shared folder name or public folder with mail address
Hello!
we are about to move from cyrus to dovecot and have one open issue for that migration. With cyrus we have "shared/" folders with a name that is self defined like shared/project-xyz but the email address for direct delivery to that folder my be different (not project-xyz@domain.com).
With dovecot we try to have it similar (at least how the user sees it in the client) like it is now.
When configuring a namespace of type=shared, I see in the docs the the prefix can be configured with %%u , %%n or %%d. But is it possible to configure the name different to the email address? E.g. to hide the email address of that folder and show a nice name instead?
I also thought about using public namespace instead. Does this make sense here? With public (maybe configured with prefix=shared/) folder I can set any name as subdir in prefix, right? So would this be more like what we have with cyrus shared folder?
If so, how could these public folders have an email address for direct mail delivery into? Can something like a global sieve rule do that? Or can a public folder have an email address?
Thanks in advance. Armin
On 14 Feb 2020, at 11:06, Armin Schindler wrote:
Hello!
we are about to move from cyrus to dovecot and have one open issue for that migration. With cyrus we have "shared/" folders with a name that is self defined like shared/project-xyz but the email address for direct delivery to that folder my be different (not project-xyz@domain.com).
With dovecot we try to have it similar (at least how the user sees it in the client) like it is now.
When configuring a namespace of type=shared, I see in the docs the the prefix can be configured with %%u , %%n or %%d. But is it possible to configure the name different to the email address? E.g. to hide the email address of that folder and show a nice name instead?
I also thought about using public namespace instead. Does this make sense here? With public (maybe configured with prefix=shared/) folder I can set any name as subdir in prefix, right? So would this be more like what we have with cyrus shared folder?
If so, how could these public folders have an email address for direct mail delivery into? Can something like a global sieve rule do that? Or can a public folder have an email address?
Thanks in advance. Armin
Hi, we went through this some years ago. It is a bit tricky in the details. Involved is postfix, public namespace, subscriptions, acl, sieve.
We found a quite comprehensive solution so far. It is working similar to Cyrus shared folder. Do not mix the names. Cyrus „shared“ folders are „public“ folders in Dovecot. Dovecot „shared“ folders are personally shared folders from one user to another.
For our new setup (planned with CentOS 8, waiting for the official repo for the latest dovecot version…) we have a prototype on Debian base with the latest version of Dovecot. In opposite to our current solution we will implement global acls with user and groups from LDAP. This is very nice.
Some elements:
Global ACL:
[..]
Newsletter group=administrator lrwstipekxa
Newsletter/* group=team lrwstipe
Newsletter/* user=name@domain.tld lrwstipe
[…]
Public folder:
namespace {
type = public
prefix = Newsletter/
separator = /
location =
maildir:/var/vmail/public/$DOMAIN/newsletter:LAYOUT=fs:INDEXPVT=~/public/$DOMAIN/newsletter
subscriptions = no
hidden = no
list = children
}
Subscriptions (! This one was tricky)
namespace subscriptions {
subscriptions = yes
prefix =
separator = /
list = no
hidden = yes
}
namespace inbox {
inbox = yes
separator = /
prefix = INBOX/
subscriptions = no
[…]
„Dovecot“ Shared folder (optional):
namespace shared {
type = shared
separator = /
prefix = Shared/%%u/
location = maildir:%%h/:INDEXPVT=~/shared/%%u
list = children
subscriptions = no
}
The sorting in the according public folder happens in a global sieve script before user scripts are fireing. It is combined with the ‚+‘ notation in postfix for sub addresses and an special ‚listadm‘ user
postfix:
listadm+Verteiler/info@$DOMAIN
The sieve script is then reading the generated address and delivers it into the according public folder. We learned a lot about sieve scripting with this task :-)
sieve_before = /var/vmail/sieve/global/global-before.sieve
[…]
More details would be to much here.
To be honest, we needed some time to get it done properly. It is a combination of features and A LOT OF testing and analysing the behaviour of postfix/dovecot/public-folder/sieve/acl. For now we have a Public folder setup which is as nice like it is with Cyrus. With Cyrus this issue is less complex to implement.
