[Dovecot] Global ACL configuration problems: mailboxes not visible, set ACLs not honoured
Andreas Ntaflos
daff at pseudoterminal.org
Tue Sep 1 12:34:16 EEST 2009
Hi list,
I am having trouble getting global ACLs to work correctly. This is, I
assume, an issue separate from the one I reported a few days ago [1],
where the imap process crashes when creating subfolders of folders with
an ACL set.
As you can see from my 'dovecot -n' output below I have three
namespaces; two private ("Backup" and the default, empty one) and one
public ("Public"). I also use the autocreate plugin to create a few
standard folders. Those folders, along with some others, should have
some special permissions and restrictions in place. I.e. messages must
not be deletable, the mailbox itself may not be deleted, etc.
I want to use global ACLs so that I don't have to put a dovecot-acl file
in every folder that I want to have an ACL set. Thus, according to the
wiki, if I have set
acl:vfile:/etc/dovecot/acls
I can create files named "Sent", "Trash", "Drafts", "INBOX.Spam"
and "Backup.sent", "Backup.received", "Public.Spam", "Public.Ham" in
the directory /etc/dovecot/acls. These files contain the ACL, such
as "owner lrp", "owner lrwsipk" and "authenticated lrwstipk". Any and
all "dovecot-acl-list" files have been deleted before testing and
reproducing that problem again just now.
Is there anything more to it? I ask, because I can't seem to get it to
work correctly using this approach with global ACLs. Problems include:
- Can't get the mailboxes "Spam" and "Ham" under the "Public" namespace
to show up in the mail client (Thunderbird, KMail, Horde/IMP) at all.
These have the ACL "authenticated lrwstipk" set so they should be
visible to authenticated clients, shouldn't they? All I see is the
namespace with no mailboxes beneath it.
- Deleting messages from the "Backup.sent" or "Backup.received"
mailboxes is possible from Thunderbird, KMail and Horde/IMP, despite
having the ACL "owner rlp" set, which, if I understand correctly,
should only allow users to lookup, read and post to the mailing list
via LDA/Sieve.
What am I doing wrong? It seems to me that the global ACL files for
namespaces other than the empty one are not at all considered? Do I
have to use another notation for the ACL file names?
Any help is much appreciated.
Thanks in advance!
Configuration information follows.
Contents of /etc/dovecot/acl
============================
Backup.received
owner rlp
Backup.sent
owner rlp
Drafts
owner lrwstipk
INBOX.Spam
owner lrwstipk
Public.Ham
authenticated lrwstipk
Public.Spam
authenticated lrwstipk
Sent
owner lrwstipk
Trash
owner lrwstipk
'dovecot -n'
============
# 1.2.4: /usr/local/etc/dovecot.conf
# OS: Linux 2.6.26-2-686 i686 Debian 5.0.2
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: managesieve imap imaps pop3 pop3s
login_dir: /usr/local/var/run/dovecot/login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
login_executable(managesieve): /usr/local/libexec/dovecot/managesieve-login
mail_access_groups: mail
mail_privileged_group: mail
mail_location: maildir:~/Maildir
mail_drop_priv_before_exec: yes
mail_executable(default): /usr/local/libexec/dovecot/imap
mail_executable(imap): /usr/local/libexec/dovecot/imap
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_executable(managesieve): /usr/local/libexec/dovecot/managesieve
mail_plugins(default): autocreate acl
mail_plugins(imap): autocreate acl
mail_plugins(pop3):
mail_plugins(managesieve):
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
mail_plugin_dir(managesieve): /usr/local/lib/dovecot/managesieve
namespace:
type: public
separator: .
prefix: Public.
location: maildir:/var/mail/public:CONTROL=~/Maildir/control/public:INDEX=~/Maildir/index/public
list: yes
namespace:
type: private
separator: .
prefix: Backup.
location: maildir:~/Maildir-backup
hidden: yes
list: no
namespace:
type: private
separator: .
inbox: yes
list: yes
subscriptions: yes
lda:
log_path:
info_log_path:
auth_socket_path: /var/run/dovecot/auth-master
postmaster_address: postmaster at mailtest0.rise-s.com
mail_plugins: sieve acl
auth default:
mechanisms: plain login
passdb:
driver: pam
passdb:
driver: sql
args: /etc/dovecot/dovecot-sql.conf
userdb:
driver: passwd
userdb:
driver: static
args: uid=vmail gid=vmail home=/var/vmail/%Ld/%Ln allow_all_users=yes
socket:
type: listen
client:
path: /var/spool/postfix/private/auth
mode: 432
user: postfix
group: postfix
master:
path: /var/run/dovecot/auth-master
mode: 384
user: vmail
plugin:
sieve: ~/.dovecot.sieve
sieve_dir: ~/sieve
sieve_global_path: /etc/dovecot/sieve/default.sieve
sieve_global_dir: /etc/dovecot/sieve/global/
sieve_before: /etc/dovecot/sieve/before/
autocreate: Trash
autocreate2: Drafts
autocreate3: Sent
autocreate4: INBOX.Spam
autosubscribe: Trash
autosubscribe2: Drafts
autosubscribe3: Sent
autosubscribe4: INBOX.Spam
acl: vfile:/etc/dovecot/acl
[1] http://dovecot.org/list/dovecot/2009-August/042467.html
--
Andreas Ntaflos
Vienna, Austria
GPG Fingerprint: 6234 2E8E 5C81 C6CB E5EC 7E65 397C E2A8 090C A9B4
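Added example, not code from the post or from Dovecot: a small checker that parses global ACL files in the format shown above (one "identifier rights" line per file) and derives which operations each identifier's rights actually permit, so an administrator can compare the intended restrictions with what the letters grant before testing against a client. The ACL texts are constructed from the post's /etc/dovecot/acl listing; the per-operation right sets are an assumption of this model.

```python
"""Added example (not Dovecot code): parse global ACL files like those in
the post and derive what each identifier should be able to do."""
import re
# Dovecot ACL right letters: lookup, read, write flags, write seen,
# write deleted, insert, post, expunge, create, delete mailbox, admin.
RIGHTS = set("lrwstipekxa")
# Rights a client needs per operation, as modelled here (assumption).
NEEDS = {
    "see mailbox": {"l"},
    "read messages": {"l", "r"},
    "delete messages": {"l", "r", "t", "e"},  # flag \Deleted, then EXPUNGE
    "delete mailbox": {"l", "x"},
}
# Positive, letter-form entries only; right names and '-' entries are rejected.
ACL_LINE = re.compile(
    r"^(owner|anyone|authenticated|user=\S+|group=\S+|group-override=\S+)"
    r"\s+([a-z]+)$")
# Constructed from the /etc/dovecot/acl listing in the post (subset).
GLOBAL_ACLS = {
    "Backup.sent": "owner rlp",
    "INBOX.Spam": "owner lrwstipk",
    "Public.Ham": "authenticated lrwstipk",
}

def parse_acl(text):
    """Return {identifier: set(rights)}; raise on malformed or unknown rights."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ACL_LINE.match(line)
        if not m:
            raise ValueError("malformed ACL line: %r" % line)
        ident, letters = m.groups()
        unknown = set(letters) - RIGHTS
        if unknown:
            raise ValueError("unknown rights %s in %r" % (sorted(unknown), line))
        acl[ident] = acl.get(ident, set()) | set(letters)
    return acl

def report(global_acls):
    """Per mailbox: identifier -> sorted operations its rights permit."""
    out = {}
    for box, text in global_acls.items():
        acl = parse_acl(text)
        out[box] = {ident: sorted(op for op, need in NEEDS.items() if need <= rights)
                    for ident, rights in acl.items()}
    return out
```

Note that "lrwstipk" lacks "e", so under this model flagging a message \Deleted is allowed but EXPUNGE is not; "rlp" permits neither.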