[Dovecot] Shared mailbox ACL
Hi everyone,
I am having some trouble with shared folders in trying to replicate how we use them with a Cyrus backend.
The auth database is Samba4 active directory, so I am using an LDAP lookup to authenticate and forcing the UID and GID to be all the same. I have a post-login script that sets the group ACL, and this seems to be working fine. /mnt/mail is an NFS mount to a FreeNAS machine, and there is only one Dovecot server connecting to that NFS share.
I have been able to get the inbox of the shared mailbox to appear in Thunderbird, but I would like to allow all subfolders to have the same ACLs. Is there a way to do this without having an ACL entry for each folder in the dovecot-acl file? I also cannot seem to create folders under the shared inbox.
Thanks.
Below is the output of /mnt/mail/acl/shared-mailboxes
shared/shared-boxes/group/accounting/accounting 1
shared/shared-boxes/group/team1/team1 1
shared/shared-boxes/group/team2/team2 1
Below is the output of dovecot -n
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-22-pve x86_64 Debian 7.3 nfs
auth_mechanisms = plain login
auth_username_format = %n
mail_debug = yes
mail_location = maildir:/mnt/mail/mailboxes/%n/Maildir:INDEX=/var/local/dovecot-indexes/%n
mail_plugins = acl
mail_shared_explicit_inbox = no
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  list = yes
  location = maildir:/mnt/mail/mailboxes/%%n/Maildir:INDEX=/var/local/dovecot-shared/%%n
  prefix = ZGroup/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  acl = vfile
  acl_defaults_from_inbox = yes
  acl_shared_dict = file:/mnt/mail/acl/shared-mailboxes
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = " imap lmtp sieve"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-postlogin {
  executable = script-login /usr/local/bin/postlogin.py
  user = vmail
}
service imap {
  executable = imap imap-postlogin
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
  user = vmail
}
ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocol lmtp {
  mail_plugins = quota sieve
}
protocol lda {
  mail_plugins = quota sieve
}
protocol imap {
  mail_plugins = acl imap_acl
}
On 24/01/2014, at 8:40 PM, Alex Ferrara <alex@receptiveit.com.au> wrote:
Any ideas?
aF
On Fri, 24 Jan 2014, Alex Ferrara wrote:
> I have been able to get the inbox of the shared mailbox to appear in Thunderbird, but I would like to allow all subfolders to have the same ACLs. Is there a way to do this without having an ACL entry for each folder in the dovecot-acl file?
No, currently you need one file per mailbox.
> I also cannot seem to create folders under the shared inbox.
If the accessing user has the "k"-permission, there might be problems with the unix file permissions. Latter logs errors. I think I remember something that you cannot give ACLs to the top most root of some mail storages, e.g. in Maildir Maildir/dovecot-acl applies to the INBOX and there is no file for the "/" or something like that. Can you create a new mailbox below, say, the INBOX?
Steffen Kaiser
On Tue, 28 Jan 2014, Steffen Kaiser wrote:
> On Fri, 24 Jan 2014, Alex Ferrara wrote:
>> I have been able to get the inbox of the shared mailbox to appear in Thunderbird, but I would like to allow all subfolders to have the same ACLs. Is there a way to do this without having an ACL entry for each folder in the dovecot-acl file?
> No, currently you need one file per mailbox.
Oh, see http://hg.dovecot.org/dovecot-2.2/rev/9376bf098692 and the message from Thomas Leuxner "New global ACL mailbox pattern feature in HG"
Steffen Kaiser
On 28/01/2014, at 6:37 PM, Steffen Kaiser <skdovecot@smail.inf.fh-brs.de> wrote:
> On Fri, 24 Jan 2014, Alex Ferrara wrote:
>> I have been able to get the inbox of the shared mailbox to appear in Thunderbird, but I would like to allow all subfolders to have the same ACLs. Is there a way to do this without having an ACL entry for each folder in the dovecot-acl file?
> No, currently you need one file per mailbox.
Thanks for the pointer Steffen. Since I am migrating from an established Cyrus installation, I thought that I would be smart about this and make a little script. I have made the script available at the bottom of this message if anyone is interested.
>> I also cannot seem to create folders under the shared inbox.
> If the accessing user has the "k"-permission, there might be problems with the unix file permissions. Latter logs errors. I think I remember something that you cannot give ACLs to the top most root of some mail storages, e.g. in Maildir Maildir/dovecot-acl applies to the INBOX and there is no file for the "/" or something like that. Can you create a new mailbox below, say, the INBOX?
This is still a problem for me. I can create folders on subfolders of the shared folder, but not under the shared folder itself. I have set "mail_shared_explicit_inbox = no" so the shared folder is the inbox.
If I change "mail_shared_explicit_inbox = yes" then I can create folders underneath the inbox, but still not in the top level. Folders that are already there from the migration work fine. The current configuration I have does not have an inbox per shared mailbox, so I would prefer to replicate that if possible.
I am a little unsure what to try next as I have turned on debug logging and there is no entry in the logs when I unsuccessfully try to create a folder under the top level.
dupacl.sh
#!/bin/bash
# dupacl.sh: clone the ACL of a shared mailbox's INBOX to all of its child folders

# Split on newlines only, so that the one-name-per-line output of the shared
# mailbox list (and folder paths containing spaces) survive the loops below.
IFS_BAK=$IFS
IFS=$'\n'

MAILROOT='/mnt/mail/mailboxes'
MAILUSER='vmail'
MAILGROUP='vmail'
SHAREDFILE='/etc/dovecot/shared-mailboxes'

function usage {
    echo -e "Dovecot ACL tool\n"
    echo -e "The purpose of this tool is to clone the ACL of the inbox to all child folders\n"
    echo -e "$0 [ mailbox | -all | -new ]"
    exit 1
}

function cloneacl {
    MAILBOX="$MAILROOT/$1/Maildir"
    ACLFILE="$MAILBOX/dovecot-acl"

    if [ -d "$MAILBOX" ]; then
        echo "Working on mailbox $1..."

        # Make sure we have an ACL file
        if [ -f "$ACLFILE" ]; then
            if [ "$2" == "-new" ]; then
                echo "Found ACL file in mailbox $1. Skipping"
                return
            fi
        else
            echo "ACL file does not exist. Creating one"
            echo "group=$1 lrwstipekxa" > "$ACLFILE"
            chown "$MAILUSER:$MAILGROUP" "$ACLFILE"
        fi

        # Copy the ACL file to sub directories (Maildir++ folders are dot-directories)
        for dir in $(find "$MAILBOX" -type d -name ".*"); do
            cp -av "$ACLFILE" "$dir/"
        done

        # Remove the dovecot-acl-list to make the mailboxes appear
        if [ -f "$ACLFILE-list" ]; then
            rm "$ACLFILE-list"
        fi
    else
        echo "Mailbox $1 does not exist"
        exit 1
    fi
}

if [ "$1" == "-all" -o "$1" == "-new" ]; then
    # The mailbox name is the fourth path component of each shared/... key
    SHARED=$(grep shared/ "$SHAREDFILE" | cut -d / -f 4)
    for mailbox in $SHARED; do
        cloneacl "$mailbox" "$1"
    done
elif [ -n "$1" ]; then
    cloneacl "$1" -single
else
    usage
fi

IFS=$IFS_BAK
IFS_BAK=
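A companion check to the copying approach above, added here as an example and not part of the thread or of dupacl.sh: once one dovecot-acl file per folder is in place, the risk is that the copies drift apart (a folder created later without an ACL, or one edited by hand). The script below walks one shared mailbox's Maildir, reports subfolders whose dovecot-acl is missing or differs from the INBOX one, and lists every entry that carries the "a" (administer) right, which the thread's own "group=<name> lrwstipekxa" line grants to every member of the group. The Maildir tree and ACL lines it runs on are constructed in make_fixture; it assumes the letter form of rights used in the thread and the Maildir++ layout of dot-directories directly under the Maildir root.

```shell
#!/bin/sh
# Added example (not from the thread): audit the dovecot-acl files under one
# shared mailbox's Maildir for drift from the INBOX ACL and for admin grants.
# The fixture paths and ACL lines are constructed for the demo; rights are
# assumed to be in the letter form used in the thread ("lrwstipekxa").
export LC_ALL=C

# ACL file with blank lines dropped and entries sorted, so that line order
# alone does not count as drift.
normalise_acl() {
    grep -v '^[[:space:]]*$' "$1" | sort
}

# check_acl_drift MAILDIR
# Prints "MISSING <folder>" or "DRIFT <folder>" per finding; returns 1 if any.
check_acl_drift() {
    local maildir="$1" root_acl tmp dir name findings=0
    root_acl="$maildir/dovecot-acl"
    if [ ! -f "$root_acl" ]; then
        echo "MISSING INBOX"
        return 1
    fi
    tmp=$(mktemp "${TMPDIR:-/tmp}/aclaudit.XXXXXX")
    normalise_acl "$root_acl" > "$tmp"
    # Maildir++ keeps each subfolder as a dot-directory directly under the root.
    for dir in "$maildir"/.*; do
        name="${dir##*/}"
        case "$name" in .|..) continue ;; esac
        [ -d "$dir" ] || continue
        if [ ! -f "$dir/dovecot-acl" ]; then
            echo "MISSING $name"
            findings=1
        elif ! normalise_acl "$dir/dovecot-acl" | cmp -s "$tmp" -; then
            echo "DRIFT $name"
            findings=1
        fi
    done
    rm -f "$tmp"
    return "$findings"
}

# list_admin_grants MAILDIR
# Prints "<folder> <identifier>" for every ACL entry whose rights include "a"
# (administer): such an identifier may rewrite the folder's ACL itself.
list_admin_grants() {
    local maildir="$1" dir name ident rights
    for dir in "$maildir" "$maildir"/.*; do
        name="${dir##*/}"
        case "$name" in .|..) continue ;; esac
        [ -f "$dir/dovecot-acl" ] || continue
        if [ "$dir" = "$maildir" ]; then name=INBOX; fi
        normalise_acl "$dir/dovecot-acl" | while read -r ident rights; do
            case "$rights" in *a*) echo "$name $ident" ;; esac
        done
    done
}

# make_fixture: constructed Maildir tree (prints its path). .Sent matches the
# INBOX ACL, .Archive carries a different one, .Drafts has none.
make_fixture() {
    local root
    root=$(mktemp -d "${TMPDIR:-/tmp}/aclfixture.XXXXXX")
    mkdir -p "$root/Maildir/.Sent" "$root/Maildir/.Archive" "$root/Maildir/.Drafts"
    printf 'group=accounting lrwstipekxa\n' > "$root/Maildir/dovecot-acl"
    printf 'group=accounting lrwstipekxa\n' > "$root/Maildir/.Sent/dovecot-acl"
    printf 'group=accounting lrws\nanyone lr\n' > "$root/Maildir/.Archive/dovecot-acl"
    echo "$root/Maildir"
}

# Stand-alone demo on the constructed tree.
demo=$(make_fixture)
echo "== ACL drift under $demo =="
check_acl_drift "$demo" || echo "(findings listed above)"
echo "== entries granting the admin right =="
list_admin_grants "$demo"
rm -rf "$(dirname "$demo")"
```

Point check_acl_drift at a real shared mailbox's Maildir (for example /mnt/mail/mailboxes/accounting/Maildir) to see which folders dupacl.sh has not yet covered; a non-zero exit makes it usable from cron or a monitoring check. Whether the group should hold the "a" right at all is a policy decision, but list_admin_grants makes the grant visible instead of leaving it implicit in a long rights string.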