Maybe this helps a bit. Take exclusivly one to two weeks for this task and read and test a lot! :-)
Tobias
-- collect@shift.agency
On 2/14/20 11:44 AM, Tobias Kirchhofer wrote:
On 14 Feb 2020, at 11:06, Armin Schindler wrote:
Hello! we are about to move from cyrus to dovecot and have one open issue for that migration. With cyrus we have "shared/" folders with a name that is self defined like shared/project-xyz but the email address for direct delivery to that folder my be different (not project-xyz@domain.com <mailto:project-xyz@domain.com>). With dovecot we try to have it similar (at least how the user sees it in the client) like it is now. When configuring a namespace of type=shared, I see in the docs the the prefix can be configured with %%u , %%n or %%d. But is it possible to configure the name different to the email address? E.g. to hide the email address of that folder and show a nice name instead? I also thought about using public namespace instead. Does this make sense here? With public (maybe configured with prefix=shared/) folder I can set any name as subdir in prefix, right? So would this be more like what we have with cyrus shared folder? If so, how could these public folders have an email address for direct mail delivery into? Can something like a global sieve rule do that? Or can a public folder have an email address? Thanks in advance. ArminHi, we went through this some years ago. It is a bit tricky in the details. Involved is postfix, public namespace, subscriptions, acl, sieve.
We found a quite comprehensive solution so far. It is working similar to Cyrus shared folder. Do not mix the names. Cyrus „shared“ folders are „public“ folders in Dovecot. Dovecot „shared“ folders are personally shared folders from one user to another.
For our new setup (planned with CentOS 8, waiting for the official repo for the latest dovecot version…) we have a prototype on Debian base with the latest version of Dovecot. In opposite to our current solution we will implement global acls with user and groups from LDAP. This is very nice.
Wow, thanks. This seem to be exactly what I need to go on. Our base system is a Univention UCS, so LDAP users and groups is what we already have working :-)
With your elements I think we really could have the cyrus shared folders with dovecot by using a namespace of type=public but with prefix=shared/ (we might use type=shared with prefix=usershared/ later).
Or is the idea of just *one* public folder with name "shared" and with subdirs for different "projects/departments/topics" not working as expected?
ACL is something I didn't look at yet. Is it possible to set different permissions for the folders in the public prefix like /shared/dir1 , /shared/dir2 , etc. or even for sub-subfolders? Global ACLs aren't neccessary when using folder acls, right?
Armin
Some elements:
Global ACL: | [..] Newsletter group=administrator lrwstipekxa Newsletter/* group=team lrwstipe Newsletter/* user=name@domain.tld lrwstipe […] |
Public folder: | namespace { type = public prefix = Newsletter/ separator = / location = maildir:/var/vmail/public/$DOMAIN/newsletter:LAYOUT=fs:INDEXPVT=~/public/$DOMAIN/newsletter subscriptions = no hidden = no list = children } |
Subscriptions (! This one was tricky)
namespace subscriptions { subscriptions = yes prefix = separator = / list = no hidden = yes } namespace inbox { inbox = yes separator = / prefix = INBOX/ subscriptions = no […]„Dovecot“ Shared folder (optional): | namespace shared { type = shared separator = / prefix = Shared/%%u/ location = maildir:%%h/:INDEXPVT=~/shared/%%u list = children subscriptions = no } |
The sorting in the according public folder happens in a global sieve script before user scripts are fireing. It is combined with the ‚+‘ notation in postfix for sub addresses and an special ‚listadm‘ user
postfix: | listadm+Verteiler/info@$DOMAIN |
The sieve script is then reading the generated address and delivers it into the according public folder. We learned a lot about sieve scripting with this task :-)
|sieve_before = /var/vmail/sieve/global/global-before.sieve […] |
More details would be to much here.
To be honest, we needed some time to get it done properly. It is a combination of features and A LOT OF testing and analysing the behaviour of postfix/dovecot/public-folder/sieve/acl. For now we have a Public folder setup which is as nice like it is with Cyrus. With Cyrus this issue is less complex to implement.
Maybe this helps a bit. Take exclusivly one to two weeks for this task and read and test a lot! :-)
Tobias
-- collect@shift.agency mailto:collect@shift.agency
On 14 Feb 2020, at 14:05, Armin Schindler wrote:
On 2/14/20 11:44 AM, Tobias Kirchhofer wrote:
On 14 Feb 2020, at 11:06, Armin Schindler wrote:
Hello!
