[Dovecot] Permissions in shared folders
Hi,
On my mail server I want to implement shared folders for each workgroup where there are many workgroups.
One way would be to create a separate namespace for each workgroup. However, this does not scale well so I decided to use a single Shared mailbox and use ACLs:
namespace public {
  separator = .
  prefix = Shared.
  location = maildir:/var/mail/shared:CONTROL=~/Maildir/shared
}
Each workgroup should get a subfolder in "Shared". Until now, this works, I create .Group1, .Group2 and assign correct group permissions and ACL files.
However, now a user from group1 wants to create a subfolder in his IMAP folder. Since the permissions for /var/mail/shared/.Group1 are correct (writeable to group1 and the user is member of group1 and 'k' ACL permissions are active) I would expect it to work.
However, for obvious reasons, the *sub*folder is created as
/var/mail/shared/.Group1.Subfolder
so it is actually not a subfolder in the sense of the filesystem but rather a folder inside /var/mail/shared.
However, the user does (and should) not have write permissions to /var/mail/shared (only to /var/mail/shared/.Group1).
Is there a way to overcome this problem? Why can't dovecot just use /var/mail/shared/.Group1/.Subfolder? Is there an option to do so? It would make everything a lot easier.
The one option is to make /var/mail/shared world-writeable - which is not really a good option.
A second option might be to use ACLs and give each group write permissions to /var/mail/shared. However, not even this seems very "clean" to me.
What is the best way to handle this?
Best regards, Luke
Dear list,
A dumb question: What exactly is the effect of the separator?
Is it also used to separate in the underlying file system? I.e. when I have the separator '/', the IMAP folder Sent/Jan is physically stored as
/home/lukas/Maildir/.Send/Jan/cur
? If this is true this would greatly solve my problem described at the bottom.
I have tried it myself; however, dovecot 1.2 does not allow creating a namespace with a separator different from my default namespace...
If this works, is there a convenient migration procedure possible to migrate from . to /? The Wiki just mentions the other way (/ --> .).
Best regards, Luke
Am 08.02.2011 11:33, schrieb Lukas Haase:
> Hi,
> On my mail server I want to implement shared folders for each workgroup where there are many workgroups.
> One way would be to create a separate namespace for each workgroup. However, this does not scale well so I decided to use a single Shared mailbox and use ACLs:
> namespace public {
>   separator = .
>   prefix = Shared.
>   location = maildir:/var/mail/shared:CONTROL=~/Maildir/shared
> }
> Each workgroup should get a subfolder in "Shared". Until now, this works, I create .Group1, .Group2 and assign correct group permissions and ACL files.
> However, now a user from group1 wants to create a subfolder in his IMAP folder. Since the permissions for /var/mail/shared/.Group1 are correct (writeable to group1 and the user is member of group1 and 'k' ACL permissions are active) I would expect it to work.
> However, for obvious reasons, the *sub*folder is created as
> /var/mail/shared/.Group1.Subfolder
> so it is actually not a subfolder in the sense of the filesystem but rather a folder inside /var/mail/shared.
> However, the user does (and should) not have write permissions to /var/mail/shared (only to /var/mail/shared/.Group1).
> Is there a way to overcome this problem? Why can't dovecot just use /var/mail/shared/.Group1/.Subfolder? Is there an option to do so? It would make everything a lot easier.
> The one option is to make /var/mail/shared world-writeable - which is not really a good option.
> A second option might be to use ACLs and give each group write permissions to /var/mail/shared. However, not even this seems very "clean" to me.
> What is the best way to handle this?
> Best regards, Luke
On 02/08/2011 08:54 AM, Lukas Haase wrote:
> Dear list,
> A dumb question: What exactly is the effect of the separator?
> Is it also used to separate in the underlying file system? I.e. when I have the separator '/', the IMAP folder Sent/Jan is physically stored as
As far as I understand, the separator is used in the context of IMAP only, and not the file system.
So a client using IMAP will open Folder1/subfolder or Folder1.subfolder depending on the separator.
Somebody can correct me if I'm wrong, but I don't believe it has an effect on the backend (besides disallowing the use of that character in a folder name).
Am 08.02.2011 18:14, schrieb Willie Gillespie:
> On 02/08/2011 08:54 AM, Lukas Haase wrote:
>> Dear list,
>> A dumb question: What exactly is the effect of the separator?
>> Is it also used to separate in the underlying file system? I.e. when I have the separator '/', the IMAP folder Sent/Jan is physically stored as
> As far as I understand, the separator is used in the context of IMAP only, and not the file system.
Dear Willie,
So if I understand correctly, if I set '/' as separator, the Maildir layout will still be
.Folder1.subfolder
?
Thank you for this hint, I think this is clear now.
> [...] Somebody can correct me if I'm wrong, but I don't believe it has an effect on the backend (besides disallowing the use of that character in a folder name).
Thank you for your reply!
Regards, Luke
On 02/08/2011 03:33 AM, Lukas Haase wrote:
> Hi,
> On my mail server I want to implement shared folders for each workgroup where there are many workgroups.
I did something similar with my small set up. A shared location for each work group. I set things up a little differently though. Instead of a public namespace, I made a shared namespace.
However, this entailed making a "user" for each work group which would share its folders with the appropriate group. Then I could set the ACLs to allow them to create folders, etc. and on the file system, they are stored in separate places.
On 8.2.2011, at 12.33, Lukas Haase wrote:
> namespace public {
>   separator = .
>   prefix = Shared.
>   location = maildir:/var/mail/shared:CONTROL=~/Maildir/shared

location = maildir:/var/mail/shared:INDEX=~/Maildir/shared

> }
> Each workgroup should get a subfolder in "Shared". Until now, this works, I create .Group1, .Group2 and assign correct group permissions and ACL files.
> However, now a user from group1 wants to create a subfolder in his IMAP folder. Since the permissions for /var/mail/shared/.Group1 are correct (writeable to group1 and the user is member of group1 and 'k' ACL permissions are active) I would expect it to work.
> However, for obvious reasons, the *sub*folder is created as
> /var/mail/shared/.Group1.Subfolder
> so it is actually not a subfolder in the sense of the filesystem but rather a folder inside /var/mail/shared.
Yep.
> However, the user does (and should) not have write permissions to /var/mail/shared (only to /var/mail/shared/.Group1).
> Is there a way to overcome this problem? Why can't dovecot just use /var/mail/shared/.Group1/.Subfolder? Is there an option to do so? It would make everything a lot easier.
location = maildir:/var/mail/shared:INDEX=~/Maildir/shared:LAYOUT=fs
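To make the difference between the two layouts concrete, here is an added Python sketch (not from the thread and not Dovecot's own path code) that maps an IMAP mailbox name in the "Shared." namespace to the directory Dovecot would create under the default Maildir++ layout versus LAYOUT=fs, and reports which existing directory therefore has to be writable for a CREATE to succeed. The root /var/mail/shared and the namespace prefix are taken from the config above; the separator argument also shows Willie's point that the IMAP separator is not used on disk.

```python
import posixpath

SHARED_ROOT = "/var/mail/shared"   # maildir root of the public namespace
NAMESPACE = "Shared"               # prefix "Shared." in the thread's config


def mailbox_dir(imap_name, layout, sep="."):
    """Directory Dovecot would create for the IMAP mailbox `imap_name`.

    layout is "maildir++" (the default layout) or "fs" (LAYOUT=fs);
    sep is the namespace's IMAP hierarchy separator. Illustration only,
    not Dovecot's own path code.
    """
    prefix = NAMESPACE + sep
    if not imap_name.startswith(prefix):
        raise ValueError("mailbox is outside the %s namespace" % prefix)
    parts = imap_name[len(prefix):].split(sep)
    if layout == "maildir++":
        # Maildir++ flattens the whole hierarchy into one dot-joined
        # directory name directly under the root; the IMAP separator
        # is not used on disk.
        return posixpath.join(SHARED_ROOT, "." + ".".join(parts))
    if layout == "fs":
        # LAYOUT=fs nests each hierarchy level as a real subdirectory.
        return posixpath.join(SHARED_ROOT, *parts)
    raise ValueError("unknown layout %r" % layout)


def dir_needing_write(imap_name, layout, sep="."):
    """The directory CREATE has to mkdir() in, i.e. the one the creating
    user (or their group) needs write permission on."""
    return posixpath.dirname(mailbox_dir(imap_name, layout, sep))


def create_stays_in_group_tree(imap_name, layout, sep="."):
    """True when creating `imap_name` needs write access only inside the
    group's own mailbox tree, False when it needs write access on the
    shared root itself (the permission problem described in the thread)."""
    return dir_needing_write(imap_name, layout, sep) != SHARED_ROOT


if __name__ == "__main__":
    name = "Shared.Group1.Subfolder"
    for layout in ("maildir++", "fs"):
        print(layout, mailbox_dir(name, layout),
              "needs write on", dir_needing_write(name, layout))
```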
On 02/08/2011 10:39 AM, Timo Sirainen wrote:
> On 8.2.2011, at 12.33, Lukas Haase wrote:
>> Is there a way to overcome this problem? Why can't dovecot just use /var/mail/shared/.Group1/.Subfolder? Is there an option to do so? It would make everything a lot easier.
> location = maildir:/var/mail/shared:INDEX=~/Maildir/shared:LAYOUT=fs
Ah, didn't know about LAYOUT. That's good to know.
Dear Timo,
Thank you for your advice!
Am 08.02.2011 18:39, schrieb Timo Sirainen:
> On 8.2.2011, at 12.33, Lukas Haase wrote:
>> namespace public {
>>   separator = .
>>   prefix = Shared.
>>   location = maildir:/var/mail/shared:CONTROL=~/Maildir/shared
> location = maildir:/var/mail/shared:INDEX=~/Maildir/shared
Why? According to the Wiki, CONTROL is used for example for the subscriptions (I cannot use "subscriptions=no" because my private namespace is "INDEX." and not empty) and therefore I use it.
Furthermore, according to the Wiki, INDEX can be omitted if all users have write permissions because this way the index file is shared among all users.
However, I can also set CONTROL *and* INDEX. I think there is nothing wrong with that, is there?
> [...] location = maildir:/var/mail/shared:INDEX=~/Maildir/shared:LAYOUT=fs
Wooow, great! Thank you very much! I found very little documentation on it (although it is mentioned in the Wiki), so I think that is the reason why I did not know it.
Thank you very much!
Regards, Luke
On 9.2.2011, at 0.20, Lukas Haase wrote:
>>> namespace public {
>>>   separator = .
>>>   prefix = Shared.
>>>   location = maildir:/var/mail/shared:CONTROL=~/Maildir/shared
>> location = maildir:/var/mail/shared:INDEX=~/Maildir/shared
> Why? According to the Wiki, CONTROL is used for example for the subscriptions (I can not use "subscriptions=no" because my private namespace is "INDEX." and not empty) and therefore I use it.
You can create a prefix="" namespace with list=no hidden=yes where the subscriptions will be saved.
> Furthermore, according to the Wiki, INDEX can be omitted if all users have write permissions because this way the index file is shared among all users.
You can't share index files without sharing control files, otherwise they'll be out of sync (IMAP UID <-> maildir filename mapping is only in dovecot-uidlist control file).
> However, I can also set CONTROL *and* INDEX. I think there is nothing wrong about it, isn't it?
Yes, but then if any keywords (= custom flags = labels = ..) are used, they're not shared between users. Other users instead will see keywords like "Unknown-1".
Dear Timo,
Am 08.02.2011 23:48, schrieb Timo Sirainen:
> On 9.2.2011, at 0.20, Lukas Haase wrote:
>>>> namespace public {
>>>>   separator = .
>>>>   prefix = Shared.
>>>>   location = maildir:/var/mail/shared:CONTROL=~/Maildir/shared
>>> location = maildir:/var/mail/shared:INDEX=~/Maildir/shared
>> Why? According to the Wiki, CONTROL is used for example for the subscriptions (I can not use "subscriptions=no" because my private namespace is "INDEX." and not empty) and therefore I use it.
> [...] You can create a prefix="" namespace with list=no hidden=yes where the subscriptions will be saved.
Great hint! This works!
For the archive:
namespace private {
  separator = .
  prefix = .
  inbox = no
  list = no
  hidden = yes
  location = maildir:~/Maildir-root
  subscriptions = yes
}
The subscriptions file for the public namespaces is not saved in ~/Maildir-root.
> [...] Yes, but then if any keywords (= custom flags = labels = ..) are used, they're not shared between users. Other users instead will see keywords like "Unknown-1".
I re-read the Wiki again and now I understand it.
The usual option will be using dovecot-shared and INDEX=~/Maildir/... for private Seen flags and index, no CONTROL for shared keywords and subscriptions = no for private subscriptions in the private parent namespace.
Thank you very much for these tips!
Regards, Luke
Participants (3): Lukas Haase, Timo Sirainen, Willie Gillespie