[Dovecot] Dovecot not handling r/o mailboxes completely, and problem with ACL as a workaround
mcdouga9 at egr.msu.edu
Fri May 11 00:12:51 EEST 2007
Thanks for the clarification, I got around to testing the configuration
you claim to use, but unfortunately I cannot get an ACL to have any affect
on the mailbox access :( Can you tell me what acl flags you are restricting
to (rl, etc) and what actual affect that has on the mail client in terms of
behavior when attempting to perform an unallowed action?
I get this in the log:
May 10 15:46:58 gribble dovecot: IMAP(mcdouga9): acl: initializing backend with data:
May 10 15:46:58 gribble dovecot: IMAP(mcdouga9): acl: acl username = mcdouga9
May 10 15:46:58 gribble dovecot: IMAP(mcdouga9): acl: owner username = mcdouga9
May 10 15:46:58 gribble dovecot: IMAP(mcdouga9): acl vfile: Global ACL directory:
May 10 15:46:58 gribble dovecot: IMAP(mcdouga9): acl vfile: reading file
# ls -ld .support.In
drwxrws--- 5 postlocal decsall 4096 May 9 12:55 .support.In
# ls -ld .support.In/cur
drwxrwxr-x 2 postlocal decsstaff 8192 Apr 24 12:47 .support.In/cur
# ls -ld .support.In/cur/1177428192.M918738P11081.zee
-rw-rw-r-- 1 postlocal decsstaff 2904 Apr 24 11:23 .support.In/cur/1177428192.M918738P11081.zee
mcdouga9 is in decsstaff, which has full write permission to the directory
I have inside that dovecot-acl:
I tried just user=mcdouga9 rl first, no effect, added group-override=wheel
(mcdouga9 is a member of wheel) and restarted thunderbird, still seem to have
full access to the mailbox. Argh.
On Tue, May 08, 2007 at 02:36:24PM -0400, Matt Zukowski wrote:
The shared mailbox and all its files and subdirectories are owned by the
'dovecot' user and by the 'domain users' group that all users belong to. The
ACL restrictions cause a reduction (i.e. more fine-grained constraint) in
privileges. In other words, at the system-file level, everyone can read the
directory/files, but at the ACL level, only members of some particular list
of groups should be able to read them.
And as I said, the user=<username> constraint seems to work fine, but
group=<groupname> does not. It looks like the group=<groupname> constraint
just never matches anyone. So I might have group=admins and "joeblow" is in
group admins, but Dovecot thinks that he isn't.
Adam McDougall wrote:
> What are the directory and file permissions of your shared folder,
> and do your <permissions> cause an increase or reduction of permissions
> compared to the dir and file permissions, or some of both?
> On Mon, May 07, 2007 at 02:47:40PM -0400, Matt Zukowski wrote:
> I would just add to this that simply putting a dovecot-acl file in a
> shared folder with "user=<username> <permissions>" does work just fine
> for us (without the complicated setup described below). Our problem is
> that group-based restrictions don't work at all (i.e. "group=<groupname>
> <permissions>", as described in the manual).
> I'm also trying to figure out what the force-group ACL identifier is
> supposed to mean.
> .... I gotta stop hitting "reply" for this list. I keep accidentally
> sending messages to the original authors rather than to the mailing list
This e-mail message is privileged, confidential and subject to copyright.
Any unauthorized use or disclosure is prohibited. Le contenu du pr'esent
courriel est privil'egi'e, confidentiel et soumis `a des droits d'auteur. Il
est interdit de l'utiliser ou de le divulguer sans autorisation.
More information about the dovecot