[…]
For our new setup (planned with CentOS 8, waiting for the official repo for the latest dovecot version…) we have a prototype on Debian base with the latest version of Dovecot. In opposite to our current solution we will implement global acls with user and groups from LDAP. This is very nice.
Wow, thanks. This seem to be exactly what I need to go on. Our base system is a Univention UCS, so LDAP users and groups is what we already have working :-)
With your elements I think we really could have the cyrus shared folders with dovecot by using a namespace of type=public but with prefix=shared/ (we might use type=shared with prefix=usershared/ later).
There is not something like one way do to this. You could also make your life easier and choose to create a „Share user“ which is only there to share folders. This will then be Dovecot „Shared folders“ shared by this pseudo user to other users. You then could use Roundcube or such to maintain acl with this pseudo user. But we did not follow this path then for reasons i cannot remember anymore :)
For each Public folder we have a defined namespace. „Newsletter“, „Client1“, „Client2“ etc. We have many, around 30 or so. ACL goes on this namespace (namespace/*). I guess ACL are first match. Each namespace has its own prefix. (eq. prefix = Newsletter/, prefix = Client1 etc.) User can subscribe namespace by namespace acl assumed.
But as i sad - by writing this i get nervous, cause i now that you must immerse deeply with this topic. Otherwise you will not get happy :)
Tobias
Or is the idea of just *one* public folder with name "shared" and with subdirs for different "projects/departments/topics" not working as expected?
ACL is something I didn't look at yet. Is it possible to set different permissions for the folders in the public prefix like /shared/dir1 , /shared/dir2 , etc. or even for sub-subfolders? Global ACLs aren't neccessary when using folder acls, right?
Armin […]
-- collect@shift.agency
On 2/14/20 2:23 PM, Tobias Kirchhofer wrote:
On 14 Feb 2020, at 14:05, Armin Schindler wrote:
On 2/14/20 11:44 AM, Tobias Kirchhofer wrote:
On 14 Feb 2020, at 11:06, Armin Schindler wrote:
Hello!
[…]
For our new setup (planned with CentOS 8, waiting for the official repo for the latest dovecot version…) we have a prototype on Debian base with the latest version of Dovecot. In opposite to our current solution we will implement global acls with user and groups from LDAP. This is very nice.
Wow, thanks. This seem to be exactly what I need to go on. Our base system is a Univention UCS, so LDAP users and groups is what we already have working :-)
With your elements I think we really could have the cyrus shared folders with dovecot by using a namespace of type=public but with prefix=shared/ (we might use type=shared with prefix=usershared/ later).
There is not something like one way do to this. You could also make your life easier and choose to create a „Share user“ which is only there to share folders. This will then be Dovecot „Shared folders“ shared by this pseudo user to other users. You then could use Roundcube or such to maintain acl with this pseudo user. But we did not follow this path then for reasons i cannot remember anymore :)
For each Public folder we have a defined namespace. „Newsletter“, „Client1“, „Client2“ etc. We have many, around 30 or so. ACL goes on this namespace (namespace/*). I guess ACL are first match. Each namespace has its own prefix. (eq. prefix = Newsletter/, prefix = Client1 etc.) User can subscribe namespace by namespace acl assumed.
What is the benefit using own namespace for each public folder? If the config is equal for all folders, wouldn't one namespace with subfolders be the same? One public namespace would look like it is with cyrus in the client: one "shared/" folder to open/close.
Armin
Armin Schindler armin.schindler@sysgo.com hat am 14. Februar 2020 15:02 geschrieben:
One public namespace would look like it is with cyrus in the client: one "shared/" folder to open/close.
That's right, but there is one important difference: Cyrus sorts those folders alphabetically, Dovecot doesn't. Dovecot guys say it's the client's job and that's also what the RFC says. So if you have many subfolders, e.g. one per order it can be a bit confusing. Thunderbird is sorting those folders, but not always. It seems to depend on when you refreshed the list last time and if it was cached.
- Chris
Hello Chris,
On 15.02.2020 09:45, chris2014@postbox.xyz wrote:
Armin Schindler armin.schindler@sysgo.com hat am 14. Februar 2020 15:02 geschrieben:
One public namespace would look like it is with cyrus in the client: one "shared/" folder to open/close.
