[Dovecot] Dovecot not handling r/o mailboxes completely, and problem with ACL as a workaround

Matt Zukowski mzukowski at urbacon.net
Mon May 7 21:47:40 EEST 2007

I would just add to this that simply putting a dovecot-acl file in a
shared folder with "user=<username> <permissions>" does work just fine
for us (without the complicated setup described below). Our problem is
that group-based restrictions don't work at all (i.e. "group=<groupname>
<permissions>", as described in the manual).

I'm also trying to figure out what the force-group ACL identifier is
supposed to mean.

.... I gotta stop hitting "reply" for this list. I keep accidentally 
sending messages to the original authors rather than to the mailing list :)

Jim Horner wrote:
>> In courier-imap, we were able to take advantage of the maildir structure
>> and standard unix users/groups to allow 'decsstaff' members to have full
>> write access while 'decsall' members only have r/o unless also a member of
>> 'decsstaff':
>> -rw-rw-r--  1 postlocal  decsstaff  37597 May  5 23:37
>> /egr/mail/shared/decs/.support.In/cur/1178422658.M533373P54269.ice
>> drwxrwxr-x  2 postlocal  decsstaff  24576 May  5 23:37
>> /egr/mail/shared/decs/.support.In/cur
>> drwxrws---  6 postlocal  decsall  4096 Apr 22 18:08
>> /egr/mail/shared/decs/.support.In drwxrwsr-x  34 postlocal  wheel  4096 May
>>  1 07:23 /egr/mail/shared/decs
>>   location:
>> maildir:/egr/mail/shared-dovecot2/vprgs:CONTROL=%h/Maildir/dovecot/public/c
>> ontrol/vprgs:INDEX=%h/Maildir/dovecot/public/indexes/vprgs namespace:
>>   type: private
>>   separator: /
>>   prefix: mail/
>>   hidden: yes
>> plugin:
>>   acl: vfile:/usr/local/etc/dovecot-acls
> I use shared folders. I posted a while back about my setup. There have been a 
> few changelogs since then concerning ACLs. My setup might be whacked but it 
> still continues to work. The simplest example I have is root mail. 
> I have mail folders 
> drwxrwx---  4 rootmail users /home/services/mail/rootmail/Maildir
>      drwxrwx---  4 rootmail users ../.RootmailFolder
>      drwxrwx---  4 rootmail users ../.RootmailFolder.general
> To get around ACL plugins downside of being unaware of namespaces I create 
> a "RootmailFolder" underneath Maildir. No one else probably (hopefully) will 
> have a folder named that. If they did then the permissions in the ACL  
> plug-in directory would override "owner permissions". Were that to happen 
> then you could just put a dovecot-acl file in the user's directory to 
> compensate though this is a fuzzy part... this used to work but I haven't 
> needed to test it so I don't know if it does still.
> I then created a general folder under that. I have a sieve script which pumps 
> all mail into the general folder. So this is rootmail's "inbox". I did this 
> as a workaround.
> <might not be needed nor work anymore>
> If you actually want a user 'rootmail' to use an imap client and log into 
> their mailbox then you would create a file 
> /home/services/mail/rootmail/Maildir/dovecot-acl
> /home/services/mail/rootmail/Maildir/.RootmailFolder/dovecot-acl
> /home/services/mail/rootmail/Maildir/.RootmailFolder.general/dovecot-acl
> all the files contain:
> user=rootmail lrwstie
> </might not be needed nor work anymore>
> To use the ACL plug-in files must be create in this directory:
>> plugin:
>>   acl: vfile:/usr/local/etc/dovecot-acls
> so I have (using your path) files:
> /usr/local/etc/dovecot-acls/RootmailFolder
> /usr/local/etc/dovecot-acls/RootmailFolder.general
> These files contain
> user=jhorner lrwstie
> My namespace is setup as:
> namespace public {
>     separator = .
>     prefix = ROOTMAIL.
>     location = 
> maildir:/home/services/mail/rootmail/Maildir:CONTROL=%h/shared-settings/rootmail/control:INDEX=%h/shared-settings/rootmail/index
>     hidden = no
>     inbox = no
> }
> Everyone can see the namespace but no one but me can access the namespace 
> because RootmailFolder is only accessible by me. Those who do try to access a 
> forbidden folder get a curt techie error. However, most clients do not show 
> the namespace because there aren't any folders underneath the namespace that 
> are accessible so this is not a problem for me.
> I also have a COMPANY share setup similarly. However there are many many 
> folders underneath this share and different people can access different 
> folders and I accomplish that using the ACL plug-in similar to above.
> I used to use Courier and I was able to duplicate shared folders via the ACL 
> plug-in though the folders are now one level deeper, i.e. 
> ROOTMAIL/RootmailFolders/general as opposed to ROOTMAIL/general 
> (namespace/foldername). Some users did complain. Oh well... most are still 
> breathing.
> Jim

This e-mail message is privileged, confidential and subject to copyright. Any unauthorized use or disclosure is prohibited. 
Le contenu du pr'esent courriel est privil'egi'e, confidentiel et soumis `a des droits d'auteur. Il est interdit de l'utiliser ou de le divulguer sans autorisation.

More information about the dovecot mailing list