greetings ...
I got the following request from a customer where we run dovecot-2.3.15 on a debian server:
They have a public folder with all their project-related subfolders inside:
namespace {
location = maildir:/home/vmail/oeffentlich
prefix = Oeffentlich/
separator = /
subscriptions = yes
type = public
}
So far we don't have the mail_plugin ACL enabled.
They want to be able to create project folders that aren't move/delete/rename-able by the users, only by some admins.
But the users should be allowed to move mails between different project folders etc.
As far as I understand we can do that with Dovecot ACLs (although I am still figuring out how to properly design them ...).
My questions:
- if I enable the mail_plugin for ACLs, does that in any way change the behavior of existing mailboxes?
As far as I understand: no. Only if ACL lists exist in the various mailboxes do these get applied, right?
I don't want to break things, and I want to avoid additional complexity for the non-public user mailboxes etc
Maybe I can enable the plugin only for that public namespace?
- maybe someone has a link to a similar setup?
thanks in advance, Stefan
On 30.07.21 at 11:53, Stefan G. Weichinger wrote:
greetings ...
I got the following request from a customer where we run dovecot-2.3.15 on a debian server:
They have a public folder with all their project-related subfolders inside:
namespace {
location = maildir:/home/vmail/oeffentlich
prefix = Oeffentlich/
separator = /
subscriptions = yes
type = public
}
I tried to enable the acl plugin now, following
https://doc.dovecot.org/settings/plugin/acl/
I chose:
plugin {
# Without global ACLs:
acl = vfile
[..]
}
# doveadm mailbox list -u myuser@domain.net
lists folder/mailbox "Oeffentlich"
but I get:
# doveadm mailbox list -u myuser@domain.net
... "Error: Can't open mailbox Oeffentlich: Mailbox doesn't exist: Oeffentlich"
# ls -l /home/vmail/oeffentlich/
insgesamt 380
-rw------- 1 vmail vmail 0 Aug 2 19:40 dovecot-acl-list
If I turn off the ACL plugin, the folder and subfolders are there.
Setting also fails (executed as root):
# doveadm -Dv acl set "Oeffentlich" "myuser@domain.net" lookup read write write-seen write-deleted insert delete expunge create
... "Error: Can't open mailbox Oeffentlich: Mailbox doesn't exist: Oeffentlich"
It is located in:
# ls -l /home/vmail/
insgesamt 160
[other domains]
drwx------ 2 vmail vmail 16384 Apr 21 2020 lost+found
drwx------ 3446 vmail vmail 135168 Aug 2 19:44 oeffentlich
I also tried with "oeffentlich" .. lowercase.
pls advise ...
On 02.08.21 at 19:55, Stefan G. Weichinger wrote:
# doveadm mailbox list -u myuser@domain.net
lists folder/mailbox "Oeffentlich"
but I get: # doveadm mailbox list -u myuser@domain.net
Wrong paste here, sorry.
I meant
doveadm -Dv acl get -u myuser@domain.net "Oeffentlich"
->
... "Error: Can't open mailbox Oeffentlich: Mailbox doesn't exist: Oeffentlich"
On 02.08.21 at 19:59, Stefan G. Weichinger wrote:
... "Error: Can't open mailbox Oeffentlich: Mailbox doesn't exist: Oeffentlich"
Additional info from the conf:
namespace {
type = private
separator = /
prefix =
#location defaults to mail_location.
inbox = yes
}
namespace {
type = public
separator = /
prefix = Oeffentlich/
location = maildir:/home/vmail/oeffentlich
subscriptions = yes
}
That "subscriptions = yes" is different from the example at
https://doc.dovecot.org/configuration_manual/shared_mailboxes/public_shared/...
(last block).
On 03.08.21 at 13:31, Stefan G. Weichinger wrote:
On 02.08.21 at 21:07, Stefan G. Weichinger wrote:
On 02.08.21 at 19:59, Stefan G. Weichinger wrote:
... "Error: Can't open mailbox Oeffentlich: Mailbox doesn't exist: Oeffentlich"
*bump* ... anyone?
Should I ask somewhere else?
I created another public folder on a test machine here.
# doveconf -n
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-17-amd64 x86_64 Debian 10.10
# Hostname: tx100.lan.oops.co.at
auth_mechanisms = plain login
disable_plaintext_auth = no
login_trusted_networks = 172.32.99.0/24
mail_location = maildir:~/Maildir
mail_plugins = " acl"
namespace {
hidden = no
inbox = no
location = maildir:/var/mail/public
prefix = public.
separator = .
subscriptions = no
type = public
}
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = session=yes dovecot
driver = pam
}
plugin {
acl = vfile
}
protocols = " imap"
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0600
user = postfix
}
}
service imap-login {
inet_listener imap {
address = 172.32.99.6
port = 143
}
process_min_avail = 1
}
ssl = no
userdb {
args = blocking=no
driver = passwd
}
protocol imap {
mail_plugins = " acl imap_acl"
}
protocol lda {
mail_plugins = " acl"
}
# ls -l /var/mail/
insgesamt 4272
drwxrwsr-x 2 root mail 4096 Aug 4 15:11 public
-rw------- 1 root mail 2294634 Apr 16 08:16 root
-rw------- 1 sgw mail 2062324 Apr 20 11:53 sgw
The mailbox "public" gets listed here:
Debug: Skipping module doveadm_expire_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_expire_plugin.so: undefined symbol: expire_set_deinit (this is usually intentional, so just ignore this message)
Debug: Skipping module doveadm_quota_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_quota_plugin.so: undefined symbol: quota_user_module (this is usually intentional, so just ignore this message)
Debug: Skipping module doveadm_fts_lucene_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib20_doveadm_fts_lucene_plugin.so: undefined symbol: lucene_index_iter_deinit (this is usually intentional, so just ignore this message)
Debug: Skipping module doveadm_fts_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib20_doveadm_fts_plugin.so: undefined symbol: fts_user_get_language_list (this is usually intentional, so just ignore this message)
Debug: Skipping module doveadm_mail_crypt_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/libdoveadm_mail_crypt_plugin.so: undefined symbol: mail_crypt_box_get_pvt_digests (this is usually intentional, so just ignore this message)
doveadm(sgw)<10564><>: Debug: auth USER input: sgw system_groups_user=sgw uid=1000 gid=1000 home=/home/sgw
doveadm(sgw): Debug: Effective uid=1000, gid=1000, home=/home/sgw
doveadm(sgw): Debug: acl: No acl_shared_dict setting - shared mailbox listing is disabled
doveadm(sgw): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/Maildir
doveadm(sgw): Debug: maildir++: root=/home/sgw/Maildir, index=, indexpvt=, control=, inbox=/home/sgw/Maildir, alt=
doveadm(sgw): Debug: acl: initializing backend with data: vfile
doveadm(sgw): Debug: acl: acl username = sgw
doveadm(sgw): Debug: acl: owner = 1
doveadm(sgw): Debug: acl vfile: Global ACLs disabled
doveadm(sgw): Debug: Namespace : type=public, prefix=public., sep=., inbox=no, hidden=no, list=yes, subscriptions=no location=maildir:/var/mail/public
doveadm(sgw): Debug: maildir++: root=/var/mail/public, index=, indexpvt=, control=, inbox=, alt=
doveadm(sgw): Debug: acl: initializing backend with data: vfile
doveadm(sgw): Debug: acl: acl username = sgw
doveadm(sgw): Debug: acl: owner = 0
doveadm(sgw): Debug: acl vfile: Global ACLs disabled
doveadm(sgw): Debug: acl vfile: file /home/sgw/Maildir/dovecot-acl not found
[..]
doveadm(sgw): Debug: acl vfile: reading file /var/mail/public/dovecot-acl
doveadm(sgw): Debug: Namespace public.: Using permissions from /var/mail/public: mode=0775 gid=default
public # HERE INBOX
but this fails:
# doveadm -Dv acl set -u sgw "public" sgw lr
Debug: Loading modules from directory: /usr/lib/dovecot/modules
Debug: Module loaded: /usr/lib/dovecot/modules/lib01_acl_plugin.so
Debug: Loading modules from directory: /usr/lib/dovecot/modules/doveadm
Debug: Module loaded: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_acl_plugin.so
Debug: Skipping module doveadm_expire_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_expire_plugin.so: undefined symbol: expire_set_deinit (this is usually intentional, so just ignore this message)
Debug: Skipping module doveadm_quota_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_quota_plugin.so: undefined symbol: quota_user_module (this is usually intentional, so just ignore this message)
Debug: Skipping module doveadm_fts_lucene_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib20_doveadm_fts_lucene_plugin.so: undefined symbol: lucene_index_iter_deinit (this is usually intentional, so just ignore this message)
Debug: Skipping module doveadm_fts_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib20_doveadm_fts_plugin.so: undefined symbol: fts_user_get_language_list (this is usually intentional, so just ignore this message)
Debug: Skipping module doveadm_mail_crypt_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/libdoveadm_mail_crypt_plugin.so: undefined symbol: mail_crypt_box_get_pvt_digests (this is usually intentional, so just ignore this message)
doveadm(sgw)<10640><>: Debug: auth USER input: sgw system_groups_user=sgw uid=1000 gid=1000 home=/home/sgw
doveadm(sgw): Debug: Effective uid=1000, gid=1000, home=/home/sgw
doveadm(sgw): Debug: acl: No acl_shared_dict setting - shared mailbox listing is disabled
doveadm(sgw): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/Maildir
doveadm(sgw): Debug: maildir++: root=/home/sgw/Maildir, index=, indexpvt=, control=, inbox=/home/sgw/Maildir, alt=
doveadm(sgw): Debug: acl: initializing backend with data: vfile
doveadm(sgw): Debug: acl: acl username = sgw
doveadm(sgw): Debug: acl: owner = 1
doveadm(sgw): Debug: acl vfile: Global ACLs disabled
doveadm(sgw): Debug: Namespace : type=public, prefix=public., sep=., inbox=no, hidden=no, list=yes, subscriptions=no location=maildir:/var/mail/public
doveadm(sgw): Debug: maildir++: root=/var/mail/public, index=, indexpvt=, control=, inbox=, alt=
doveadm(sgw): Debug: acl: initializing backend with data: vfile
doveadm(sgw): Debug: acl: acl username = sgw
doveadm(sgw): Debug: acl: owner = 0
doveadm(sgw): Debug: acl vfile: Global ACLs disabled
doveadm(sgw): Error: Can't open mailbox public: Mailbox doesn't exist: public
I tried to "rm /var/mail/public/dovecot-acl-list" and edit /var/mail/public/dovecot-acl:
# cat /var/mail/public/dovecot-acl
anyone lr
user=sgw lrwstipekxa
No success.
What's my mistake?
tia
On 04/08/2021 15:18 Stefan G. Weichinger lists@xunil.at wrote:
On 03.08.21 at 13:31, Stefan G. Weichinger wrote:
On 02.08.21 at 21:07, Stefan G. Weichinger wrote:
On 02.08.21 at 19:59, Stefan G. Weichinger wrote:
... "Error: Can't open mailbox Oeffentlich: Mailbox doesn't exist: Oeffentlich"
*bump* ... anyone?
Should I ask somewhere else?
Hi,
I would suggest using 2.3.15 also for testing.
It seems to me that you are trying to use the namespace prefix itself as mailbox rather than an actual mailbox ("public.foo" for example).
Did you see these docs:
- https://doc.dovecot.org/configuration_manual/shared_mailboxes/public_shared/...
- https://doc.dovecot.org/configuration_manual/mail_location/Maildir/
Markus
On 05.08.21 at 10:00, Markus Valentin wrote:
Hi,
I would suggest using 2.3.15 also for testing.
Will do, thanks
It seems to me that you are trying to use the namespace prefix itself as mailbox rather than an actual mailbox ("public.foo" for example).
Yes, that's also my assumption.
Did you see these docs:
Been there 10 times ;-) to recheck my settings.
not for a long time
How would I proceed to turn on ACLs for an existing public namespace? How to apply the "default" ACLs?
Create acl-files in all first level mailboxes?
There are ~5500 directories in there, I have to make sure to not break things.
The main goal is:
only allow some admins to create and rename project-mailboxes
the rest of the users should not be able to create/move/remove these mailboxes, but should be able to move mails between them
thanks
I now solved most of my problems here and have a test setup that does what it should do.
We only hit the issue that deleting a folder from the public namespace fails because of this issue:
https://dovecot.org/list/dovecot/2011-May/059315.html
That is 10 years old ... is there a valid solution maybe?
(yes, I will try to find something as well)
We currently use a global ACL file and have 3 users in with full "lrwstipekxa" permissions.
Toggling off Thunderbird's use of Trash isn't really wanted ...
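Added example, not code from the thread or from Dovecot: a small Python audit of a per-mailbox dovecot-acl file (the "identifier rights" format shown above) against the policy Stefan describes, i.e. only admins hold create/delete (k/x) while every user still holds r/i/t/e so mails can be moved between project folders. The identifiers and right letters are the ones Dovecot documents; the rule used to combine matching entries (union of positive entries, then subtraction of "-" entries) is a simplified model assumed here, not Dovecot's own resolver, and the user names in the sample are constructed.

```python
# Rights as Dovecot documents them: l lookup, r read, w write, s write-seen, t write-deleted,
# i insert, p post, e expunge, k create, x delete (mailbox), a admin
RIGHTS = set("lrwstipekxa")

def parse_acl(text):
    """Parse 'identifier rights' lines (the per-mailbox dovecot-acl format)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        ident, rights = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        negative = rights.startswith("-")  # a '-' prefix removes rights
        letters = set(rights.lstrip("-"))
        if letters - RIGHTS:
            raise ValueError(f"unknown right(s) {sorted(letters - RIGHTS)} in {raw!r}")
        entries.append((ident, letters, negative))
    return entries

def matches(ident, user, groups, is_owner):
    # Does an ACL identifier apply to this (authenticated) user?
    if ident in ("anyone", "authenticated"):
        return True
    if ident == "owner":
        return is_owner
    if ident.startswith("user="):
        return ident[len("user="):] == user
    if ident.startswith(("group=", "group-override=")):
        return ident.split("=", 1)[1] in groups
    return False

def effective_rights(entries, user, groups=(), is_owner=False):
    """ASSUMED model: union of matching positive entries minus matching '-' entries."""
    granted, denied = set(), set()
    for ident, letters, negative in entries:
        if matches(ident, user, groups, is_owner):
            (denied if negative else granted).update(letters)
    return granted - denied

def check_policy(acl_text, admins, users):
    """Findings: non-admins holding k/x, and users who lack r/i/t/e needed to move mails."""
    entries = parse_acl(acl_text)
    findings = []
    for user in users:
        eff = effective_rights(entries, user)
        extra = eff & set("kx")
        if user not in admins and extra:
            findings.append(f"{user}: can create/delete mailboxes ({''.join(sorted(extra))})")
        missing = set("rite") - eff
        if missing:
            findings.append(f"{user}: cannot move mails, missing {''.join(sorted(missing))}")
    return findings

# Constructed sample modelled on the thread's 'anyone lr' / 'user=sgw lrwstipekxa' file.
SAMPLE_ACL = """\
anyone lr
authenticated lrwstipe
user=admin1 lrwstipekxa
user=intern lrwstipekx
"""
```

Running `check_policy(SAMPLE_ACL, {"admin1"}, ["admin1", "alice", "intern"])` flags only the constructed "intern" entry, which has k/x without being an admin.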