That's right, but there is one important difference: Cyrus sorts those folders alphabetically, Dovecot doesn't. Dovecot guys say it's the client's job and that's also what the RFC says. So if you have many subfolders, e.g. one per order it can be a bit confusing. Thunderbird is sorting those folders, but not always. It seems to depend on when you refreshed the list last time and if it was cached.
thanks for the hint. I will check this in our environment.
Armin
On 14 Feb 2020, at 15:02, Armin Schindler wrote:
On 2/14/20 2:23 PM, Tobias Kirchhofer wrote:
On 14 Feb 2020, at 14:05, Armin Schindler wrote:
On 2/14/20 11:44 AM, Tobias Kirchhofer wrote:
On 14 Feb 2020, at 11:06, Armin Schindler wrote:
Hello!
[…]
For our new setup (planned with CentOS 8, waiting for the official repo for the latest dovecot version…) we have a prototype on Debian base with the latest version of Dovecot. In opposite to our current solution we will implement global acls with user and groups from LDAP. This is very nice.
Wow, thanks. This seem to be exactly what I need to go on. Our base system is a Univention UCS, so LDAP users and groups is what we already have working :-)
With your elements I think we really could have the cyrus shared folders with dovecot by using a namespace of type=public but with prefix=shared/ (we might use type=shared with prefix=usershared/ later).
There is not something like one way do to this. You could also make your life easier and choose to create a „Share user“ which is only there to share folders. This will then be Dovecot „Shared folders“ shared by this pseudo user to other users. You then could use Roundcube or such to maintain acl with this pseudo user. But we did not follow this path then for reasons i cannot remember anymore :)
For each Public folder we have a defined namespace. „Newsletter“, „Client1“, „Client2“ etc. We have many, around 30 or so. ACL goes on this namespace (namespace/*). I guess ACL are first match. Each namespace has its own prefix. (eq. prefix = Newsletter/, prefix = Client1 etc.) User can subscribe namespace by namespace acl assumed.
What is the benefit using own namespace for each public folder? If the config is equal for all folders, wouldn't one namespace with subfolders be the same? One public namespace would look like it is with cyrus in the client: one "shared/" folder to open/close.
Yes, this was a misunderstanding - we have a lot of subfolders per namespace. The subfolders have ACLs.
-- collect@shift.agency
On 14.02.2020 11:44, Tobias Kirchhofer wrote:
On 14 Feb 2020, at 11:06, Armin Schindler wrote: ...
The sorting in the according public folder happens in a global sieve script before user scripts are fireing. It is combined with the ‚+‘ notation in postfix for sub addresses and an special ‚listadm‘ user
postfix: | listadm+Verteiler/info@$DOMAIN |
The sieve script is then reading the generated address and delivers it into the according public folder. We learned a lot about sieve scripting with this task :-)
|sieve_before = /var/vmail/sieve/global/global-before.sieve […] |
More details would be to much here.
To be honest, we needed some time to get it done properly. It is a combination of features and A LOT OF testing and analysing the behaviour of postfix/dovecot/public-folder/sieve/acl.
the sieve part seems to be very tricky. My test is now working with a public folder and I have a "sieve_before" script in place which works for rules of the private namespace.
But when the rule shall "fileinto" a public folder, the mail isn't filtered (moved) and syslog says dovecot: lmtp(.): Error ... sieve...: Mailbox doesn't exist.
After some tests I found out it always looks in the private (or shared) namespace for that specfied folder. Do I miss a config option to let dovecot sieve "fileinto" a public namespace folder? I use dovecot version 2.2.13.
Armin
On 15 Feb 2020, at 10:43, Armin Schindler wrote:
On 14.02.2020 11:44, Tobias Kirchhofer wrote:
On 14 Feb 2020, at 11:06, Armin Schindler wrote: ...
The sorting in the according public folder happens in a global sieve script before user scripts are fireing. It is combined with the ‚+‘ notation in postfix for sub addresses and an special ‚listadm‘ user
postfix: | listadm+Verteiler/info@$DOMAIN |
The sieve script is then reading the generated address and delivers it into the according public folder. We learned a lot about sieve scripting with this task :-)
|sieve_before = /var/vmail/sieve/global/global-before.sieve […] |
More details would be to much here.
