbox listing disabled: dict { .. } named list filter is missing
Debug: open(/proc/self/io) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +r perm: /proc/self/io)
Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes
Debug: maildir++: root=/var/mail/vhosts/username/Maildir, index=, indexpvt=, control=, inbox=/var/mail/vhosts/username/Maildir, alt=
Debug: acl: initializing backend vfile
Debug: acl: acl username = username
Debug: acl: owner = yes
Debug: acl: ignore = no
Debug: auth-master: login: conn unix:/run/auth-master (pid=1844998,uid=0): Disconnected: Connection closed (fd=12)
Debug: Namespace inbox: Using permissions from /var/mail/vhosts/username/Maildir: mode=0700 gid=default
Debug: Mailbox Test: Mailbox opened
Debug: acl: '' is not a valid mailbox name: Name is empty
Debug: Namespace inbox: /var/mail/vhosts/username/Maildir/.Test.00RC doesn't exist yet, using default permissions
Mailbox Test/00RC: Mailbox created
Debug: Mailbox Test: Mailbox opened
Debug: Mailbox Test: Using configured acl 'owner'
Error: acl: Can't update acl object 'Test.00RC': No local acl file path
Debug: Mailbox INBOX: Couldn't open mailbox in list index: Refresh-flag set
Debug: Mailbox Test/00RC: Mailbox opened
Debug: Mailbox Test/00RC: Using configured acl 'owner'
Debug: Mailbox INBOX: Mailbox opened
Debug: Mailbox Test/00RC: Mailbox opened
Debug: Mailbox Test/00RC: Purging (new file_seq=1740650805): copy cache decisions
Debug: Mailbox Test/00RC: Purging finished, file_seq changed 0 -> 1740650805, size=0 -> 968, max_uid=0
Debug: Command finished: CREATE Test/00RC: OK Create completed.
Debug: Command finished: SUBSCRIBE Test/00RC: OK Subscribe completed.
Debug: Command finished: LIST "" Test/00RC: OK List completed.
Debug: Command finished: LOGOUT: OK Logout completed.
Thanks, Andrea
On 27/02/25 10:34, Aki Tuomi via dovecot wrote:
On 27/02/2025 11:26 EET Andrea Gabellini via dovecot <dovecot@dovecot.org> wrote:
Hi,
I'm trying to migrate my setup to Dovecot 2.4, but I'm experiencing an unusual issue with ACLs. After multiple tests, I’ve stripped the configuration down to the bare minimum to pinpoint the root cause of the problem.
Basically, if I set "owner lr" as the permissions for a folder, I am unable to move any messages, yet I can still create subfolders. Here’s the relevant configuration:
protocol imap {
  mail_plugins {
    acl = yes
  }
}

acl_driver = vfile
acl_globals_only = yes

namespace inbox {
  inbox = yes
  separator = /
  mailbox Test {
    acl owner {
      rights = lr
    }
  }
}
Am I missing any configuration, or have I encountered a bug?
Thanks, Andrea
The permissions only apply to that folder, try adding
mailbox Test/* { acl owner { rights = lr } }
Aki
dovecot mailing list -- dovecot@dovecot.org. To unsubscribe send an email to dovecot-leave@dovecot.org