[Dovecot] acl with hierarchy separators mismatched config

Tue Aug 23 10:52:15 EEST 2011

Hi there,

I'm testing dovecot 2.0.13 on Debian squeeze (deb from http://xi.rename-it.nl/debian) with the following doveconf -n.

--------
# 2.0.13 (1449a2e2c1f5): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.26-2-openvz-amd64 i686 Debian 6.0.2 first_valid_uid = 8
mail_debug = yes
mail_location = maildir:~/Maildir
mail_plugins = listescape mail_log notify acl
namespace {
  inbox = yes
  location =   prefix =   separator = /
  type = private
}
namespace {
  list = children
  location = maildir:/var/mail/public:INDEX=~/Maildir/public
  prefix = Public/
  separator = /
  subscriptions = no
  type = public
}
passdb {
  driver = pam
}
plugin {
  acl = vfile
}
protocols = " imap"
ssl = no
userdb {
  args = uid=mail gid=mail home=/var/mail/private/%u
  driver = static
}
protocol imap {
  mail_plugins = listescape mail_log notify acl imap_acl
}
--------

My primary interest is acl and listescape enabled folders in the public namespace.  I've chosen "/" as the hierarchy separator to support folder names with dots (".").

/var/mail/public is a maildir with the maildir++ layout where the separator is a dot (".").  So I set up intial acls and folders as follows:

--------
# mkdir /var/mail/public
# echo 'anyone lra' >/var/mail/public/dovecot-acl # maildirmake.dovecot /var/mail/public/.aaa
# echo 'anyone lrwstipekxa' >/var/mail/public/.aaa/dovecot-acl
# chown -R mail.mail /var/mail/public
--------

But my attempt to create a mailbox under Public/aaa fails with "Permission denied".

--------
# imtest -a yaegashi localhost
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
C: C01 CAPABILITY
S: * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN
S: C01 OK Pre-login capabilities listed, post-login capabilities have more.
Please enter your password: C: A01 AUTHENTICATE PLAIN ?????????????????/
S: * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS ACL RIGHTS=texk
S: A01 OK Logged in
Authenticated.
Security strength factor: 0
. getacl Public
* ACL "Public" "anyone" alr
. OK Getacl completed.
. getacl Public/aaa
* ACL "Public/aaa" "anyone" akxeilprwtscd
. OK Getacl completed.
. create Public/aaa/bbb
. NO [NOPERM] Permission denied
--------

If the layout of /var/mail/public switched to "fs" where the separator is "/", mailbox creation succeeds as expected.

--------
namespace {
  list = children
  location = maildir:/var/mail/public:INDEX=~/Maildir/public:LAYOUT=fs
  prefix = Public/
  separator = /
  subscriptions = no
  type = public
}
--------
--------
# maildirmake.dovecot /var/mail/public/aaa
# echo 'anyone lrwstipekxa' >/var/mail/public/aaa/dovecot-acl
# chown -R mail.mail /var/mail/public
# imtest -a yaegashi localhost
....
. getacl Public
* ACL "Public" "anyone" alr
. OK Getacl completed.
. getacl Public/aaa
* ACL "Public/aaa" "anyone" akxeilprwtscd
. OK Getacl completed.
. create Public/aaa/bbb
. OK Create completed.
. getacl Public/aaa/bbb * ACL "Public/aaa/bbb" "anyone" akxeilprwtscd
. OK Getacl completed.
. create Public/aaa/1.2.3
. OK Create completed.
. create Public/aaa/cur
. NO Invalid mailbox name: Public/aaa/cur
--------

Is this behavior expected?  Misconfiguration or dovecot bug?

I prefer the maildir++ layout with listescape as it's reserved-folder-name free (eg. cur new tmp).

Regards,
-- 
YAEGASHI Takeshi <yaegashi at debian.org>