To be honest, we needed some time to get it done properly. It is a combination of features and A LOT OF testing and analysing the behaviour of postfix/dovecot/public-folder/sieve/acl.
the sieve part seems to be very tricky. My test is now working with a public folder and I have a "sieve_before" script in place which works for rules of the private namespace.
But when the rule shall "fileinto" a public folder, the mail isn't filtered (moved) and syslog says dovecot: lmtp(.): Error ... sieve...: Mailbox doesn't exist.
After some tests I found out it always looks in the private (or shared) namespace for that specfied folder. Do I miss a config option to let dovecot sieve "fileinto" a public namespace folder? I use dovecot version 2.2.13.
We „fileinto“ in this manner :
fileinto „Namespace/folder“;
The procedure in our setup is like this:
- Virtual alias for each public-Folder email address within postfix:
Pattern: folder@domain.tld listadm+Namespace/folder@domain.tld Example: info@domain.tld listadm+Verteiler/info@domain.tld
Verteiler is the namespace, info the mailbox. listadm is a pseudo user in this context which holds the ACL for fileinto the resulting mailbox with proper permissions.
- Disassemble the virtual alias address with sieve:
Excerpt of the script. It is actually more code because we sort out spam for public folder. German comments, sorry.
# Hat Subadresse?
if envelope :matches :detail "to" "*"
{
# Adressaufbau: listadm+Namespace/liste@
# ${liste} wird Namespace/box
set "liste" "${1}";
}
[…]
fileinto "${liste}";
I can send you the whole script if you need.
Greetings!
Tobias
-- collect@shift.agency
On 15.02.2020 12:16, Tobias Kirchhofer wrote: ...
the sieve part seems to be very tricky. My test is now working with a public folder and I have a "sieve_before" script in place which works for rules of the private namespace. But when the rule shall "fileinto" a public folder, the mail isn't filtered (moved) and syslog says dovecot: lmtp(.): Error ... sieve...: Mailbox doesn't exist. After some tests I found out it always looks in the private (or shared) namespace for that specfied folder. Do I miss a config option to let dovecot sieve "fileinto" a public namespace folder? I use dovecot version 2.2.13.We „fileinto“ in this manner :
|fileinto „Namespace/folder“; |
This is what is not working for me.
Your procedure below is good and maybe I will use parts of it, thank you. But this part is working for already. The incoming mail is sent to dovecot (postfix virtual alias working) and the match in sieve script is correct too. The problem is that dovecot (sieve) refuses to fileinto "Namespace/folder" because it seems it wants to store the mail in private namespace with "folder1/folder2" instead. The first part of the fileinto path isn't used as namespace name. Is there a config option for this behaviour?
Armin
The procedure in our setup is like this:
- Virtual alias for each public-Folder email address within postfix:
Pattern: folder@domain.tld mailto:folder@domain.tld listadm+Namespace/folder@domain.tld mailto:folder@domain.tld Example: info@domain.tld mailto:info@domain.tld listadm+Verteiler/info@domain.tld mailto:info@domain.tld
Verteiler is the namespace, info the mailbox. listadm is a pseudo user in this context which holds the ACL for fileinto the resulting mailbox with proper permissions.
- Disassemble the virtual alias address with sieve:
Excerpt of the script. It is actually more code because we sort out spam for public folder. German comments, sorry.
|# Hat Subadresse? if envelope :matches :detail "to" "*" { # Adressaufbau: listadm+Namespace/liste@ # ${liste} wird Namespace/box set "liste" "${1}"; } […] fileinto "${liste}"; |
I can send you the whole script if you need.
On 15 Feb 2020, at 12:27, Armin Schindler wrote:
On 15.02.2020 12:16, Tobias Kirchhofer wrote: ...
the sieve part seems to be very tricky. My test is now working with a public folder and I have a "sieve_before" script in place which works for rules of the private namespace. But when the rule shall "fileinto" a public folder, the mailisn't filtered (moved) and syslog says dovecot: lmtp(.): Error ... sieve...: Mailbox doesn't exist.
