[Dovecot] Dovecot not handling r/o mailboxes completely, and problem with ACL as a workaround

Jim Horner jhorner at arinbe.com
Mon May 7 19:46:33 EEST 2007



> In courier-imap, we were able to take advantage of the maildir structure
> and standard unix users/groups to allow 'decsstaff' members to have full
> write access while 'decsall' members only have r/o unless also a member of
> 'decsstaff':
>
> -rw-rw-r--  1 postlocal  decsstaff  37597 May  5 23:37 /egr/mail/shared/decs/.support.In/cur/1178422658.M533373P54269.ice
> drwxrwxr-x  2 postlocal  decsstaff  24576 May  5 23:37 /egr/mail/shared/decs/.support.In/cur
> drwxrws---  6 postlocal  decsall  4096 Apr 22 18:08 /egr/mail/shared/decs/.support.In
> drwxrwsr-x  34 postlocal  wheel  4096 May  1 07:23 /egr/mail/shared/decs
>
>   location: maildir:/egr/mail/shared-dovecot2/vprgs:CONTROL=%h/Maildir/dovecot/public/control/vprgs:INDEX=%h/Maildir/dovecot/public/indexes/vprgs
> namespace:
>   type: private
>   separator: /
>   prefix: mail/
>   hidden: yes

> plugin:
>   acl: vfile:/usr/local/etc/dovecot-acls


I use shared folders. I posted a while back about my setup. There have been a 
few changelogs since then concerning ACLs. My setup might be whacked but it 
still continues to work. The simplest example I have is root mail. 

I have mail folders 

drwxrwx---  4 rootmail users /home/services/mail/rootmail/Maildir
     drwxrwx---  4 rootmail users ../.RootmailFolder
     drwxrwx---  4 rootmail users ../.RootmailFolder.general

To get around the ACL plugin's downside of being unaware of namespaces I create 
a "RootmailFolder" underneath Maildir. No one else probably (hopefully) will 
have a folder named that. If they did then the permissions in the ACL  
plug-in directory would override "owner permissions". Were that to happen 
then you could just put a dovecot-acl file in the user's directory to 
compensate though this is a fuzzy part... this used to work but I haven't 
needed to test it so I don't know if it does still.

I then created a general folder under that. I have a sieve script which pumps 
all mail into the general folder. So this is rootmail's "inbox". I did this 
as a workaround.

<might not be needed nor work anymore>

If you actually want a user 'rootmail' to use an imap client and log into 
their mailbox then you would create a file 

/home/services/mail/rootmail/Maildir/dovecot-acl
/home/services/mail/rootmail/Maildir/.RootmailFolder/dovecot-acl
/home/services/mail/rootmail/Maildir/.RootmailFolder.general/dovecot-acl

all the files contain:

user=rootmail lrwstie

</might not be needed nor work anymore>


To use the ACL plug-in, files must be created in this directory:

> plugin:
>   acl: vfile:/usr/local/etc/dovecot-acls

so I have (using your path) files:

/usr/local/etc/dovecot-acls/RootmailFolder
/usr/local/etc/dovecot-acls/RootmailFolder.general

These files contain

user=jhorner lrwstie

My namespace is set up as:

namespace public {
    separator = .
    prefix = ROOTMAIL.
    location = 
maildir:/home/services/mail/rootmail/Maildir:CONTROL=%h/shared-settings/rootmail/control:INDEX=%h/shared-settings/rootmail/index
    hidden = no
    inbox = no
}

Everyone can see the namespace but no one but me can access the namespace 
because RootmailFolder is only accessible by me. Those who do try to access a 
forbidden folder get a curt techie error. However, most clients do not show 
the namespace because there aren't any folders underneath the namespace that 
are accessible so this is not a problem for me.

I also have a COMPANY share set up similarly. However there are many many 
folders underneath this share and different people can access different 
folders, and I accomplish that using the ACL plug-in similar to above.

I used to use Courier and I was able to duplicate shared folders via the ACL 
plug-in though the folders are now one level deeper, i.e. 
ROOTMAIL/RootmailFolders/general as opposed to ROOTMAIL/general 
(namespace/foldername). Some users did complain. Oh well... most are still 
breathing.

Jim
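As an added illustration (not Jim's code and not Dovecot's), a small Python model of the vfile lookups his layout relies on: global ACL files keyed by the bare mailbox name, so they apply in every namespace, plus optional per-mailbox dovecot-acl files. The merge rules, the identifier names and the owner default are assumptions modelled on the post, not verified Dovecot behaviour; the ACL contents are constructed from the paths and lines quoted in the message.

```python
"""Toy model of the Dovecot 1.x ACL vfile lookups behind the layout above.
Assumptions (modelled on the post, not verified Dovecot behaviour): global
ACL files are looked up by bare mailbox name in every namespace, rights are
the union of matching entries, a '-' entry subtracts, a per-mailbox entry
replaces the global entry for the same identifier, and the owner keeps full
rights only while no ACL entry applies to the mailbox at all."""

# Constructed inputs mirroring the post: global dir keyed by mailbox name,
# per-mailbox dovecot-acl files keyed by (owner, mailbox name).
GLOBAL_ACL_DIR = {  # /usr/local/etc/dovecot-acls/<name>
    "RootmailFolder": "user=jhorner lrwstie",
    "RootmailFolder.general": "user=jhorner lrwstie",
}
PER_MAILBOX_ACL = {  # .../rootmail/Maildir/.RootmailFolder/dovecot-acl
    ("rootmail", "RootmailFolder"): "user=rootmail lrwstie",
}
ALL_RIGHTS = set("lrwstipekxa")  # right letters used by the vfile backend


def parse_acl(text: str) -> dict[str, str]:
    """Parse 'user=jhorner lrwstie' lines into {identifier: rights}."""
    entries: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ident, _, rights = line.partition(" ")
            entries[ident] = rights.strip()
    return entries


def effective_rights(user: str, groups: set[str], owner, mailbox: str) -> set[str]:
    """Rights of `user` on `mailbox` (owner=None for a public namespace)."""
    entries = parse_acl(GLOBAL_ACL_DIR.get(mailbox, ""))
    entries.update(parse_acl(PER_MAILBOX_ACL.get((owner, mailbox), "")))
    if not entries:  # no ACL anywhere: only the owner gets in
        return set(ALL_RIGHTS) if user == owner else set()
    idents = {f"user={user}", "anyone", "authenticated"}
    idents |= {f"group={g}" for g in groups}
    if user == owner:
        idents.add("owner")
    granted: set[str] = set()
    for ident, rights in entries.items():  # positive entries first
        if ident in idents and not rights.startswith("-"):
            granted |= set(rights)
    for ident, rights in entries.items():  # then negative ones subtract
        if ident in idents and rights.startswith("-"):
            granted -= set(rights[1:])
    return granted & ALL_RIGHTS
```

Running `effective_rights("jhorner", set(), "bob", "RootmailFolder")` shows the collision the post warns about: the global file grants jhorner the folder in any user's private namespace, while bob, the owner, gets nothing until he adds his own dovecot-acl entry.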

