[Dovecot] Public Mailbox & ACLs
Hi,
I'm having a problem I can't get my head around. I'm trying to setup a public mailbox that is hidden from all users unless granted access through an ACL.
My folder structure is (migrated from a Courier IMAP/Qmail server):
/var/spool/maildir - main public folder (contains a few .qmail files to redirect mail to the correct subfolder)
/var/spool/maildir/Support - support public folder (a public folder rather than a maildir)
/var/spool/maildir/Support/.SubFolder1 - support sub folder 1 (a maildir)
/var/spool/maildir/Support/.SubFolder2 - support sub folder 2 (another maildir)
/var/spool/maildir/System
/var/spool/maildir/System/.SubFolder1
/var/spool/maildir/System/.SubFolder2
I couldn't get the namespace working correctly to just have 1 folder called "Shared" (you just got an empty folder when trying to subscribe). I ended up making 2 namespaces below:
namespace {
  type = public
  separator = .
  prefix = Shared.Support.
  location = maildir:/var/spool/maildir/Support:INDEX=~/Maildir/Support
  subscriptions = no
}
namespace {
  type = public
  separator = .
  prefix = Shared.System.
  location = maildir:/var/spool/maildir/System:INDEX=~/Maildir/System
  subscriptions = no
}
This allowed me to get the result I was looking for. Using an ACL I get a Shared->Support/System->Subfolders view. However the problem is when a user is not in the ACL they can still see the Shared->Support/System folders (just none of the subfolders) and obviously can't subscribe.
Could someone let me know what I am doing wrong and if there is a better way of doing this?
Many thanks,
Tom
Hi,
I've tried doing the following still with no luck.
namespace {
  type = public
  separator = .
  prefix = Shared.
  location = maildir:/var/spool/maildir:INDEX=~/Maildir/Shared
  subscriptions = no
}
This allows everyone still to see Shared on subscriptions. Does anyone know how to stop this??
Tom
Hi Tom, sorry that I can't help you, but I have the same issue (see thread "[Dovecot] Problems with acl and shared namespace"). With a slightly different config (separator / and so on) but the same result - the public mailboxes are fully accessible also from unauthorized accounts.
I also have no answer to my questions - so I hope one of us gets an answer.
BTW, which dovecot version do you use? I use 2.0.13 - perhaps I should try 1.x? But I want to use new software on the new mailserver...
Udo
Hi Udo,
I'm using 2.0.8. I've managed to get the ACLs working by adding:
mail_plugins = acl
protocol imap {
  mail_plugins = $mail_plugins imap_acl
}
To the bottom of 10-mail.conf in /etc/dovecot/conf.d/ (not sure if this is technically the right place. It may be better adding them to the plugins file).
Then added the dovecot-acl files into the subdirectories.
The only problem I'm having is that I can't get dovecot to NOT display the top level shared folders.
Tom
Hi Tom, are the ACLs working for you as namespace-type shared, or public? The non-recognized ACLs are on type public at my installation (all users can access all folders).
I already had in 20-imap.conf:
protocol imap {
  mail_plugins = $mail_plugins acl imap_acl
  ...
and in 10-mail.conf:
mail_plugins = acl autocreate quota
OK, acl is doubled, but I hope that's no problem.
Udo
Hi Udo,
My folders are public mailboxes rather than shared. Why don't you copy your namespace and dovecot-acl files here and we'll have a look at them?
Tom
Hi Tom,
On 06.07.2011 14:38, Tom Clark wrote:
Hi Udo,
My folders are public mailboxes rather than shared. Why don't you copy your namespace and dovecot-acl files here and we'll have a look at them?
I'd like to do so - and during copy/paste I found the issue!!
Jul 06 15:06:41 imap(test4@example.org): Debug: acl vfile: reading file /var/data/public/kunde_2/dovecot-acl ...
Jul 06 15:06:41 imap(test4@example.org): Debug: acl vfile: reading file /var/data/archiv/example.org/test4/public/kunde_2/dovecot-acl ...
Jul 06 15:06:41 imap(test4@example.org): Debug: acl: No lookup right to mailbox: public/kunde_2
This came through one link (/var/data/archiv/example.org/test4/public -> /var/data/public). I removed the link and now I can't see the public folders below the user's archiv area. But below the public namespace the ACLs are now working!!
BTW, I think ACLs should also work with links.
Thanks.
Udo
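The symlink Udo found (a user's private mail directory linking into the public mail root) is the kind of thing worth auditing for across every mail home. The script below is an added example, not part of the thread; it walks a mail root without following links and reports every symlink whose target resolves inside the public root. The paths in demo() are constructed under a temp dir to mirror the layout in the thread.

```python
import os
import tempfile

def symlinks_into(scan_root, public_root):
    """Walk scan_root without following links and return (relative link path,
    resolved target) for every symlink whose target lies inside public_root."""
    public_real = os.path.realpath(public_root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(scan_root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if target == public_real or target.startswith(public_real + os.sep):
                hits.append((os.path.relpath(path, scan_root), target))
    return hits

def demo():
    """Constructed layout mirroring the thread (hypothetical paths under a temp dir):
    archiv/example.org/test4/public -> public, with public/kunde_2 inside."""
    base = tempfile.mkdtemp()
    public = os.path.join(base, "public")
    os.makedirs(os.path.join(public, "kunde_2"))
    user_dir = os.path.join(base, "archiv", "example.org", "test4")
    os.makedirs(user_dir)
    os.symlink(public, os.path.join(user_dir, "public"))
    return [link for link, _ in symlinks_into(os.path.join(base, "archiv"), public)]

if __name__ == "__main__":
    for link in demo():
        print("symlink into public mail root:", link)
```

On a real server, call symlinks_into() with the users' mail root (e.g. /var/data/archiv in Udo's setup) and the public location's directory instead of running demo().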
Hi Udo,
Glad you got it working. I decided to do the list test. This is what I'm getting as a user not allowed access to the shared folders:
02 LIST "" *
* LIST (\HasNoChildren) "." "Drafts"
* LIST (\HasNoChildren) "." "Trash"
* LIST (\HasChildren) "." "INBOX"
* LIST (\HasChildren) "." "Shared.System"
* LIST (\HasChildren) "." "Shared.Support"
02 OK List completed.
As you can see I can list Shared.System and Shared.Support which is what I don't want!
Tom
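Tom's manual LIST test is the right regression check; the added example below (not code from the thread) turns it into a script: it parses untagged LIST responses and returns every mailbox under the public prefix that the logged-in account can still see. The sample lines are constructed from Tom's output above; live_check() and its host/user/password parameters are hypothetical and meant to be run as a test account that is deliberately absent from every dovecot-acl.

```python
import imaplib
import re

# Untagged IMAP LIST response: * LIST (<flags>) "<delimiter>"|NIL <mailbox>
LIST_RE = re.compile(r'^\*\s+LIST\s+\(([^)]*)\)\s+("[^"]*"|NIL)\s+(.+?)\s*$')

# Constructed from the LIST output quoted in the thread; the tagged lines are
# kept on purpose so the parser has to skip them.
TOM_LIST = [
    '02 LIST "" *',
    r'* LIST (\HasNoChildren) "." "Drafts"',
    r'* LIST (\HasNoChildren) "." "Trash"',
    r'* LIST (\HasChildren) "." "INBOX"',
    r'* LIST (\HasChildren) "." "Shared.System"',
    r'* LIST (\HasChildren) "." "Shared.Support"',
    '02 OK List completed.',
]

def parse_list(lines):
    """Return (flags, delimiter, mailbox) for each untagged LIST line; other lines are ignored."""
    entries = []
    for line in lines:
        m = LIST_RE.match(line)
        if not m:
            continue
        flags = m.group(1).split()
        delim = None if m.group(2) == "NIL" else m.group(2).strip('"')
        entries.append((flags, delim, m.group(3).strip('"')))
    return entries

def exposed_public(lines, prefix="Shared."):
    """Mailboxes under the public namespace prefix that this account can still LIST.
    For an account outside every dovecot-acl the expected result is an empty list."""
    parent = prefix.rstrip(".")
    return [mb for _, _, mb in parse_list(lines) if mb == parent or mb.startswith(prefix)]

def live_check(host, user, password, prefix="Shared."):
    """Same check against a real server (hypothetical host/user/password), logged in
    as a test account that is NOT granted any right in the public folders' ACLs."""
    with imaplib.IMAP4_SSL(host) as conn:
        conn.login(user, password)
        _, data = conn.list()
    # imaplib strips the leading "* LIST "; put it back so the same parser applies
    raw = [d.decode() if isinstance(d, bytes) else str(d) for d in data]
    return exposed_public(["* LIST " + line for line in raw], prefix)

if __name__ == "__main__":
    print("listable public folders:", exposed_public(TOM_LIST))
```

If the check reports the bare parent folders as Tom sees here, the Dovecot 2.0 namespace setting list = children (list the namespace only when it has children the user may see) is the setting designed for that case.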
Hi Tom, any hints in the dovecot log if you enable verbose logging?
info_log_path = /var/log/dovecot.log
auth_verbose = yes
auth_debug = yes
mail_debug = yes
And what do your acl files look like?
Udo