After some tests I found out it always looks in the private (orshared) namespace for that specfied folder. Do I miss a config option to let dovecot sieve "fileinto" a public namespace folder? I use dovecot version 2.2.13.
We „fileinto“ in this manner :
|fileinto „Namespace/folder“; |
This is what is not working for me.
Your procedure below is good and maybe I will use parts of it, thank you. But this part is working for already. The incoming mail is sent to dovecot (postfix virtual alias working) and the match in sieve script is correct too. The problem is that dovecot (sieve) refuses to fileinto "Namespace/folder" because it seems it wants to store the mail in private namespace with "folder1/folder2" instead. The first part of the fileinto path isn't used as namespace name. Is there a config option for this behaviour?
Maybe you are missing an include?
We have:
require "fileinto";
require "mailbox";
require "envelope";
require "subaddress";
require "variables";
require "regex";
require "editheader";
require "include";
In dovecot.conf* i found no directly related settings. Just the usual sieve settings explained here https://wiki.dovecot.org/Pigeonhole/Sieve/Configuration
Can you see the Public namespace and the folder in your MUA or via telnet?
Are you sure the ACL are correct? Can be that the error message „Mailbox doesn't exist“ is misleading and the permissions are not correct.
Here you can see how to debug if not already https://wiki.dovecot.org/Pigeonhole/Sieve/Configuration#Trace_Debugging
Armin
The procedure in our setup is like this:
- Virtual alias for each public-Folder email address within postfix:
Pattern: folder@domain.tld mailto:folder@domain.tld listadm+Namespace/folder@domain.tld mailto:folder@domain.tld Example: info@domain.tld mailto:info@domain.tld listadm+Verteiler/info@domain.tld mailto:info@domain.tld
Verteiler is the namespace, info the mailbox. listadm is a pseudo user in this context which holds the ACL for fileinto the resulting mailbox with proper permissions.
- Disassemble the virtual alias address with sieve:
Excerpt of the script. It is actually more code because we sort out spam for public folder. German comments, sorry.
|# Hat Subadresse? if envelope :matches :detail "to" "*" { # Adressaufbau: listadm+Namespace/liste@ # ${liste} wird Namespace/box set "liste" "${1}"; } […] fileinto "${liste}"; |
I can send you the whole script if you need.
-- collect@shift.agency
On 15.02.2020 14:45, Tobias Kirchhofer wrote:
On 15 Feb 2020, at 12:27, Armin Schindler wrote:
On 15.02.2020 12:16, Tobias Kirchhofer wrote: ... the sieve part seems to be very tricky. My test is now working with a public folder and I have a "sieve_before" script in place which works for rules of the private namespace. But when the rule shall "fileinto" a public folder, the mail isn't filtered (moved) and syslog says dovecot: lmtp(.): Error ... sieve...: Mailbox doesn't exist. After some tests I found out it always looks in the private (or shared) namespace for that specfied folder. Do I miss a config option to let dovecot sieve "fileinto" a public namespace folder? I use dovecot version 2.2.13. We „fileinto“ in this manner : |fileinto „Namespace/folder“; | This is what is not working for me. Your procedure below is good and maybe I will use parts of it, thank you. But this part is working for already. The incoming mail is sent to dovecot (postfix virtual alias working) and the match in sieve script is correct too. The problem is that dovecot (sieve) refuses to fileinto "Namespace/folder" because it seems it wants to store the mail in private namespace with "folder1/folder2" instead. The first part of the fileinto path isn't used as namespace name. Is there a config option for this behaviour?...
Are you sure the ACL are correct? Can be that the error message „Mailbox doesn't exist“ is misleading and the permissions are not correct.
You are correct. The message is misleading. And even worse, if I used fileinto :create "...." the folder was created in private namespace then.
The shared and public folders need of course the anyone post right to let fileinto work.
Now it works. Thank you Tobias.
Armin
On 15 Feb 2020, at 19:04, Armin Schindler wrote:
The shared and public folders need of course the anyone post right to let fileinto work.
Or you have a special „list user“ which has the appropriate permissions - depends all on the use case.
Now it works. Thank you Tobias.
Well done! :)
-- collect@shift.agency
participants (4)
-
Armin Schindler
-
Armin Schindler
-
chris2014@postbox.xyz
-
Tobias Kirchhofer