[Dovecot] issues with ACL and Public Namespaces
Hi all,
after configuring dovecot to serve private and Public Namespaces per domain with ACLs per shared folder, everything worked great:
In every shared folder I created a "dovecot-acl"-file with the permissions of every user:
user=user5@example.com user=user6@example.com lrwstiea
The subscriptions are handled with "subscriptions=no", so every local user can subscribe to shared folders as he likes. As the shared folders are managed via a web interface, the cronjob creating and deleting the folders also changes the subscriptions of every user, adding or removing the public folders as permissions are granted.
RoundCube Webmail, Thunderbird and Outlook have no problems accessing and using the public folders, but a customer has problems with his Mac: in Apple Mail the folders are not visible, even when subscriptions were previously set in another mail client.
In RoundCube, I spotted another issue: subscribed public folders are usable in the "Mail" area, but no public folder is listed in the "Folder" settings, not even the already subscribed ones. Setting "list=yes" on the public namespace, RC lists only the prefix "shared" as a folder, but no subfolders; "list=children" shows no folder at all.
As I checked the rawlog and debug info with "mail_debug=yes", I saw the possible cause of my problems:
When checking the folder subscriptions in RoundCube, Dovecot tries to find an ACL file for the public folders, but does not look in the public folders, only in the private Maildir:
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): Loading modules from directory: /usr/lib/dovecot/modules/imap
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): Module loaded: /usr/lib/dovecot/modules/imap/lib01_acl_plugin.so
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): Module loaded: /usr/lib/dovecot/modules/imap/lib10_quota_plugin.so
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): Module loaded: /usr/lib/dovecot/modules/imap/lib11_imap_quota_plugin.so
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): Module loaded: /usr/lib/dovecot/modules/imap/lib20_autocreate_plugin.so
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): Module loaded: /usr/lib/dovecot/modules/imap/lib20_expire_plugin.so
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): Effective uid=249, gid=249, home=/var/mail/vmail/example.com/user6/
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): acl: No acl_shared_dict setting - shared mailbox listing is disabled
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): Quota root: name=INBOX backend=dict args=:proxy::quotadict
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): Quota rule: root=INBOX mailbox=* bytes=52428800 messages=0
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): Quota rule: root=INBOX mailbox=Trash bytes=62914560 messages=0
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): Quota warning: bytes=49807360 (95%) messages=0 command=/usr/local/bin/quota-warning.sh 95
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): Quota warning: bytes=41943040 (80%) messages=0 command=/usr/local/bin/quota-warning.sh 80
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): Quota root: name=shared backend=dict args=example.com:ns=shared.:proxy::quotadict
Oct 6 15:24:16 ipx02 dovecot: imap-login: Login: user=<user6@example.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): Quota rule: root=shared mailbox=* bytes=524288000 messages=0
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): expire: pattern=Trash type=expunge secs=604800
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): expire: pattern=Spam type=expunge secs=2592000
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): dict quota: user=user6@example.com, uri=proxy::quotadict, noenforcing=0
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): dict quota: user=example.com, uri=proxy::quotadict, noenforcing=0
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): Namespace: type=private, prefix=, sep=., inbox=yes, hidden=no, list=yes, subscriptions=yes
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): maildir: data=~/Maildir
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): maildir++: root=/var/mail/vmail/example.com/user6//Maildir, index=, control=, inbox=/var/mail/vmail/example.com/user6//Maildir
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): acl: initializing backend with data: vfile
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): acl: acl username = user6@example.com
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): acl: owner = 1
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): acl vfile: Global ACL directory: (null)
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): Namespace: type=public, prefix=shared., sep=., inbox=no, hidden=no, list=yes, subscriptions=no
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): maildir: data=/var/mail/vmail/example.com/shared:INDEX=~/shared
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): maildir++: root=/var/mail/vmail/example.com/shared, index=/var/mail/vmail/example.com/user6//shared, control=, inbox=
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): acl: initializing backend with data: vfile
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): acl: acl username = user6@example.com
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): acl: owner = 0
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): acl vfile: Global ACL directory: (null)
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): Namespace : Using permissions from /var/mail/vmail/example.com/user6//Maildir: mode=0700 gid=-1
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): acl vfile: file /var/mail/vmail/example.com/user6//Maildir/.Sent/dovecot-acl not found
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): acl vfile: file /var/mail/vmail/example.com/user6//Maildir/.Spam/dovecot-acl not found
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): acl vfile: file /var/mail/vmail/example.com/user6//Maildir/.Trash/dovecot-acl not found
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): acl vfile: reading file /var/mail/vmail/example.com/user6//Maildir/dovecot-acl
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): acl vfile: file /var/mail/vmail/example.com/user6//Maildir/.shared.Transfer/dovecot-acl not found
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): acl vfile: file /var/mail/vmail/example.com/user6//Maildir/.shared.Transfer.Test1/dovecot-acl not found
Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): Disconnected: Logged out bytes=73/819
(last three lines are important)
When checking the Folder itself, Dovecot checks in the IMHO correct folder:
Oct 6 15:25:02 ipx02 dovecot: imap-login: Login: user=<user6@example.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): Loading modules from directory: /usr/lib/dovecot/modules/imap
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): Module loaded: /usr/lib/dovecot/modules/imap/lib01_acl_plugin.so
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): Module loaded: /usr/lib/dovecot/modules/imap/lib10_quota_plugin.so
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): Module loaded: /usr/lib/dovecot/modules/imap/lib11_imap_quota_plugin.so
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): Module loaded: /usr/lib/dovecot/modules/imap/lib20_autocreate_plugin.so
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): Module loaded: /usr/lib/dovecot/modules/imap/lib20_expire_plugin.so
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): Effective uid=249, gid=249, home=/var/mail/vmail/example.com/user6/
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): acl: No acl_shared_dict setting - shared mailbox listing is disabled
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): Quota root: name=INBOX backend=dict args=:proxy::quotadict
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): Quota rule: root=INBOX mailbox=* bytes=52428800 messages=0
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): Quota rule: root=INBOX mailbox=Trash bytes=62914560 messages=0
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): Quota warning: bytes=49807360 (95%) messages=0 command=/usr/local/bin/quota-warning.sh 95
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): Quota warning: bytes=41943040 (80%) messages=0 command=/usr/local/bin/quota-warning.sh 80
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): Quota root: name=shared backend=dict args=example.com:ns=shared.:proxy::quotadict
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): Quota rule: root=shared mailbox=* bytes=524288000 messages=0
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): expire: pattern=Trash type=expunge secs=604800
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): expire: pattern=Spam type=expunge secs=2592000
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): dict quota: user=user6@example.com, uri=proxy::quotadict, noenforcing=0
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): dict quota: user=example.com, uri=proxy::quotadict, noenforcing=0
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): Namespace: type=private, prefix=, sep=., inbox=yes, hidden=no, list=yes, subscriptions=yes
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): maildir: data=~/Maildir
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): maildir++: root=/var/mail/vmail/example.com/user6//Maildir, index=, control=, inbox=/var/mail/vmail/example.com/user6//Maildir
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): acl: initializing backend with data: vfile
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): acl: acl username = user6@example.com
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): acl: owner = 1
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): acl vfile: Global ACL directory: (null)
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): Namespace: type=public, prefix=shared., sep=., inbox=no, hidden=no, list=yes, subscriptions=no
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): maildir: data=/var/mail/vmail/example.com/shared:INDEX=~/shared
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): maildir++: root=/var/mail/vmail/example.com/shared, index=/var/mail/vmail/example.com/user6//shared, control=, inbox=
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): acl: initializing backend with data: vfile
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): acl: acl username = user6@example.com
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): acl: owner = 0
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): acl vfile: Global ACL directory: (null)
Oct 6 15:25:02 ipx02 dovecot: IMAP(user6@example.com): Namespace : Using permissions from /var/mail/vmail/example.com/user6//Maildir: mode=0700 gid=-1
Oct 6 15:25:03 ipx02 dovecot: IMAP(user6@example.com): acl vfile: reading file /var/mail/vmail/example.com/shared/.Transfer.Test1/dovecot-acl
Oct 6 15:25:03 ipx02 dovecot: IMAP(user6@example.com): expire: No expiring in mailbox: shared.Transfer.Test1
Oct 6 15:25:03 ipx02 dovecot: IMAP(user6@example.com): Disconnected: Logged out bytes=85/743
(last four lines are important)
Is this a possible bug related to ACL and Public Namespaces, or do I have to create the public folders also in the local Maildir and symlink the dovecot-acl to the public folder?
With the symlinks in place (per folder), dovecot finds the ACL files and lists the folders in RoundCube's "Folder" pane too, and Apple Mail finds the public folders as well.
Upgrading to 1.2.5 failed so far, as my build server has problems with automake; I have to look into this too.
Thanks in advance!
Best regards,
Anton Dollmaier
Output of dovecot -n:
# 1.2.3: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-6-686 i686 Debian 5.0.3
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap imaps pop3s pop3
listen: *, [::]
ssl_cert_file: /etc/dovecot/dovecot.pem
ssl_key_file: /etc/dovecot/dovecot.pem
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
mail_max_userip_connections(default): 25
mail_max_userip_connections(imap): 25
mail_max_userip_connections(pop3): 10
first_valid_uid: 249
mail_access_groups: poponly
mail_privileged_group: poponly
mail_location: maildir:~/Maildir
mail_debug: yes
mail_executable(default): /usr/lib/dovecot/rawlog /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/rawlog /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_plugins(default): quota imap_quota acl autocreate expire
mail_plugins(imap): quota imap_quota acl autocreate expire
mail_plugins(pop3): quota expire
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
imap_client_workarounds(default): netscape-eoh
imap_client_workarounds(imap): netscape-eoh
imap_client_workarounds(pop3):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
namespace:
  type: private
  separator: .
  inbox: yes
  list: yes
  subscriptions: yes
namespace:
  type: public
  separator: .
  prefix: shared.
  location: maildir:/var/mail/vmail/%d/shared:INDEX=~/shared
  list: yes
lda:
  postmaster_address: postmaster@server.example.com
  mail_plugins: quota expire
  quota_full_tempfail: yes
  auth_socket_path: /var/run/dovecot/auth-master
  log_path: /var/log/dovecot-deliver.log
  info_log_path: /var/log/dovecot-deliver.log
  sieve_global_dir: /etc/dovecot/sieve/
  sieve_global_path: /etc/dovecot/default.sieve
auth default:
  mechanisms: plain login
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql-master.conf
  userdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 432
      user: vmail
      group: vmail
plugin:
  quota: dict:INBOX::proxy::quotadict
  quota2: dict:shared:%d:ns=shared.:proxy::quotadict
  quota_rule: *:storage=50M:messages=1000
  quota_rule2: Trash:storage=50M:messages=100
  quota2_rule: *:storage=100M:messages=1000
  quota_warning: storage=95%% /usr/local/bin/quota-warning.sh 95
  quota_warning2: storage=80%% /usr/local/bin/quota-warning.sh 80
  acl: vfile
  expire: Trash 7 Spam 30
  expire_dict: proxy::expire
  autocreate: Trash
  autocreate2: Spam
  autocreate3: Sent
  autosubscribe: Trash
  autosubscribe2: Spam
  autosubscribe3: Sent
dict:
  quotadict: mysql:/etc/dovecot/dovecot-dict-quota.conf
  expire: mysql:/etc/dovecot/dovecot-dict-expire.conf
On Tue, 2009-10-06 at 16:18 +0200, Anton Dollmaier wrote:
> When checking the Folder Subscriptions in RoundCube, Dovecot tries to find an ACL file for the public folders, but does not check the public folders, but in the private Maildir: ..
> Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): acl vfile: file /var/mail/vmail/example.com/user6//Maildir/.shared.Transfer/dovecot-acl not found
> Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): acl vfile: file /var/mail/vmail/example.com/user6//Maildir/.shared.Transfer.Test1/dovecot-acl not found
> Oct 6 15:24:16 ipx02 dovecot: IMAP(user6@example.com): Disconnected: Logged out bytes=73/819
Oh, right, that's because the subscriptions are in the private namespace. Hmm. I'll try to get this fixed soon, but if you want to get it working now you could use:
namespace public {
  prefix = shared.
  location = maildir:/var/mail/vmail/%d/shared:CONTROL=~/shared:INDEX=~/shared
  subscriptions = yes
}
Although there's also a bug related to that where LSUB "" % won't list "shared" and that breaks some clients. That's fixed in v1.2.6.
Hi Timo,
> Oh, right, that's because the subscriptions are in the private namespace. Hmm. I'll try to get this fixed soon, but if you want to get it working now you could use:
> namespace public {
>   prefix = shared.
>   location = maildir:/var/mail/vmail/%d/shared:CONTROL=~/shared:INDEX=~/shared
>   subscriptions = yes
> }
Then subscriptions will be handled directly in the public namespace, therefore all users would have the same folders subscribed, right?
That would cause permission problems, as not all users are allowed to see every folder.
> Although there's also a bug related to that where LSUB "" % won't list "shared" and that breaks some clients. That's fixed in v1.2.6.
Such commands are actually performed and logged in the rawlog (e.g. 20091005-221025-26325.in), but I don't see any responses back to the client.
I'll upgrade to 1.2.6 and check if the problem still occurs.
On Tue, 2009-10-06 at 17:18 +0200, Anton Dollmaier wrote:
> Hi Timo,
>> Oh, right, that's because the subscriptions are in the private namespace. Hmm. I'll try to get this fixed soon, but if you want to get it working now you could use:
>> namespace public {
>>   prefix = shared.
>>   location = maildir:/var/mail/vmail/%d/shared:CONTROL=~/shared:INDEX=~/shared
>>   subscriptions = yes
>> }
> Then subscriptions will be handled directly in the public namespace, therefore all users would have the same folders subscribed, right?
No, that's why I added the :CONTROL=~/shared.
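Anton's cron job (first post) keeps each user's subscriptions in step with the dovecot-acl files of the shared folders, and with Timo's :CONTROL=~/shared every user gets their own subscription list for the public namespace. The following Python is an added illustration of that reconciliation, not code from the thread or from Dovecot; it assumes the simplified ACL evaluation described in its docstring, that subscription entries carry the "shared." prefix, and a constructed set of folders and ACL files.

```python
"""Keep a user's subscriptions in step with the dovecot-acl files of the
shared folders (added illustration, not Dovecot's or the thread's code).
Simplified ACL evaluation assumed: rights of all matching identifiers are
combined, then "-" (negative) lines are subtracted; "owner" never matches
since a public namespace has no owner (the log shows "acl: owner = 0")."""
from __future__ import annotations

NAMESPACE_PREFIX = "shared."  # assumed: subscription entries carry the prefix

# Constructed sample: folder (relative to the public namespace) -> dovecot-acl text
SAMPLE_ACLS = {
    "Transfer": "user=user5@example.com lrwstiea\nuser=user6@example.com lrwstiea\n",
    "Transfer.Test1": "user=user5@example.com lrwstiea\n",
    "Finance": "group=accounting lr\n-user=user6@example.com l\n",
}


def parse_acl(text: str) -> list[tuple[bool, str, set[str]]]:
    """Split dovecot-acl lines into (negative?, identifier, rights letters)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ident, _, rights = line.partition(" ")
        entries.append((ident.startswith("-"), ident.lstrip("-"), set("".join(rights.split()))))
    return entries


def effective_rights(acl_text: str, user: str, groups: frozenset[str]) -> set[str]:
    """Rights `user` (member of `groups`) ends up with on one shared folder."""
    def matches(ident: str) -> bool:
        if ident in ("anyone", "authenticated"):
            return True
        if ident.startswith("user="):
            return ident[5:] == user
        if ident.startswith(("group=", "group-override=")):
            return ident.split("=", 1)[1] in groups
        return False  # "owner" or unknown identifier: no match here
    granted, denied = set(), set()
    for negative, ident, rights in parse_acl(acl_text):
        if matches(ident):
            (denied if negative else granted).update(rights)
    return granted - denied


def reconcile_subscriptions(acls: dict[str, str], current: list[str], user: str,
                            groups: frozenset[str] = frozenset()) -> list[str]:
    """Subscription list the user should have: private entries untouched,
    shared folders only where the ACL grants lookup ('l')."""
    visible = {NAMESPACE_PREFIX + name for name, acl in acls.items()
               if "l" in effective_rights(acl, user, groups)}
    kept = [f for f in current if not f.startswith(NAMESPACE_PREFIX) or f in visible]
    return kept + sorted(visible - set(current))
```

A subscription to a shared folder whose ACL no longer grants lookup is dropped, which is the permission concern raised above about all users seeing the same subscriptions.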