[Dovecot] Permissions in shared folders

Lukas Haase lukashaase at gmx.at
Tue Feb 8 12:33:03 EET 2011


Hi,

On my mail server I want to implement shared folders for each workgroup 
where there are many workgroups.

One way would be to create a separate namespace for each workgroup.
However, this does not scale well so I decided to use a single Shared 
mailbox and use ACLs:

namespace public {
	separator = .
	prefix = Shared.
	location = maildir:/var/mail/shared:CONTROL=~/Maildir/shared
}

Each workgroup should get a subfolder in "Shared". Until now, this 
works: I create .Group1, .Group2 and assign correct group permissions 
and ACL files.

However, now a user from group1 wants to create a subfolder in his IMAP 
folder. Since the permissions for /var/mail/shared/.Group1 are correct 
(writeable to group1 and the user is a member of group1 and 'k' ACL 
permissions are active) I would expect it to work.

However, for obvious reasons, the *sub*folder is created as

/var/mail/shared/.Group1.Subfolder

so it is actually not a subfolder in the sense of the filesystem but 
rather a folder inside /var/mail/shared.

However, the user does (and should) not have write permissions to 
/var/mail/shared (only to /var/mail/shared/.Group1).

Is there a way to overcome this problem? Why can't Dovecot just use 
/var/mail/shared/.Group1/.Subfolder? Is there an option to do so? It 
would make everything a lot easier.

The one option is to make /var/mail/shared world-writeable - which is 
not really a good option.

A second option might be to use ACLs and give each group write 
permissions to /var/mail/shared. However, not even this seems very 
"clean" to me.

What is the best way to handle this?

Best regards,
Luke
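
Added example, not part of the original message and not Dovecot code: a small check of which directory a group member needs write access to when creating "Group1.Subfolder", under the flat Maildir++ naming described above versus the nested layout the message asks about. The function names, the temporary directory tree and the group member's uid are constructed for illustration; only classic owner/group/other mode bits are evaluated (no POSIX ACLs, no root).

```python
import os
import stat
import tempfile

def storage_dir(root, mailbox, sep=".", layout="maildir++"):
    """Map a mailbox name below the namespace prefix (e.g. 'Group1.Subfolder')
    to its on-disk directory under the given layout."""
    parts = mailbox.split(sep)
    if layout == "maildir++":
        # Maildir++: every folder is a dot-prefixed directory directly in root.
        return os.path.join(root, "." + ".".join(parts))
    # Nested layout (assumed here for comparison): one directory per level.
    return os.path.join(root, *parts)

def may_create(path, uid, gids):
    """True if uid/gids may create `path`, judged from the mode bits of the
    parent directory (write + search permission are both required)."""
    st = os.stat(os.path.dirname(path))
    if uid == st.st_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return st.st_mode & need == need

def demo():
    """Build a constructed tree like the one in the message, evaluate both layouts."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)                    # shared root: only the owner may write
        for name in (".Group1", "Group1"):       # group folder in each layout
            os.mkdir(os.path.join(root, name))
            os.chmod(os.path.join(root, name), 0o2770)  # group-writable
        grp = os.stat(os.path.join(root, ".Group1"))
        # Hypothetical group1 member: not the owner, but in the folder's group.
        member_uid, member_gids = grp.st_uid + 1, {grp.st_gid}
        return {
            layout: may_create(
                storage_dir(root, "Group1.Subfolder", layout=layout),
                member_uid, member_gids)
            for layout in ("maildir++", "nested")
        }

if __name__ == "__main__":
    print(demo())
```
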
